83 matches found
Code injection
An issue was discovered in the Quantenna WiFi Controller on Telus Actiontec WEB6000Q v1.1.02.22 devices. An attacker can statically set his/her IP to anything on the 169.254.1.0/24 subnet, and obtain root access by connecting to 169.254.1.2 port 23 with telnet/netcat...
CVE-2018-15556
CVE-2018-15556 affects the Quantenna WiFi Controller in Telus Actiontec WEB6000Q (firmware v1.1.02.22). An attacker can log in as root with an empty password via the onboard UART headers, enabling full shell access. Public PoC material exists (PacketStorm/full disclosure) describing UART-based pr...
CVE-2018-15556
The Quantenna WiFi Controller on Telus Actiontec WEB6000Q v1.1.02.22 allows login with root level access with the user "root" and an empty password by using the enabled onboard UART headers...
CVE-2018-15557
An issue was discovered in the Quantenna WiFi Controller on Telus Actiontec WEB6000Q v1.1.02.22 devices. An attacker can statically set his/her IP to anything on the 169.254.1.0/24 subnet, and obtain root access by connecting to 169.254.1.2 port 23 with telnet/netcat...
CVE-2018-15557
CVE-2018-15557 affects the Quantenna WiFi Controller in Telus Actiontec WEB6000Q devices (firmware v1.1.02.22). The issue allows an attacker with access to the 169.254.1.0/24 link-local subnet to obtain root by connecting to 169.254.1.2 on TCP port 23 (telnet/netcat). Documents corroborate a priv...
Code injection
An issue was discovered on Actiontec T2200H T2200H-31.128L.08 devices, as distributed by Telus. By attaching a UART adapter to the UART pins on the system board, an attacker can use a special key sequence Ctrl-\ to obtain a shell with root privileges. After gaining root access, the attacker can...
CVE-2019-12789
An issue was discovered on Actiontec T2200H T2200H-31.128L.08 devices, as distributed by Telus. By attaching a UART adapter to the UART pins on the system board, an attacker can use a special key sequence Ctrl-\ to obtain a shell with root privileges. After gaining root access, the attacker can...
CVE-2019-12789
CVE-2019-12789 affects the Actiontec/Telus T2200H devices (T2200H-31.128L.08). By attaching a UART adapter to system-board UART pins and issuing the key sequence Ctrl-, an attacker can obtain a root shell. This permits mounting the filesystem read-write and making permanent modifications, includi...
Telus Actiontec WEB6000Q Elevation of Privilege Vulnerability
The Actiontec WEB6000Q is a wireless extender from Actiontec USA. A security vulnerability exists in the Quantenna WiFi Controller in the Telus Actiontec WEB6000Q version 1.1.02.22. An attacker can exploit the vulnerability to log in with root access...
Telus Actiontec WEB6000Q elevation of privilege vulnerability (CNVD-2019-39178)
The Actiontec WEB6000Q is a wireless extender from Actiontec USA. A security vulnerability exists in the Quantenna WiFi Controller in the Telus Actiontec WEB6000Q version 1.1.02.22. An attacker can exploit the vulnerability to log in with root access...
Telus Actiontec T2200H Local Privilege Escalation
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Device Details Discovered By: Andrew Klaus [email protected] Vendor: Actiontec Telus Branded Model: T2200H Affected Firmware: T2200H-31.128L.08 Device Manual: http://static.telus.com/common/cms/files/internet/telust2200husermanu al.pdf Reported: Sept...
Telus Actiontec WEB6000Q Privilege Escalation
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Device Details Discovered By: Andrew Klaus [email protected] Vendor: Actiontec Telus Branded Model: WEB6000Q Affected Firmware: 1.1.02.22 Reported: July 2018 CVE: CVE-2018-15555 Main OS CVE: CVE-2018-15556 Quantenna OS Summary of Findings Both “main”...
Telus Actiontec T2200H Local Elevation of Privilege Vulnerability
The Actiontec Electronics T2200H is a modem from Actiontec Electronics, USA. A security vulnerability exists in the Actiontec Electronics T2200H T2200H-31.128L.08 release. The vulnerability can be exploited by an attacker to obtain a shell with root privileges to permanently modify the device,...
Telus Actiontec T2200H Serial Number Information Disclosure
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Device Details Vendor: Actiontec Telus Branded, but may work on others Model: T2200H Affected Firmware: T2200H-31.128L.08 Device Manual: http://static.telus.com/common/cms/files/internet/telust2200husermanu al.pdf Reported: Sept 2018 CVE: Not needed...
Telus Actiontec T2200H WiFi Credential Disclosure
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Device Details Discovered By: Andrew Klaus [email protected] Vendor: Actiontec Telus Branded, but may work on others Model: T2200H but very likely affecting other models of theirs Affected Firmware: T2200H-31.128L.08 Device Manual:...
Telus Actiontec WEB6000Q Serial Number Information Disclosure
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Device Details Discovered By: Andrew Klaus [email protected] Vendor: Actiontec Telus Branded, but may work on others Model: WEB6000Q Affected Firmware: 1.1.02.22 Reported: Sept 2018 CVE: Not needed since update is pushed by the provider. Summary of...
Telus Actiontec WEB6000Q Denial Of Service
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Device Details Discovered By: Andrew Klaus [email protected] Vendor: Actiontec Telus Branded Model: WEB6000Q Affected Firmware: 1.1.02.22 Reported: July 2018 CVE: Not needed since update is pushed by the provider. Summary of Findings By querying CGI...
Telus Actiontec T2200H Command Injection Vulnerability
The Telus Actiontec T2200H is a modem device from Telus USA. A command injection vulnerability exists in the fileshare.cmd file in the Telus Actiontec T2200H using firmware version T2200H-31.128L.03. An attacker can exploit this vulnerability to inject operating system commands with the help of...
CVE-2018-15553
fileshare.cmd on Telus Actiontec T2200H T2200H-31.128L.03 devices allows OS Command Injection via shell metacharacters in the smbdUserid or smbdPasswd field...
Command injection
fileshare.cmd on Telus Actiontec T2200H T2200H-31.128L.03 devices allows OS Command Injection via shell metacharacters in the smbdUserid or smbdPasswd field...