-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

### Device Details
Discovered By: Andrew Klaus (andrew@aklaus.ca)
Vendor: Actiontec (Telus Branded)
Model: WEB6000Q< -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

### Device Details
Discovered By: Andrew Klaus (andrew@aklaus.ca)
Vendor: Actiontec (Telus Branded)
Model: WEB6000Q
Affected Firmware: 1.1.02.22

Reported: July 2018
CVE: CVE-2018-15555 (Main OS)
CVE: CVE-2018-15556 (Quantenna OS)


### Summary of Findings

Both “main” and “quantenna” have a UART header on the motherboard and
each of them provide full shell + bootloader access.

While the main OS has the credentials user: root pass: admin, the
quantenna environment can be accessed with user: root with an empty
password.

I used a Raspberry Pi to interface with the UART header, but there are
USB UART adapters to do the same thing.

Once root access is obtained, TR-069 Updating can be fully disabled,
preventing the vendor from pushing updates to the device.


### Proof of Concept

Hooking up a Raspberry Pi's UART GPIO header to either UART header on
the modem will give a login prompt. root/admin or root/(nopass)
depending on which modem header connected to.


### Enabling SSH daemon on Main OS

After retrieving a root shell on the main OS over UART, SSH can be
enabled by running the following:

# cli -s Device.X_ACTIONTEC_COM_RemoteLogin.Enable int 1
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
dropbear -p 22 -I 1800 &


$ ssh 192.168.1.2 -l admin -oKexAlgorithms=+diffie-hellman-group1-sha1
admin@192.168.1.2's password:

BusyBox v1.17.2 (2016-02-03 21:34:18 PST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
#








-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEE/rRUDraOzqmrp8tZoyRid8jQfpkFAlz9T5sACgkQoyRid8jQ
fpnL1BAAi+Bu1xcK9thQ0AHqamY7DZ4qkP3dhFVUtW5q3hoJ4T3GOLTj/9RJLaOI
J9FMvSMNAnTKtBcbTx4uvokRAbGLZEUPG1uk0Qu9wmC8tPliU0qHTCfU0vF2dFCI
rrhmpaJhu4Y/AEIpjZXg1/5p5hIAQn5DfNUwu6p5VbDlRbktu5UELcFtvgnVi7Jq
MUmNvPjbbxwfWlopb3kXASOh1SFLwe77AwmQmLQtIDknAyf2Ri9xfpf2wMGPqDTp
WH3SzNCE+HkpHH8omSgnX+yA51KeGipUXWao3UnGvqdHp02TFz5OZIHhgzLk2AfX
6k78qy44DMegaUld9KQeW4OeVESxQqVu9goIjbRMIIlLKRsvz1BwTM+wBu74z2vU
O8i1mzAPqloc8iIoIzLiu1dGzYTii4et6YMTq5GJiXL3PCTOJ8MR1/mxeebQwn9h
ebsmkn0I06ruR37apz0WGBx0p7t158Pjzc954JoMLubQO8Isk/2G02wcekLLXjVj
P2jxoJlnRplum7pKNQbfhAJ6VrGiyB9HY6VAarseqZzFLYJiL6u15EooKScVAg/0
ogZz/3G4m8yVZ37nnz64GNqZu/i18IRoPRGGfeYN/smKFhsKNtbw1JSWHk6VPTbN
jlJLOXvQ9149zFlmJJHCxKiQ3FHvghgfgoi9W5J0Lg4Q+lqIriU=
=POu3
-----END PGP SIGNATURE-----




-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

### Device Details
Discovered By: Andrew Klaus (andrew@aklaus.ca)
Vendor: Actiontec (Telus Branded)
Model: WEB6000Q
Affected Firmware: 1.1.02.22

Reported: July 2018
CVE: CVE-2018-15557


### Summary of Findings

Two instances of Linux run on the WEB6000Q. One is the “main” instance
that runs the web management server, TR-069 daemon, etc., while the
other is the "quantenna" management OS used to manage the wireless.

By hardcoding an IP address in the 169.254.1.0/24 network, and being on
the same layer 2 network, root telnet access can be obtained on the
"quantenna" management environment by accessing:

Host: 169.254.1.2
Port: 23
Login: root (no password prompted)


-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEE/rRUDraOzqmrp8tZoyRid8jQfpkFAlz9T9cACgkQoyRid8jQ
fpmyiw/+IOKANwITYMPOlXmvq4cY2ma8n5ckyeaLs2sEMTUM4OLg9Fnv7bqHxRs9
++/sU7QPPjtMVhGIoehWqJgQp96zIV/x/JDxNlVvHn2IbYtOgSQOJ0uCxDvU7Tf5
khAmBtUSHMDq5qBlmPZxOUHnEEDjdx38OBt11Z9/yrSso5eJaXVsYs2SsEuLCzOq
xH0VXi278VSx0mDVsAPT6GvAyYja+S23M49dhW48knQ9yBCt17Lhe1C04vcUNme0
GZQUUHKLBJl03mUgt91/pcRfqN+MlUMyyQiyi7w1fPQpTWONIArUM26XV+P9oLNu
T08sh1vaAdaXim1AHpSURXX24TEsIYLW0Tb9SQVPMl1UZDcNq0ub9AdoAUuuXBWv
nQ3jTCKlosH3GsIau1S3hlI8hoDF3li5e+bwt62JcqhI13pY1ZdcqZ+DHcbSGLN1
PW/CjPJxw05vamYzyZSgqS/FUlflzhboFp2s2/7XG8lBvt+pTQql5aYcxdcaZ1Sq
TAGEXC3Kdb4BEQlqWuJNAlZWxeN6fhewb8IPDEJhdUZr2rGF9/1rmd3FlbwC6K2u
10o0lGrXVZ3hDnewwrBFNjLgvUj/nUtVlElkk1x/rsQnqDtnuKC4sS6xq9VO27Yo
tW4gSB5LSjUcMVJyc0YbLjtYtd0mYem7l0dHjpnuqXst94GrHlk=
=KDej
-----END PGP SIGNATURE-----