-
Notifications
You must be signed in to change notification settings - Fork 23
/
Copy pathbastille-25.atom-telnet.txt
50 lines (21 loc) · 1.39 KB
/
bastille-25.atom-telnet.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
Bastille Tracking Number 25
CVE-2017-9482
Overview
A vulnerability has been discovered that enables an attacker to gain a root shell to the network processor (Atom) Linux instance of a gateway.
Affected Platforms
Cisco DPC3939, firmware version dpc3939-P20-18-v303r20421746-170221a-CMCST
Proof-of-Concept
An attacker with the ability to launch applications on a gateway (Bastille Tracking Number 22) can enable Telnet on the internal IP address of the NP (Atom) Linux instance as follows:
sysevent --port 52367 --ip 10.0.0.1 async eRT /fss/gw/usr/ccsp/dmcli Device.WiFi.X_CISCO_COM_EnableTelnet bool true
sysevent --port 52367 --ip 10.0.0.1 set eRT setv
After running the above commands, a Telnet server is running on 169.254.101.2, which is normally inaccessible to clients on the LAN, however this can be routed to via 10.0.0.254 (Bastille Tracking Number 24).
An attacker can then gain a root shell on the NP (Atom) Linux instance from the LAN or private Wi-Fi AP.
Test Environment
Cisco DPC3939, firmware version dpc3939-P20-18-v303r20421746-170221a-CMCST
Mitigation
There is no apparent mechanism to allow Comcast customers to prevent access to the NP internal IP address or control the Telnet server.
Recommended Remediation
Update the firewall rules to prevent access to the NP internal IP address from the LAN.
Credits
Marc Newlin and Logan Lamb, Bastille
Chris Grayson, Web Sight.IO