Headline
Vivo Fibra Askey RTF8225VW Command Execution
The Vivo Fibra Askey RTF8225VW modem suffers from an input validation vulnerability that allows for full escalation to a functioning shell once logged in and using the restricted aspsh shell.
---# Exploit 1## Documentation on the Vivo Fibra Modem ExploitI discovered an exploit that allows access to the `sh` shell on the Vivo Fibra modem. This method essentially involves terminating the `aspsh` shell and invoking `sh` using the output of `cat /dev/null`. Using the pipe (`|`) is crucial for this exploit, it is the base of the exploit.## Known Affected Devices- **Model**: Askey RTF8225VW - **Software Version**: BR_SG_g1.13_RTF_TEF004_V2.35 - **Revision**: REV3 - **CLI Version**: Reduced_CLI_HGU_v26 (Vivo Fibra firmware) - **System Info**: Linux (none) 4.4.115 ## The ExploitTo begin, access the modem by connecting to `support@{modem's IP}` via SSH. It does not matter if the connection is local or public, as SSH port (22) is open to the internet. The `support` user has privileged access, but the password is the same as the admin password.You will need to enter the password, which is typically an 8-digit mix of letters and numbers. Once logged in, you will be greeted with `aspsh`, a very limited shell designed for technical services. Its purpose is to prevent you from using `sh` or `bash` for security reasons.The critical part begins here: the only Unix-like programs you can execute are `ls`, `top`, `cat`, and `free`. There are other programs available in `aspsh`, but they are not useful for this exploit.## How to Execute the ExploitIn `aspsh`, enter the following command:```aspshcat /dev/null | ps | grep aspsh```This command helps you discover the process ID of `aspsh -k`. The `cat /dev/null` command returns nothing, allowing you to execute `ps` and `grep aspsh`. The output should look something like this:```2298 support 13612 S aspsh -k27492 support 13608 S -aspsh31961 support 3308 S sh -c cat /dev/null | ps | grep aspsh31964 support 3312 S grep aspsh```Once you have identified the process ID, you can terminate the `aspsh` loop that restricts your access.Next, run the command:```aspshcat /dev/null | kill 2298 && sh```In this command, `cat /dev/null` still returns nothing, allowing you to use its output to kill the `aspsh -k` process. The `&& sh` part then invokes `sh` in its place.And that's it! You now have access to `sh`, providing you with unlimited possibilities for manipulating your modem.## Why This Exploit Is DangerousIf someone with malicious intent exploits this vulnerability, they could use tools like Wireshark or similar applications to monitor network activity. They could also execute destructive commands like `rm -rf /`, effectively destroying the system and rendering the hardware essentially unusable, with no option to reset it.---