I discovered an exploit that allows access to the sh shell on the Vivo Fibra modem. This method essentially involves terminating the aspsh shell and invoking sh using the output of cat /dev/null. Using the pipe (|) is crucial for this exploit, it is the base of the exploit.
- Model: Askey RTF8225VW
- Software Version: BR_SG_g1.13_RTF_TEF004_V2.35
- Revision: REV3
- CLI Version: Reduced_CLI_HGU_v26 (Vivo Fibra firmware)
- System Info: Linux (none) 4.4.115
To begin, access the modem by connecting to support@{modem's IP} via SSH. It does not matter if the connection is local or public, as SSH port (22) is open to the internet. The support user has privileged access, but the password is the same as the admin password.
You will need to enter the password, which is typically an 8-digit mix of letters and numbers. Once logged in, you will be greeted with aspsh, a very limited shell designed for technical services. Its purpose is to prevent you from using sh or bash for security reasons.
The critical part begins here: the only Unix-like programs you can execute are ls, top, cat, and free. There are other programs available in aspsh, but they are not useful for this exploit.
cat /dev/null | kill $(ps | grep aspsh | awk '{print $1}' | head -n 1) && sh
In aspsh, enter the following command:
cat /dev/null | ps | grep aspsh
This command helps you discover the process ID of aspsh -k or aspsh . The cat /dev/null command returns nothing, allowing you to execute ps and grep aspsh. The output should look something like this:
2298 support 13612 S aspsh -k
27492 support 13608 S -aspsh
31961 support 3308 S sh -c cat /dev/null | ps | grep aspsh
31964 support 3312 S grep aspsh
Once you have identified the process ID, you can terminate the aspsh loop that restricts your access.
Next, run the command:
cat /dev/null | kill 2298 (PID) && sh
PID varies. you should check it before trying to kill aspsh. maybe in other devices you will need to kill [aspsh] or aspsh instead of aspsh -k in this case.
In this command, cat /dev/null still returns nothing, allowing you to use its output to kill the aspsh -k process. The && sh part then invokes sh in its place.
And that's it! You now have access to sh, providing you with unlimited possibilities for manipulating your modem.
If someone with malicious intent exploits this vulnerability, they could use tools like Wireshark or similar applications to monitor network activity. They could also execute destructive commands like rm -rf /, effectively destroying the system and rendering the hardware essentially unusable, with no option to reset it.