JacksonTech

join:2013-06-01
United State

1 edit

[Networking] HT1000 URL Parsing Vulnerability in System Control

While exploring the SCC of the HT1000, I found a bug that allowed me to execute arbitrary commands on the HT1000 modem. I disclosed it to HughesNet multiple times over a month-long period and got no response. Tried disclosing it again and it was unfortunately dismissed. I hate going public with things, but, well...here we are.

EDIT: I am not comfortable having the details of the vulnerability here, so I redacted them. The full report is at my blog: »jacksontech.net/index.php/2013/0···ability/ and at the official HughesNet forums: »community.myhughesnet.com/hughes···cc-e0ifx



gwalk
Premium
join:2005-07-27
West Mich.

Re: [Networking] HT1000 URL Parsing Vulnerability in System Cont

Would love to help but due to a lack of trust I refuse to do anything that would put me under contract to Hughes again so I remain on a legacy system.
It does rather sound like you too are learning the "ways" of Hughes. Sad to say but it is not the company it once was or had the promise to be.

I feel safe in saying on the part of the members here at DSLR we do value the information you share here on the forum.
I'm sure a Gen4 user will be along to assist.


JacksonTech

join:2013-06-01
United State

said by gwalk:

Would love to help but due to a lack of trust I refuse to do anything that would put me under contract to Hughes again so I remain on a legacy system.
It does rather sound like you too are learning the "ways" of Hughes. Sad to say but it is not the company it once was or had the promise to be.

*Nods* Seems to be a wise choice. Fortunately, I haven't been in a position where I've needed to depend on HughesNet to solve a problem with my modem or satellite equipment--after browsing a few threads on the Community Support forums, it's clear that my equipment was installed by a particularly methodical and careful installer, and so I've had no major problems yet.

As for legacy systems, it seems from what I know about the HN9000 that the web interface is completely different. The web interface on the HN9000 appears to be comprised of many .htm files; for the HT1000, the majority of the web interface is generated on-the-fly by several .cgi executables!

If I see several verifications that this bug exists for other HT1000 systems, I'll post on the HN support forum tonight/tomorrow. Should get a few replies before the regular support crew arrives on Monday.

pvtpilot94
System
Premium
join:2001-11-23
Bucyrus, OH
reply to JacksonTech

I get the same screen as you have when I go to the URL listed.
I am on an HT1000 modem.
--
HT1000 Beam 23


JacksonTech

join:2013-06-01
United State

2 edits
reply to JacksonTech

»community.myhughesnet.com/hughes···cc-e0ifx

I posted on the HN support forums.


A Tech

join:2008-11-10
reply to JacksonTech

24 x $15 = $360 is what the contract costs you to get out, i.e. 24 times $15. Pretty cheap in my book. Every month it goes down 15 bucks. A NO BRAINER.



gwalk
Premium
join:2005-07-27
West Mich.

To whom are you replying within this thread?
I assume you are referring to the ETF?


james1979

join:2012-10-09
Quinault, WA
reply to JacksonTech

That's quite an interesting find, JacksonTech, and I can confirm this behavior on my HT1000. It seems that I can get the time with the 'date' command.

Command cannot be executed. URI: /wac_userdisable query: Mon Sep 2 22:33:07 UTC 2013


james1979

join:2012-10-09
Quinault, WA
reply to JacksonTech

said by JacksonTech:

it's clear that my equipment was installed by a particularly methodical and careful installer

Whereas I know that my Gen4 system was installed by someone with no pride in his work, and I'm beginning to think that my performance issues are being caused by that.

But back to your interesting finding, did you notice the curious "whoCares" executable in /bin?

Command cannot be executed. URI: /wac_userdisable query: Hi, Mom!

I wonder if the user "brighton" wrote that?

james1979

join:2012-10-09
Quinault, WA
reply to JacksonTech

I just knew they were going to ask you for a case number. If my reply is removed, I'll post it here.

james1979

join:2012-10-09
Quinault, WA

1 edit

JacksonTech has removed his blog and his topic has been removed on the HughesNet Community, and I think that's quite a good idea. In case someone didn't read my reply, when JacksonTech was asked for a case number after numerous attempts to report a "vulnerability", I suggested that HughesNet technical support needs a case number for themselves. Suz now seems to agree with me: "We'd like to speak with you to see who you disclosed this to that didn't respond back."

On the off chance that someone reading this finds a similar vulnerability and doesn't know what to do, report it to CERT: »www.cert.org/contact_cert/



gwalk
Premium
join:2005-07-27
West Mich.
reply to JacksonTech

In truth I don't think that Suz ever did grasp the fact that JT was reporting a vulnerability rather than stating he had a problem.
Reading comprehension being what it is in Germantown.



notechsupp

@direcway.com
reply to JacksonTech

JacksonTech, so now that the posts on HughesNet and your own blog have been pulled, perhaps you can tell us what Hughes said so it does not look like a cover-up.


JacksonTech

join:2013-06-01
United State
reply to JacksonTech

I received an email from Executive Customer Care a few days ago, shortly after the thread was deleted; the message asked me to call them (or give a contact phone number) so we could discuss why my emails may not have gone through.

My work schedule is keeping me on my feet, so I didn't want to take up time with a phone call; instead, I responded thank you very much, etc, etc. I also noted that I suspected that at least one email DID get through, since the bug was not present in the HT1100. (I am assuming that, if the HT1100 was based on the HT1000's firmware code, and if it ships with a newer version of the firmware code, and if the bug does not show up in the HT1100's user interface, therefore the bug was fixed recently. But it's just a guess.)

I would wager that my original emails didn't get a response back (although I requested one) because whatever department eventually received the email probably does not want a customer to have their email address. Could you imagine the torrent of emails towards any inbox that customers might even *think* would bypass the call centers and go directly towards a HughesNet engineer? The mail servers might crash from the load. :P

I haven't received a response back from ECC yet.

At any rate, I removed the post from my blog because that's not the sort of thing I want to have on my web space. I use the blog to post useful information that might help people, and I believe that that post would not have helped people had it remained.