Telus Actiontec WEB6000Q Denial Of Service

Posted on 13 June 2019

Telus Actiontec WEB6000Q with firmware 1.1.02.22 suffers from a denial of service vulnerability. By querying CGI endpoints with empty (GET/POST/HEAD) requests causes a Segmentation Fault of the uhttpd webserver. Since there is no watchdog on this daemon, a device reboot is needed to restart the webserver to make any modification to the device.