CVE-2018-10562

Published: 04/05/2018 Updated: 03/10/2019
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 760
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

An issue exists on Dasan GPON home routers. Command Injection can occur via the dest_host parameter in a diag_action=ping request to a GponForm/diag_Form URI. Because the router saves ping results in /tmp and transmits them to the user when the user revisits /diag.html, it's quite simple to execute commands and retrieve their output.

Affected Products

Vendor: Dasannetworks
Product: Gpon Router Firmware
Versions: -

Vendor Advisories

Summary: Multiple GPON Home Routers could allow a remote attacker to execute arbitrary commands on the system, caused by the ping and trace route commands running at root level on the diagnostic page. An attacker could exploit this vulnerability using the host parameter to inject and execute arbitrary commands on the system with root privileges. A ...

Exploits

#!/bin/bash
echo "[+] Sending the Command… "
# We send the commands with two modes backtick (`) and semicolon (;) because different models trigger on different devices
curl -k -d "XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=\`$2\`;$2&ipv=0" $1/GponForm/diag_Form?images/ 2>/dev/null 1>/dev/null
echo "[+] Waiti ...

Github Repositories

GPON_RCE: Exploit for Remote Code Execution on GPON home routers (CVE-2018-10562) written in Python.

GPON-LOADER: Exploit loader for Remote Code Execution w/ Payload on GPON Home Gateway devices (CVE-2018-10562) written in Python. Dependencies: requests. Usage: python gpon-loader.py <list.txt>

CVE-2018-10562: CVE-2018-10562 exploit. About: RCE on GPON home routers. [*] CVE-2018-10561: Authentication Bypass. [*] CVE-2018-10562: Command Injection. Dependencies required: requests, urllib2, ssl, re.

PINGPON EXPLOIT: Author: @037. Pingpon is a tool used to obtain thousands of vulnerable GPON home routers using Shodan.io to then execute any Linux command on using a remote code execution flaw (CVE-2018-10562). DISCLAIMER: I am NOT responsible for any damages caused or any crimes committed by using this tool. Original Script: github.com/f3d0x0/GPON. Prerequisites: You're req

RCE on GPON home routers (CVE-2018-10561). Press: The Hacker News - 1, The Hacker News - 2, KitPloit, Security Affairs. Vulnerability: Many routers today use GPON internet, and a way to bypass all authentication on the devices (CVE-2018-10561) was found by VPNMentor. With this authentication bypass, it's also possible to unveil another command injection vulnerability (CVE-2018-1

Name / Description. CVE-2015-5531: Directory traversal vulnerability in Elasticsearch before 1.6.1 allows remote attackers to read arbitrary files via unspecified vectors related to snapshot API calls. CVE-2016-1909: Fortinet FortiAnalyzer before 5.0.12 and 5.2.x before 5.2.5; FortiSwitch 3.3.x before 3.3.3; FortiCache 3.0.x before 3.0.8; and FortiOS 4.1.x before 4.1.11, 4.2.x

Awesome CVE PoC: A curated list of CVE PoCs. Here is a collection about Proof of Concepts of Common Vulnerabilities and Exposures, and you may also want to check out awesome-web-security. Please read the contribution guidelines before contributing. This repo is full of PoCs for CVEs. If you enjoy this awesome list and would like to support it, check out my Patreon page :

Recent Articles

Inside the Hoaxcalls Botnet: Both Success and Failure
Threatpost • Tara Seals • 28 May 2020

The Hoaxcalls botnet, built to carry out large-scale distributed denial-of-service (DDoS) attacks, has been actively in development since the beginning of the year. One of its hallmarks is that it uses different vulnerability exploits for initial compromise.
Researchers, however, have discovered that it’s been a hit-or-miss journey for its operators when it comes to the bugs they choose – while at the same time, they’ve had to reboot after takedowns.
“The Hoaxcalls campaign h...

GPON Routers Attacked With New Zero-Day
BleepingComputer • Catalin Cimpanu • 21 May 2018

Attacks on Dasan GPON routers are continuing to happen using two vulnerabilities disclosed last month, but today, researchers from Qihoo 360 Netlab have revealed that one botnet operator appears to have deployed a new zero-day affecting the same router types.
The security firm has refused to release further details on this flaw to prevent more attacks but said it was able to reproduce its effects.
"We tested this payload on two different versions of [Dasan] GPON home router," the Net...

Botnet Party on GPON Routers
BleepingComputer • Catalin Cimpanu • 10 May 2018

At least five IoT botnets are fighting each other and attempting to infect Dasan GPON routers, according to Chinese cyber-security firm Qihoo 360 Netlab.
The five botnets are known under codenames such as Hajime, Mettle, Mirai, Muhstik, and Satori.
The devices they are trying to take over are GPON-capable routers manufactured by South Korean vendor Dasan. GPON stands for Gigabit Passive Optical Network and is a type of telecommunications technology for supporting internet connections...

Vulnerabilities Affecting Over One Million Dasan GPON Routers Are Now Under Attack
BleepingComputer • Catalin Cimpanu • 04 May 2018

Two vulnerabilities affecting over one million routers, and disclosed earlier this week, are now under attack by botnet herders, who are trying to gather the vulnerable devices under their control.
Attacks started yesterday, Thursday, May 3, according to Netlab, the network security division of Chinese cyber-security vendor Qihoo 360.
Exploitation of these two flaws started after on Monday, April 30, an anonymous researcher published details of the two vulnerabilities via the VPNMent...

Millions of Home Fiber Routers Vulnerable to Complete Takeover
Threatpost • Tara Seals • 01 May 2018

UPDATE
Consumers lucky enough to have blazing-fast 1Gbps internet access in their homes are likely to use the internet more than lower-broadband households; however, millions of them are at risk for hackers to gain wide-ranging access to their internet activities (including being able to view full browsing histories).
A comprehensive assessment of various GPON home routers by vpnMentor has uncovered a way to bypass all authentication on the devices (CVE-2018-10561). That flaw can be ...