Over 1 Million GPON Users Are Unsafe, Be Aware Of New Zero Day Vulnerability – Security@Speaks
Vulnerability: Dassan / GPON routers Remote Code Execution Exploit
There is a way to bypass all authentication on the devices (CVE-2018-10561), was found by VPNMentor. With this authentication bypass, it’s also possible to unveil another command injection vulnerability (CVE-2018-10562) and execute commands on the device.
Dassan / GPON Home routers consist of two Vulnerabilities, If both vulnerabilities are exploited together, attacker can gain complete control of the device and the network.
It is possible to bypass authentication simply by appending “?images” to any URL of the device that requires authentication, as demonstrated by the /menu.html?images/ or /GponForm/diag_FORM?images/ URI. One can then manage the device.
Command Injection can occur via the dest_host parameter in a diag_action=ping request to a GponForm/diag_Form URI. Because the router saves ping results in /tmp and transmits them to the user when the user revisits /diag.html, it’s quite simple to execute commands and retrieve their output.
How does the exploit looks like ?
- In this case exploit got 400 bad request and exploit was not successful.
- We can analyze the payload which attacker was trying to execute. Download it from here [ http://52 dot 59 dot 43 dot 117/zyxel dot sh] and analyze through virustotal, in this case payload has been removed from the location, but still we can look for the reputation of the IP: https://www.virustotal.com/#/ip-address/126.96.36.199 , which proves, this is IP has been involved in bad stuffs.
- In this case exploit got 302 found and we can’t say for sure if exploit was successful or not.
- To make sure, we can look for the traffic to IP mentioned in pic: 35 dot 235 dot 102 dot 123, if we don’t see any traffic to this IP, we are sure exploit was unsuccessful, if traffic to this IP is seen, then we need to worry and need to figure out what basically script is doing.
- Here also we can analyze the payload, attacker was trying to execute. Download it from here [ http://35 dot 235 dot 102 dot 123/bins/tmp dot arm ] and analyze it through virustotal : https://www.virustotal.com/#/file/84c451d43c11049d15b72408c734debf23680c28356234597534d45c06bf4949/detection
- In this case fortunately there was no traffic to 35 dot 235 dot 102 dot 123
General Exploit Script: I got one from Github, but it does not restrict here it cam be manipulated in other ways too:
Complete script can be found at: https://github.com/f3d0x0/GPON/blob/master/gpon_rce.py
How to defend against GPON RCE exploits ?
- There is no official patch for the GPON RCE vulnerabilities till date.
- VPN mentor has created an patch, but its not an official patch and they don’t take any responsibility of this patch making any harm. https://www.vpnmentor.com/tools/gpon-router-antidote-patch/, here we can find temporary solution by VPN mentor till the time an official patch comes up in market.