Dasan Networks GPON ONT WiFi Router H64X Series Cross-Site Request Forgery

2017-07-12T00:00:00
ID ZSL-2017-5422
Type zeroscience
Reporter Gjoko Krstic
Modified 2017-07-12T00:00:00

Description

Title: Dasan Networks GPON ONT WiFi Router H64X Series Cross-Site Request Forgery
Advisory ID: ZSL-2017-5422
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 12.07.2017

Summary

H64xx is comprised of one G-PON uplink port and four ports of Gigabit Ethernet downlink supporting 10/100/1000Base-T (RJ45). It helps service providers to extend their core optical network all the way to their subscribers, eliminating bandwidth bottlenecks in the last mile. H64xx is integrated device that provide the high quality Internet, telephony service (VoIP) and IPTV or OTT content for home or office. H64xx enable the subscribers to make a phone call whose quality is equal to PSTN at competitive price, and enjoy the high quality resolution live video and service such as VoD or High Speed Internet.

Description

The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain, if not all actions with administrative privileges if a logged-in user visits a malicious web site.

Vendor

Dasan Networks - <http://www.dasannetworks.com>

Affected Version

Model:
H640GR-02
H640GV-03
H640GW-02
H640RW-02
H645G

Firmware:
3.03p1-1145
3.03-1144-01
3.02p2-1141
2.77p1-1125
2.77-1115
2.76-9999
2.76-1101
2.67-1070
2.45-1045

Tested On

Server: lighttpd/1.4.31
Server: DasanNetwork Solution

Vendor Status

[19.05.2017] Vulnerability discovered.
[30.05.2017] Vendor contacted.
[30.05.2017] Vendor replied asking more details.
[31.05.2017] Sent details to the vendor.
[01.06.2017] Vendor provides latest firmware version 3.03-1144-01.
[01.06.2017] Working with the vendor.
[05.07.2017] Vendor responds that the 3.03 version has some fixes like backup file password security. Vendor asks if it's possible to test on latest version.
[05.07.2017] Replied to the vendor that if they provide a sample, we can execute.
[05.07.2017] Vendor provides public IP access to test version 3.03p1-1145. Config download fixed with 7z password protection.
[05.07.2017] Informed the vendor about the other issues.
[05.07.2017] Vendor replied.
[13.07.2017] Asked vendor for status update.
[13.07.2017] Vendor will fix remaining issues in next FW release. No confirmed date for new release.
[13.07.2017] Coordinated public security advisory released.

PoC

dasan-h64_csrf.txt

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] <https://www.exploit-db.com/exploits/42321/>
[2] <https://cxsecurity.com/issue/WLB-2017070103>
[3] <https://packetstormsecurity.com/files/143353>
[4] <https://exchange.xforce.ibmcloud.com/vulnerabilities/129749>

Changelog

[12.07.2017] - Initial release
[01.08.2017] - Added reference [1], [2] and [3]
[15.11.2017] - Added reference [4]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk

                                        
                                            &lt;html&gt;&lt;head&gt;&lt;title&gt;403 Nothing to see.&lt;/title&gt;
&lt;link rel="Shortcut Icon" href="favicon.ico" type="image/x-icon"&gt;
&lt;style type="text/css"&gt;
&lt;!--
body {
	background-color: #000;
}
body,td,th {
	font-family: Verdana, Geneva, sans-serif;
}
a:link {
	color: #008FEF;
	text-decoration: none;
}
a:visited {
	color: #008FEF;
	text-decoration: none;
}
a:hover {
	text-decoration: underline;
	color: #666;
}
a:active {
	text-decoration: none;
}
--&gt;
&lt;/style&gt;
&lt;/head&gt;
&lt;body bgcolor=black&gt;
&lt;center&gt;
&lt;font color="#7E88A3" size="2"&gt;
&lt;br /&gt;&lt;br /&gt;
&lt;h1&gt;403 Nothing to see.&lt;/h1&gt;

You do not have the powah for this request /403.shtml&lt;br /&gt;&lt;br /&gt;
&lt;font size="2"&gt;&lt;a href="https://www.zeroscience.mk"&gt;https://www.zeroscience.mk&lt;/a&gt;&lt;/font&gt;
&lt;/font&gt;&lt;/center&gt;
&lt;/body&gt;&lt;/html&gt;