Shulou(Shulou.com)06/01 Report--

How to carry out GPON optical fiber router vulnerability analysis, many novices are not very clear about this, in order to help you solve this problem, the following editor will explain for you in detail, people with this need can come to learn, I hope you can gain something.

Overview of 0x00 vulnerabilities

A few days ago, 360-CERT detected two vulnerabilities in GPON home optical routers disclosed by VPNMentor, involving authentication bypass vulnerabilities (CVE-2018-10561) and command injection vulnerabilities (CVE-2018-10562). The attack chain formed by the two vulnerabilities can execute arbitrary system commands on the device. According to 360-CERT 's QUAKE system mapping, the global impact is in the order of millions, and the relevant vulnerability exploitation code has been made public. We should be on guard against the emergence of botnets that exploit this vulnerability.

GPON technology is a very popular optical fiber non-light source network equipment technology. Most of the home gateways of domestic mainstream operators use GPON and EPON technology. Because the domestic GPON optical fiber router is provided by ISP, it is not obvious to expose the public network stock, but it may still be affected by this vulnerability.

0x01 vulnerability impact surface

Affect the device:

GPON mode home device gateway

0x02 Technical details identity Authentication Bypass CEV-2018-10561

The HTTP server running on the device checks for specific paths when authenticating, which allows attackers to use this feature to bypass authentication on any terminal.

Access is finally obtained by adding a specific parameter-images/, after URL:

Http://ip:port/menu.html?images/

Http://ip:port/GponForm/diag_FORM?images/

Command injection CEV-2018-10562

The device provides diagnostic functions through ping and traceroute

The device is diagnosed, but the user input is not detected. It is directly executed in the form of stitching parameters, resulting in command injection, through reverse quotation marks ``and semicolons; regular command injection can be executed.

The diagnostic function saves the result of command execution in the / tmp directory and the user visits / diag.html

The result is returned, so the execution result can be easily obtained by combining the CVE-2018-10561 authentication bypass vulnerability.

Scope of influence

Through the search of QUAKE assets system, there are as many as 1015870 GPON home gateway devices exposed on the Internet worldwide, of which Mexico, Kazakhstan and Georgia account for the majority. In China, as the number of exposed public networks provided by most devices for operators is not obvious, it is not possible to accurately calculate their impact.

0x03 repair recommendations and mitigation measures

Due to the different routing terminal providers, no unified patches have been released, so we recommend:

Check to confirm whether the home gateway uses GPON, and turn off the external access function of the device.

Actively communicate with operators to obtain the response measures provided by operators.

Is it helpful for you to read the above content? If you want to know more about the relevant knowledge or read more related articles, please follow the industry information channel, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.