GPON is one of the widely used internet and the highest speed, longest life, lowest cost network infrastructure available in the market. Offering a genuine future‐proof access network with flexibility and upgrade capability well into the future.
There is 2 critical vulnerability involved in this flaw and those combined 2 (CVE-2018-10561 & CVE-2018-10562) vulnerabilities allow attacker could take over and gain complete control the device and the network.
- CVE-2018-10561 –a way to bypass all authentication on the devices
- (CVE-2018-10562- command injection vulnerability to execute commands on the device
Mainly this flaw exploits the authentication mechanism using first vulnerability which leads to attack bypass all the authentication.
Bypass Router Using Simple Trick
Primary flow found in HTTP servers that usually check the specific path when performing the authentication process which allows bypassing authentication on any endpoint system with a simple trick.
An attack can bypass the endpoint by just adding ?images/ to the URL which works on both HTML pages and GponForm/.
According to vpnmentor, While looking through the device functionalities, we noticed the diagnostic endpoint contained the ping and traceroute commands. It didn’t take much to figure out that the commands can be injected by the host parameter.
Since the router saves ping results in /tmp and transmits it to the user when the user revisits /diag.html, it’s quite simple to execute commands and retrieve their output with the authentication bypass vulnerability.
you can see the video that demonstrates the exploitation of the critical RCE flow.
Researchers have tested many of the GPON routers and they find the same flow in so many routers.