HackDig : Dig high-quality web security articles for hacker

Dasan Networks GPON ONT WiFi Router H64X Series Cross-Site Request Forgery

2017-07-13 18:20
Title: Dasan Networks GPON ONT WiFi Router H64X Series Cross-Site Request Forgery
Advisory ID: ZSL-2017-5422
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 12.07.2017
Summary
H64xx is comprised of one G-PON uplink port and four portsof Gigabit Ethernet downlink supporting 10/100/1000Base-T (RJ45). Ithelps service providers to extend their core optical network all theway to their subscribers, eliminating bandwidth bottlenecks in thelast mile. H64xx is integrated device that provide the high qualityInternet, telephony service (VoIP) and IPTV or OTT content for homeor office. H64xx enable the subscribers to make a phone call whosequality is equal to PSTN at competitive price, and enjoy the highquality resolution live video and service such as VoD or High SpeedInternet.
Description
The application interface allows users to perform certain actionsvia HTTP requests without performing any validity checks to verify therequests. This can be exploited to perform certain, if not all actionswith administrative privileges if a logged-in user visits a maliciousweb site.
Vendor
Dasan Networks - http://www.dasannetworks.com
Affected Version
Model:
H640GR-02
H640GV-03
H640GW-02
H640RW-02
H645G

Firmware:
3.03p1-1145
3.03-1144-01
3.02p2-1141
2.77p1-1125
2.77-1115
2.76-9999
2.76-1101
2.67-1070
2.45-1045
Tested On
Server: lighttpd/1.4.31
Server: DasanNetwork Solution
Vendor Status
[19.05.2017] Vulnerability discovered.
[30.05.2017] Vendor contacted.
[30.05.2017] Vendor replied asking more details.
[31.05.2017] Sent details to the vendor.
[01.06.2017] Vendor provides latest firmware version 3.03-1144-01.
[01.06.2017] Working with the vendor.
[05.07.2017] Vendor responds that the 3.03 version has some fixes like backup file password security. Vendor asks if it's possible to test on latest version.
[05.07.2017] Replied to the vendor that if they provide a sample, we can execute.
[05.07.2017] Vendor provides public IP access to test version 3.03p1-1145. Config download fixed with 7z password protection.
[05.07.2017] Informed the vendor about the other issues.
[05.07.2017] Vendor replied.
[13.07.2017] Asked vendor for status update.
[13.07.2017] Vendor will fix remaining issues in next FW release. No confirmed date for new release.
[13.07.2017] Coordinated public security advisory released.
PoC
dasan-h64_csrf.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
N/A
Changelog
[12.07.2017] - Initial release
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk


Source: php.2245-7102-LSZ/seitilibarenluv/ne/km.ecneicsorez.www

Read:3579 | Comments:0 | Tags:No Tag

“Dasan Networks GPON ONT WiFi Router H64X Series Cross-Site Request Forgery”0 Comments

Submit A Comment

Name:

Email:

Blog :

Verification Code:

Announce

Share high-quality web security related articles with you:)

Tools

Tag Cloud