Author：dawu@Knownsec 404 Team
Date: May 4, 2018
Chinese Version: https://paper.seebug.org/593/
On April 30,2018,
vpnMentor released the high-risk vulnerability of the
GPON router: Validation Bypass Vulnerability (CVE-2018-10561) and Command Injection Vulnerability (CVE-2018-10562). With these two vulnerabilities, you can simply execute a command on the
GPON Router by sending a single request. Based on the recurrence of this vulnerability, this paper analyzes the reason for the existence of its related vulnerabilities.
0x01 Vulnerability File Location
For the remote command execution vulnerability, using the
ps command can locate the vulnerability accurately.
It can be clearly seen that the process 14650 executed our command and found the previous process
14649 root /bin/WebMgr -p 20 -s 0. Because
pid is incremented, it is likely that the
/bin/WebMgr file has a vulnerability.
0x02 Vulnerability Analysis
After getting the
/lib/ files of a device, we start the analysis.
2.1 Before Analysis
Before the analysis, I've studied how the vunerability was exploited and the web server was found to be
According to the
Server field, the version of the web server <=
GoAhead 2.5.0 (
GoAhead 3.x version of
Server defaults to
After trying the existing vulnerabilities of
GoAhead 2.x series(https://www.seebug.org/search/?keywords=goahead&page=2) with no results, I thought that the web server may have got a secondary development based on the
2.2 Verifying Bypass Vulnerabilities
ida and found that the function flow is not complete, so I used a simple and rude way to directly search for
images/ and located the function
But this function is not called in
WebMgr, so here we can make a reasonable guess with the vulnerability:
When the function returns 0, it means no verification is required
Combined with the function logic, we can know that when
script/, it can also bypass the verification.
2.3 Command Execution Vulnerability
Since I have read the source code of
GoAhead 2.1.8 before, I knew that the logic of
cgi defined in
First define the function to be called by different cgi interface through websFormDefine, then load websFormHandler through websUrlHandlerDefine
websFormDefine((int)"FLoidForm", (int)sub_1C918); websUrlHandlerDefine("/GponForm", 0, 0, &websFormHandler, 0);
This means when
url starts with
/GponForm, it will be processed by
websFormHandler will look for various paths defined by
websFormDefine() and then call the corresponding function. Here, when you access
sub_1C918 is called to complete the related operations.
exp, the command execution is finally implemented by sending a request to
/GponForm/diag_Form. According to the above, you can find that
/GponForm/diag_Form calls the function
sub_1A390. Combined with the call flow of
system(), we can know that
sub_1A684 and finally executes the command through
According to the process analysis as shown below:
sub_1A684, it is mainly judged whether the incoming
dest_host is legal. If it is illegal or cannot be resolved, it will be processed as follows:
This can also be verified from the results of our first diagram: Execution of the
0x03 Scope of Influence
According to the detection result of
ZoomEye Cyberspace Search Engine, a total of
2141183 routers may be affected by this vulnerability.
The relevant country distribution is as shown:
After analyzing the vulnerability, we tried to find the vendor to which the router belongs. Under
/web/images/, we found a number of domestic and foreign vendors'
logo, but there was no other evidence that these routers belong to these vendors.
After consulting other materials, we prefer that these routers are products of
ODM. Because it is difficult to find a manufacturer, the repair work will be more difficult. Because the vulnerability has a wide range of impacts, it is easy to use and has great harm. It is very likely that major botnet families will include this vulnerability in their utilization library, and we should be vigilant to this.
vpnMentorhave released the vulnerability of the
Seebug vulnerability platformhave recorded this vulnerability
- Results from
ZoomEye cyberspace search engine
About Knownsec & 404 Team
Beijing Knownsec Information Technology Co., Ltd. was established by a group of high-profile international security experts. It has over a hundred frontier security talents nationwide as the core security research team to provide long-term internationally advanced network security solutions for the government and enterprises.
Knownsec's specialties include network attack and defense integrated technologies and product R&D under new situations. It provides visualization solutions that meet the world-class security technology standards and enhances the security monitoring, alarm and defense abilities of customer networks with its industry-leading capabilities in cloud computing and big data processing. The company's technical strength is strongly recognized by the State Ministry of Public Security, the Central Government Procurement Center, the Ministry of Industry and Information Technology (MIIT), China National Vulnerability Database of Information Security (CNNVD), the Central Bank, the Hong Kong Jockey Club, Microsoft, Zhejiang Satellite TV and other well-known clients.
404 Team, the core security team of Knownsec, is dedicated to the research of security vulnerability and offensive and defensive technology in the fields of Web, IoT, industrial control, blockchain, etc. 404 team has submitted vulnerability research to many well-known vendors such as Microsoft, Apple, Adobe, Tencent, Alibaba, Baidu, etc. And has received a high reputation in the industry.
本文由 Seebug Paper 发布，如需转载请注明来源。本文地址：https://paper.seebug.org/983/