Related vulnerability
Title:
V-SOL G/EPON ONU HG323AC-B security vulnerability
(CVE-2024-30973)
Description: V-SOL G/EPON ONU HG323AC-B is a dual-band EasyMesh router made by the Chinese company V-SOL. V-SOL G/EPON ONU HG323AC-B version V2.0.08-210715 contains a security vulnerability. An attacker can exploit it to execute arbitrary code and obtain sensitive information by sending crafted POST requests to /boaform/getASPdata/formFirewall and /boaform/getASPdata/formAcc.
Description
POC VIDEO - https://youtu.be/hNzmkJj-ImM?si=NF0yoSL578rNy7wN
Introduction
# CVE-2024-30973 - V-SOL (G/EPON ONU - HG323AC-B)
# Device Description:
```
Item: G/EPON ONU
Specification: HG323AC-B
Device model XPON+2GE+1POTS+2WIFI+USB
Device SN 70B64F-1234570B64F0C2C0C
Hardware Version V1.0
Firmware Version V2.0.08-210715
PON S/N GPON000C2C0C
```
## Vulnerability Type:
Incorrect Access Control
## Vulnerability Description:
To exploit the vulnerability, it is necessary to be authenticated as a low-privileged user, since that is enough to execute administrator functions (disable the firewall, enable SSH or Telnet, etc.).
After obtaining credentials, retrieve the token mask of the current user by accessing `http://IP/boaform/getASPdata/FMask`.
With a valid token, a POST request that disables the firewall can be assembled using the token of a user who does not have this permission. The endpoint that disables the firewall is `/boaform/getASPdata/formFirewall`, with the parameters `FirewallLevel=0&DosEnable=0&csrfMask=USER ID`.
As a result, the application responds with SUCCESS.
With the firewall disabled, SSH can be enabled through another POST request to `/boaform/getASPdata/formAcc`, with the parameter `l_ssh SSH` set to 1.
In this way, the firewall can be disabled, SSH enabled, and the same low-privileged user can log in over SSH.
The application does not enforce per-user authorization correctly: the server validates the csrfMask token but does not check whether the token's owner is allowed to call the administrator-only form handlers.
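To illustrate the access-control defect described above, the following is an added, hypothetical model of the server-side check (it is not the device's firmware code). The session table, token strings, role names and the set of admin-only form paths are all assumptions made for the example; the vulnerable handler accepts any valid csrfMask, while the hardened one also checks the caller's role.

```python
# Constructed session table: csrfMask token -> (username, role).
# These values are invented for the example and are not real device data.
SESSIONS = {
    "mask-admin-0001": ("admin", "admin"),
    "mask-user-0002": ("user", "user"),
}

# Form handlers that change security settings and must be admin-only
# (assumed mapping; the paths are the ones named in the advisory).
ADMIN_ONLY = {
    "/boaform/getASPdata/formFirewall",  # FirewallLevel / DosEnable
    "/boaform/getASPdata/formAcc",       # l_ssh and other service toggles
}


def handle_vulnerable(path: str, params: dict) -> str:
    """Model of the defect: a valid csrfMask is treated as sufficient
    authorization for every handler, regardless of the owner's role."""
    if params.get("csrfMask") not in SESSIONS:
        return "ERROR: invalid token"
    return "SUCCESS"


def handle_fixed(path: str, params: dict) -> str:
    """Hardened variant: token validation plus a server-side role check
    before any admin-only handler is allowed to run."""
    session = SESSIONS.get(params.get("csrfMask"))
    if session is None:
        return "ERROR: invalid token"
    _user, role = session
    if path in ADMIN_ONLY and role != "admin":
        return "ERROR: forbidden"
    return "SUCCESS"


if __name__ == "__main__":
    # The same low-privileged request, as described in the advisory,
    # succeeds against the vulnerable check and is refused by the fixed one.
    req = {"FirewallLevel": "0", "DosEnable": "0", "csrfMask": "mask-user-0002"}
    print(handle_vulnerable("/boaform/getASPdata/formFirewall", req))  # SUCCESS
    print(handle_fixed("/boaform/getASPdata/formFirewall", req))       # ERROR: forbidden
```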
## Vulnerability Impact:
The vulnerability allows a non-privileged user to disable all of the firewall rules, open any available service (SSH, TELNET, FTP) and connect to it, causing RCE through SSH. Only do it against infrastructure for which you have received permission to test.
### POC VIDEO - https://youtu.be/hNzmkJj-ImM?si=HXTD3X0lMlA88AzH
### See Also:
- [V-SOL G/EPON HG323AC-B](https://www.vsolcn.com/product/2ge-1pots-wifi5-1usb-mesh-onu-hg323acb)
File snapshot
[4.0K] /data/pocs/a1176a12d6d99cdee92d99c1fd5b23dfbc4b7c2b
└── [1.8K] README.md
0 directories, 1 file
Notes
1. It is recommended to access the POC through the original source first.
2. If the source is no longer available or cannot be accessed, send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.