
Dasan Networks GPON ONT WiFi Router H64X Series Cross-Site Request Forgery

Medium
Advisory ID
ZSL-2017-5422
Release Date
12 July 2017
Vendor
Affected Version
Model: H640GR-02, H640GV-03, H640GW-02, H640RW-02, H645G
Firmware: 3.03p1-1145, 3.03-1144-01, 3.02p2-1141, 2.77p1-1125, 2.77-1115, 2.76-9999, 2.76-1101, 2.67-1070, 2.45-1045
CVE
N/A
Tested On
Server: lighttpd/1.4.31, Server: DasanNetwork Solution
Summary

H64xx is comprised of one G-PON uplink port and four ports of Gigabit Ethernet downlink supporting 10/100/1000Base-T (RJ45). It helps service providers to extend their core optical network all the way to their subscribers, eliminating bandwidth bottlenecks in the last mile. H64xx is an integrated device that provides high quality Internet, telephony service (VoIP) and IPTV or OTT content for home or office. H64xx enables subscribers to make phone calls whose quality is equal to PSTN at a competitive price, and enjoy high quality resolution live video and services such as VoD or High Speed Internet.

Description

The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain, if not all, actions with administrative privileges if a logged-in user visits a malicious web site.
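The kind of validity check the description says is missing, as an added example that is not part of the original advisory and is not the vendor's code. It combines an Origin/Referer comparison with a session-bound token; the function names, the `csrf_token` form field and the documentation address 192.0.2.1 are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Assumption: a random secret generated at boot and never sent to the browser.
SERVER_KEY = secrets.token_bytes(32)
# Assumption: the interface changes state only through these methods.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def issue_csrf_token(session_id: str) -> str:
    """Token bound to one admin session; the UI embeds it in every form it serves."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(headers: dict, expected_host: str) -> bool:
    """Accept only requests whose Origin (or Referer fallback) is the UI itself."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # fail closed when the browser sent neither header
    return urlsplit(source).netloc.lower() == expected_host.lower()


def validate_request(method, headers, form, session_id, expected_host):
    """Return (allowed, reason) for a request that already carries a valid session."""
    if method.upper() not in STATE_CHANGING:
        return True, "safe method"
    if not same_origin(headers, expected_host):
        return False, "cross-origin source"
    supplied = form.get("csrf_token", "").encode()
    expected = issue_csrf_token(session_id).encode()
    if not hmac.compare_digest(supplied, expected):  # constant-time comparison
        return False, "missing or invalid token"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests; 192.0.2.1 is a documentation address.
    sid, host = "constructed-session-id", "192.0.2.1"
    own_form = validate_request("POST", {"Origin": "http://192.0.2.1"},
                                {"csrf_token": issue_csrf_token(sid)}, sid, host)
    foreign = validate_request("POST", {"Origin": "http://other.example"},
                               {}, sid, host)
    print("UI form:", own_form)
    print("Foreign page:", foreign)
```

A session cookie alone cannot separate these two requests, because the browser attaches it to both; the token and the origin comparison are what tell them apart.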

Proof of Concept
Disclosure Timeline
19.05.2017 - Vulnerability discovered.
30.05.2017 - Vendor contacted.
30.05.2017 - Vendor replied asking more details.
31.05.2017 - Sent details to the vendor.
01.06.2017 - Vendor provides latest firmware version 3.03-1144-01.
01.06.2017 - Working with the vendor.
05.07.2017 - Vendor responds that the 3.03 version has some fixes like backup file password security. Vendor asks if it's possible to test on latest version.
05.07.2017 - Replied to the vendor that if they provide a sample, we can execute.
05.07.2017 - Vendor provides public IP access to test version 3.03p1-1145. Config download fixed with 7z password protection.
05.07.2017 - Informed the vendor about the other issues.
05.07.2017 - Vendor replied.
13.07.2017 - Asked vendor for status update.
13.07.2017 - Vendor will fix remaining issues in next FW release. No confirmed date for new release.
13.07.2017 - Coordinated public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
12.07.2017 - Initial release
01.08.2017 - Added reference [1], [2] and [3]
15.11.2017 - Added reference [4]