ZBL EPON ONU Broadband Router 1.0 Remote Privilege Escalation Exploit

Title: ZBL EPON ONU Broadband Router 1.0 Remote Privilege Escalation Exploit
Advisory ID: ZSL-2021-5647
Type: Local/Remote
Impact: Privilege Escalation
Risk: (4/5)
Release Date: 01.04.2021
Summary
EONU-x GEPON ONU layer-3 home gateway/CPE broadband router.
Description
The application suffers from a privilege escalation vulnerability. The limited administrative user (admin:admin) can elevate his/her privileges by sending an HTTP GET request to the configuration backup endpoint or the password page, either of which discloses the HTTP super user password. Once authenticated as super, an attacker is granted access to additional, privileged functionality.
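The class of flaw described above, modeled as an added example that is not the vendor's firmware code or part of the original advisory: a backup export without a role check beside a hardened form, plus a regression check a tester can run on any response served to the limited user. The account store, record format, function names and the super password are constructed assumptions.

```python
import hashlib
import os
from dataclasses import dataclass

# Role names are from the advisory; the numeric levels are an assumption.
ROLE_LEVEL = {"admin": 1, "super": 2}

@dataclass(frozen=True)
class Account:
    name: str
    role: str
    password: str

# Constructed account store; the super password is a placeholder value.
ACCOUNTS = [Account("admin", "admin", "admin"),
            Account("super", "super", "S3cret-placeholder")]

def export_backup_vulnerable(caller_role: str) -> str:
    """Flaw as described: no role check, and passwords are written in recoverable form."""
    return "\n".join(f"user={a.name} role={a.role} password={a.password}"
                     for a in ACCOUNTS)

def verifier(password: str, salt: bytes) -> str:
    """Salted PBKDF2 value: enough to check a login, not usable to log in."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()

def export_backup_hardened(caller_role: str) -> str:
    """Role check first; the export carries verifiers, never passwords."""
    if ROLE_LEVEL.get(caller_role, 0) < max(ROLE_LEVEL.values()):
        raise PermissionError("configuration backup requires the super role")
    rows = []
    for a in ACCOUNTS:
        salt = os.urandom(16)  # a real store would persist salt and verifier
        rows.append(f"user={a.name} role={a.role} salt={salt.hex()} "
                    f"pbkdf2={verifier(a.password, salt)}")
    return "\n".join(rows)

def leaked_accounts(caller_role: str, body: str) -> list[str]:
    """Regression check: accounts above the caller whose password appears in body."""
    level = ROLE_LEVEL.get(caller_role, 0)
    return [a.name for a in ACCOUNTS
            if ROLE_LEVEL[a.role] > level and a.password in body]

if __name__ == "__main__":
    print(leaked_accounts("admin", export_backup_vulnerable("admin")))
```

The same `leaked_accounts` check applies to the password page: any body returned to the limited user that contains a higher role's secret is a failure.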
Vendor
Zhejiang BC&TV Technology Co., Ltd. (ZBL) - http://www.zblchina.com
W&D Corporation (WAD TECHNOLOGY (THAILAND)) - http://www.wd-thailand.com
Affected Version
Firmware: V100R001
Software model: HG104B-ZG-E / EONU-7114 / ZBL5932C CATV+PON Triple CPE
EONU Hardware Version V3.0
Software: V2.46.02P6T5S
Main Chip: RTL9607
Master Controller, Copyright (c) R&D
Tested On
GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
Vendor Status
[31.01.2021] Vulnerability discovered.
[01.02.2021] Contact with the vendor.
[01.04.2021] No response from the vendor.
[01.04.2021] Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://packetstormsecurity.com/files/162065/
[2] https://www.exploit-db.com/exploits/49737
[3] https://cxsecurity.com/issue/WLB-2021040010
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/199302
Changelog
[01.04.2021] - Initial release
[02.04.2021] - Added reference [1], [2] and [3]
[06.04.2021] - Added reference [4]
Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk