ZBL EPON ONU Broadband Router 1.0 Remote Privilege Escalation Exploit

Title: ZBL EPON ONU Broadband Router 1.0 Remote Privilege Escalation Exploit
Advisory ID: ZSL-2021-5647
Type: Local/Remote
Impact: Privilege Escalation
Risk: (4/5)
Release Date: 01.04.2021
Summary
EONU-x GEPON ONU layer-3 home gateway/CPE broadband router.
Description
The application suffers from a privilege escalation vulnerability. The limited administrative user (admin:admin) can elevate his/her privileges by sending an HTTP GET request to the configuration backup endpoint or the password page, either of which discloses the HTTP super user password. Once authenticated as super, an attacker is granted access to additional, privileged functionality.
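The control whose absence is described above, sketched as an added example (not the vendor's firmware code and not part of the original advisory): every page declares the minimum role it requires, and the configuration export never emits secrets or accounts above the caller's role. Role names, paths and sample accounts are hypothetical placeholders.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical roles; the advisory does not publish the firmware's code. */
enum role { ROLE_NONE = 0, ROLE_ADMIN = 1, ROLE_SUPER = 2 };

struct account { const char *name; enum role role; const char *password; };

/* Constructed sample accounts (not real device credentials). */
static const struct account accounts[] = {
    { "admin", ROLE_ADMIN, "example-admin-pw" },
    { "super", ROLE_SUPER, "example-super-pw" },
};

struct route { const char *path; enum role min_role; };

/* Placeholder paths: each sensitive page states the role it needs. */
static const struct route routes[] = {
    { "/PLACEHOLDER/status",        ROLE_ADMIN },
    { "/PLACEHOLDER/config-backup", ROLE_SUPER },
    { "/PLACEHOLDER/password",      ROLE_SUPER },
};

/* HTTP status: 200 allowed, 403 role too low, 404 unknown path (deny by default). */
int authorize(enum role caller, const char *path)
{
    for (size_t i = 0; i < sizeof routes / sizeof routes[0]; i++)
        if (strcmp(routes[i].path, path) == 0)
            return caller >= routes[i].min_role ? 200 : 403;
    return 404;
}

/* Serialise accounts for a backup. Secrets are never written and accounts
 * above the caller's role are skipped. Returns bytes written, -1 if truncated. */
int export_accounts(enum role caller, char *out, size_t cap)
{
    size_t used = 0;
    if (cap == 0) return -1;
    out[0] = '\0';
    for (size_t i = 0; i < sizeof accounts / sizeof accounts[0]; i++) {
        if (accounts[i].role > caller) continue;
        int n = snprintf(out + used, cap - used,
                         "user=%s;password=<redacted>\n", accounts[i].name);
        if (n < 0 || (size_t)n >= cap - used) return -1;
        used += (size_t)n;
    }
    return (int)used;
}
```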
Vendor
Zhejiang BC&TV Technology Co., Ltd. (ZBL) - http://www.zblchina.com
W&D Corporation (WAD TECHNOLOGY (THAILAND)) - http://www.wd-thailand.com
Affected Version
Firmware: V100R001
Software model: HG104B-ZG-E / EONU-7114 / ZBL5932C CATV+PON Triple CPE
EONU Hardware Version V3.0
Software: V2.46.02P6T5S
Main Chip: RTL9607
Master Controller, Copyright (c) R&D
Tested On
GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
Vendor Status
[31.01.2021] Vulnerability discovered.
[01.02.2021] Contact with the vendor.
[01.04.2021] No response from the vendor.
[01.04.2021] Public security advisory released.
PoC
zbl_router_privs.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://packetstormsecurity.com/files/162065/
[2] https://www.exploit-db.com/exploits/49737
[3] https://cxsecurity.com/issue/WLB-2021040010
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/199302
Changelog
[01.04.2021] - Initial release
[02.04.2021] - Added reference [1], [2] and [3]
[06.04.2021] - Added reference [4]
Contact
Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk