About 17 vulnerabilities and backdoors were identified in FiberHome devices

On FiberHome routers used by providers to connect subscribers to GPON optical communication lines, 17 security issues were identified, including backdoors with predefined credentials that allow remote control of the equipment. The issues allow a remote attacker to gain root access to the device without authentication.

So far, the vulnerabilities have been confirmed in FiberHome HG6245D and RP2602 devices, and partially in AN5506-04-* devices, but they may affect other router models from this company that have not been tested.

It is noted that, by default, IPv4 access to the administrator interface of the studied devices is limited to the internal network interface, so it is reachable only from the local network; IPv6 access, however, is not restricted at all, so the existing backdoors can be used over IPv6 from the external network.

In addition to the web interface, which works over HTTP/HTTPS, the devices provide a function for remotely activating a command-line interface that is then reachable via telnet.

The CLI is activated by sending a special HTTPS request with predefined credentials. In addition, a stack overflow vulnerability was found in the HTTP server that serves the web interface; it is triggered by a request with a specially crafted HTTP cookie value.

FiberHome HG6245D routers are GPON FTTH routers. They are mainly used in South America and Southeast Asia (according to Shodan). These devices are competitively priced but quite powerful, with plenty of memory and storage.

Some of the vulnerabilities have been successfully tested against other FiberHome devices (AN5506-04-FA, firmware RP2631, April 4, 2019). FiberHome devices share a fairly similar code base, so other FiberHome devices (AN5506-04-FA, AN5506-04-FAT, AN5506-04-F) are likely vulnerable as well.

In total, the researcher identified 17 security problems: 7 affect the HTTP server, 6 the telnet server, and the rest are system-wide weaknesses.

The manufacturer was notified of the identified problems a year ago, but no information about a fix has been received.

Among the problems identified are the following:

  • Leakage of information about subnets, firmware, FTTH connection ID, IP and MAC addresses before authentication.
  • Storage of user passwords in the registry in clear text.
  • Plain-text storage of wireless network credentials and passwords.
  • Stack overflow in the HTTP server.
  • The presence in the firmware of a private key for SSL certificates, which can be downloaded via HTTPS ("curl https://host/privkeySrv.pem").

At first glance, the attack surface is not huge:
  • Only HTTP/HTTPS is listening by default on the LAN.
  • A telnetd CLI (not accessible by default) can also be enabled on port 23/tcp by using hard-coded credentials in the web administration interface.

Also, due to the lack of a firewall for IPv6 connectivity, all internal services are accessible via IPv6 (from the Internet).
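The IPv6 exposure described above is easy to miss because IPv4 filtering looks correct. The following audit script is an added example (not part of the article or of the researcher's work) that applies the same reasoning to a device with shell access: it parses the text of `ss -H -ltn` and of `ip6tables -S INPUT` and flags management ports bound to the IPv6 wildcard address while the IPv6 INPUT chain still defaults to ACCEPT. The socket and firewall listings, the interface name `br0` and the port-to-service map are constructed for the example; the policy check is deliberately simplified (it only looks at the chain's default policy).

```python
"""Audit listening TCP sockets for management services exposed over IPv6.

Inputs are plain text as produced by `ss -H -ltn` (no header) and
`ip6tables -S INPUT`. Both sample listings below are constructed.
"""
import re

# Management ports mentioned in the article (assumed mapping for the example).
MGMT_PORTS = {
    23: "telnet CLI",
    26: "root telnetd started from the CLI",
    80: "HTTP administration",
    443: "HTTPS administration",
}

# Constructed `ss -H -ltn` output: IPv4 listeners are bound to the LAN
# address or wildcard, IPv6 listeners to the wildcard "::".
SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 [::]:80 [::]:*
LISTEN 0 128 [::]:443 [::]:*
LISTEN 0 5 192.168.1.1:23 0.0.0.0:*
LISTEN 0 5 [::]:23 [::]:*
LISTEN 0 5 127.0.0.1:8080 0.0.0.0:*
"""

# Constructed `ip6tables -S INPUT` output: no IPv6 filtering at all.
IP6TABLES_UNFILTERED = """\
-P INPUT ACCEPT
"""

# Constructed `ip6tables -S INPUT` output: default DROP, admin ports only
# from the LAN bridge (br0 is an assumed interface name).
IP6TABLES_FILTERED = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -p tcp -m multiport --dports 80,443 -j ACCEPT
"""


def parse_listeners(ss_text):
    """Return (family, address, port) for every LISTEN line of `ss -ltn` output."""
    listeners = []
    for line in ss_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue
        local = parts[3]  # Local Address:Port column
        m6 = re.fullmatch(r"\[(.*)\]:(\d+)", local)
        if m6:
            listeners.append(("ipv6", m6.group(1), int(m6.group(2))))
        else:
            addr, port = local.rsplit(":", 1)
            listeners.append(("ipv4", addr, int(port)))
    return listeners


def ipv6_input_defaults_to_accept(ip6tables_text):
    """True when the IPv6 INPUT chain has no DROP/REJECT default policy."""
    for line in ip6tables_text.splitlines():
        if line.startswith("-P INPUT "):
            return line.split()[2] == "ACCEPT"
    return True  # no policy line at all: treat as unfiltered


def ipv6_exposed_services(ss_text, ip6tables_text):
    """Management ports reachable from any IPv6 peer.

    A port counts as exposed when it is bound to the IPv6 wildcard "::" and
    the IPv6 INPUT chain accepts by default (simplified check).
    """
    if not ipv6_input_defaults_to_accept(ip6tables_text):
        return []
    return sorted(
        port
        for family, addr, port in parse_listeners(ss_text)
        if family == "ipv6" and addr == "::" and port in MGMT_PORTS
    )


if __name__ == "__main__":
    for label, rules in (("unfiltered", IP6TABLES_UNFILTERED),
                         ("filtered", IP6TABLES_FILTERED)):
        exposed = ipv6_exposed_services(SS_OUTPUT, rules)
        print(label, [f"{p}/tcp ({MGMT_PORTS[p]})" for p in exposed])
```

On a real device the same check should be repeated against `nft list ruleset` where nftables is in use, and against per-interface ACCEPT rules, which this simplified policy check does not evaluate.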

Regarding the backdoor identified for telnet activation, the researcher notes that the HTTP server code contains a special request handler, "/Telnet", as well as a "/fh" handler for privileged access.

Additionally, hard-coded authentication parameters and passwords were found in the firmware. In total, 23 accounts were identified in the HTTP server code, linked to different providers. As for the CLI, it can start a separate telnetd process with root privileges on network port 26 by passing a base64-encoded script, in addition to defining a general password, "GEPON", for connecting to telnet.
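Until a fix is available, the indicators the article names (the "/Telnet" and "/fh" handlers, the downloadable "/privkeySrv.pem", and an oversized cookie aimed at the HTTP server's stack overflow) can at least be detected in traffic to the device. The following detection routine is an added example, not code from the article or the researcher: it classifies captured HTTP request heads, as a proxy or IDS in front of the router would see them. The sample requests, the source addresses and the 1024-byte cookie threshold are constructed for the example; the path list comes from the article.

```python
"""Flag HTTP requests to a FiberHome-style router that match the article's indicators.

Each request is a (source address, raw request head) pair as a proxy or IDS
might capture it. All sample data below is constructed.
"""

# Request paths named in the article, matched case-insensitively.
SUSPICIOUS_PATHS = {
    "/telnet": "telnet activation handler",
    "/fh": "privileged access handler",
    "/privkeysrv.pem": "TLS private key download",
}

# Assumed threshold: real session cookies on such devices are far shorter.
MAX_COOKIE_LEN = 1024

# Constructed sample traffic: one benign request, two backdoor-path requests
# arriving over IPv6, and one request carrying an oversized Cookie header.
SAMPLE_REQUESTS = [
    ("192.168.1.20",
     "GET /index.html HTTP/1.1\r\nHost: 192.168.1.1\r\nCookie: sessionid=abc123\r\n\r\n"),
    ("2001:db8::1",
     "GET /Telnet HTTP/1.1\r\nHost: [2001:db8::100]\r\n\r\n"),
    ("2001:db8::1",
     "GET /privkeySrv.pem HTTP/1.1\r\nHost: [2001:db8::100]\r\n\r\n"),
    ("203.0.113.7",
     "GET /login.html HTTP/1.1\r\nHost: 192.168.1.1\r\nCookie: " + "A" * 2000 + "\r\n\r\n"),
]


def parse_request_head(raw):
    """Split a raw HTTP request head into (method, path, headers).

    Header names are lower-cased; the query string is dropped from the path.
    """
    lines = raw.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:  # blank line ends the head
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    path = target.split("?", 1)[0]
    return method, path, headers


def classify(src, raw):
    """Return a list of human-readable findings for one request (empty if benign)."""
    method, path, headers = parse_request_head(raw)
    findings = []
    reason = SUSPICIOUS_PATHS.get(path.lower())
    if reason:
        findings.append(f"{src} {method} {path}: {reason}")
    cookie_len = len(headers.get("cookie", ""))
    if cookie_len > MAX_COOKIE_LEN:
        findings.append(
            f"{src} {method} {path}: oversized Cookie header ({cookie_len} bytes)")
    return findings


def scan(requests):
    """Classify every captured request and return all findings in order."""
    findings = []
    for src, raw in requests:
        findings.extend(classify(src, raw))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

Any hit on the backdoor paths from an address outside the LAN is worth an alert on its own; combined with the IPv6 exposure described earlier, the source address of such hits also tells you which interface the device is really reachable on.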

Finally, if you are interested in knowing more about it, you can check the following link.

