Fiberhome AN5506 OS Command Injection (CVE-2021-42912)
--
FiberHome ONU GPON AN5506 is affected by an OS command injection vulnerability. This vulnerability allows the attacker, once logged in, to send commands to the operating system as the root user via the ping diagnostic tool, bypassing the IP address field, and concatenating OS commands with a semicolon.
Hello, guys! So, here I share info about a new vulnerability in Fiberhome ONU GPON reported by me and how it works.
Affected Versions
DEVICE MODEL    SOFTWARE VER.
AN5506-01-A     RP0509
AN5506-01-B     RP2610
AN5506-02-B     RP2520
AN5506-02-B     RP2521
AN5506-02-B     RP2603
AN5506-04-B     RP2510
AN5506-04-F     RP2617
AN5506-04-G2G   RP2560

Firstly, I'll explain how I got to this vulnerability.
I was having some problems with my internet connection, specifically with ping packets: I couldn't ping any internet address, neither from my operating system nor from my virtual machine or a system booted in live mode. So, to understand what was happening, I decided to perform a ping diagnosis from my router, and that was where it all started.
Initially I didn't think about exploiting it or anything like that. But the response time of each packet induced me to try to change the number of replies so that it replied with only one packet... and I succeeded.
This is how it should be run on the server side:
ping -c 1 8.8.8.8
After realizing that I had an OS command injection vulnerability on my hands, I tried to bypass the ping command and execute commands directly.
On Linux in particular, it is possible to chain the execution of commands using a semicolon: the shell runs each command in turn, whether or not the previous one succeeded.
Example: ping -c 1 8.8.8.8; whoami
So I bypassed it with the following command:
ping ;whoami;id; cat /proc/version
In the source code of the page (/application/ping_diagnosis.asp) I found these JavaScript functions that refer to the ping function.
Apparently there are some validations on the IP address field (ping_ip), but only one of the rules specifically prevents entries containing the pipe "|" character.
For the challenge, I tried to bypass this validation with URL encoding, and it was also possible to run commands.
This vulnerability exists only because the user input is never validated on the server: the JavaScript checks run in the browser and do not protect the command that is actually executed on the device.
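As an added illustration (not code from the device or from the author), here is the pattern behind this bug in Python: a hypothetical client_side_check that mirrors the pipe-only rule described above, a vulnerable_command builder that splices the field into a shell command line, and a safe_ping_argv that parses the value as an IP literal and returns an argv list for subprocess.run with shell=False. All function names are assumed; the device's real server-side code is not shown on the page.

```python
import ipaddress
from urllib.parse import unquote


# Hypothetical reconstruction of the client-side rule described in the
# write-up: the ping_ip field only rejects the pipe character, so ';'
# (and its URL-encoded form %3B) passes straight through.
def client_side_check(ping_ip: str) -> bool:
    return "|" not in ping_ip


# Vulnerable pattern (constructed for illustration): the server trusts the
# field and splices it into a command line that /bin/sh will parse, so a
# ';' in the value starts a second command. Returned as a string only; it
# is never executed here.
def vulnerable_command(ping_ip: str, count: int = 1) -> str:
    return f"ping -c {count} {ping_ip}"


# Hardened pattern: decode exactly once, parse the value as an IPv4/IPv6
# literal (anything else, including ';', spaces or quotes, is rejected),
# bound the count, and return an argv list for subprocess.run(argv) with
# shell=False so no shell ever interprets the user-supplied value.
def safe_ping_argv(ping_ip: str, count: int = 1) -> list:
    decoded = unquote(ping_ip)
    try:
        addr = ipaddress.ip_address(decoded)
    except ValueError:
        raise ValueError(f"rejected ping target: {ping_ip!r}")
    if not 1 <= count <= 10:
        raise ValueError("count out of range")
    return ["ping", "-c", str(count), str(addr)]


# Convenience wrapper so callers (and tests) can ask whether a given field
# value would be accepted by the hardened server-side check.
def server_accepts(ping_ip: str) -> bool:
    try:
        safe_ping_argv(ping_ip)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: a clean address and the write-up's payload shape.
    for value in ("8.8.8.8", "8.8.8.8;whoami", "8.8.8.8%3Bwhoami"):
        print(value, "client:", client_side_check(value), "server:", server_accepts(value))
```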
Reference: https://portswigger.net/web-security/os-command-injection
CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42912
NVD: https://nvd.nist.gov/vuln/detail/CVE-2021-42912
*The vendor was contacted in 10/2021 via e-mail, but so far there has been no response.