Fiberhome AN5506 OS Command Injection (CVE-2021-42912)

Windsor Moreira
3 min read · Dec 15, 2021


FiberHome ONU GPON AN5506 is affected by an OS command injection vulnerability. Once logged in, an attacker can send commands to the operating system as the root user via the ping diagnostic tool, by supplying OS commands in the IP address field, concatenated with a semicolon.

Hello, guys! So, here I share information about a new vulnerability in the Fiberhome ONU GPON that I reported, and how it works.

Affected Versions

Device model    Software version
AN5506-01-A     RP0509
AN5506-01-B     RP2610
AN5506-02-B     RP2520
AN5506-02-B     RP2521
AN5506-02-B     RP2603
AN5506-04-B     RP2510
AN5506-04-F     RP2617
AN5506-04-G2G   RP2560

Firstly, I’ll explain how I got to this vulnerability.

I was having some problems with my internet connection, specifically with ping packets: I couldn’t ping any internet address, neither from my operating system nor from my virtual machine or a system booted in live mode. So, to understand what was happening, I decided to perform a ping diagnosis from my router, and that was where it all started.

Ping diagnosis page

Initially I didn’t think about exploiting it or anything like that. But the response time of each packet induced me to try changing the number of replies so that it replied with only one packet... and I succeeded.

How this should be run on the server side:

ping -c 1 8.8.8.8
Output of the manipulated ping command.

After realizing that I had an OS command injection vulnerability on my hands, I tried to bypass the ping command and execute commands directly.

On the Linux operating system in particular, it is possible to chain the execution of commands using a semicolon.

Example: ping -c 1 8.8.8.8; whoami

So I bypassed it with the following command:

ping ;whoami;id; cat /proc/version
Output of the manipulated ping command.

In the source code of the page (/application/ping_diagnosis.asp) I found these JavaScript functions that refer to the ping function.

Input validations (or not?)

Apparently there are some validations on the IP address field (ping_ip), but only one of the rules specifically prevents entries containing the pipe “|” character.

For the challenge, I tried to bypass this validation with URL encoding, and it was also possible to run commands.

Pipe character, URL encoded
Bypass with the URL-encoded pipe character

This vulnerability is only possible because user input is not validated before it reaches the operating system.

Function that receives ping_ip.value without validation.
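As an added example (not code from the post and not FiberHome's firmware), here is the root cause from a defender's side: the shell-string pattern the post describes next to a hardened handler that validates the decoded value as an IP address on the server and runs ping without a shell, plus a small detector that flags request-log entries whose ping_ip would fail that validation. The field names ping_ip and ping_count, the use of a GET query string, and the log lines are assumptions constructed for illustration; only the /application/ping_diagnosis.asp path comes from the post.

```python
"""Added example: hardened ping diagnostic vs. the injectable pattern, and log detection.
Field names, the GET query string and the log lines are constructed assumptions."""

import ipaddress
import subprocess
from typing import List, Tuple
from urllib.parse import parse_qs, unquote, urlparse


# --- The injectable pattern described in the post ----------------------------
def vulnerable_command(ping_ip: str, count: str = "4") -> str:
    """Build one shell string from user input. Shown only to make the flaw
    visible: a ';' or '|' inside ping_ip ends the ping command and starts
    another, and a client-side blocklist of '|' cannot stop a URL-encoded one."""
    return f"ping -c {count} {ping_ip}"


# --- Hardened version ----------------------------------------------------------
def build_ping_argv(ping_ip: str, count: str = "4") -> List[str]:
    """Return an argv list for ping, or raise ValueError.

    Validation is done on the server, on the *decoded* value, so '%7C' is
    rejected exactly like a literal '|'. Parsing the field as an IP address
    (allowlist) rejects every shell metacharacter at once, instead of
    blocklisting single characters."""
    decoded = unquote(ping_ip).strip()
    try:
        addr = ipaddress.ip_address(decoded)  # ValueError on anything that is not an IP
    except ValueError:
        raise ValueError(f"ping_ip is not a valid IP address: {decoded!r}")
    try:
        n = int(count)
    except ValueError:
        raise ValueError("ping_count must be an integer")
    if not 1 <= n <= 10:
        raise ValueError("ping_count out of range")
    # argv list, no shell: the address is a single argument, nothing can be chained
    return ["ping", "-c", str(n), str(addr)]


def is_valid_ping_request(ping_ip: str, count: str = "4") -> bool:
    """Boolean wrapper used by the detector and tests."""
    try:
        build_ping_argv(ping_ip, count)
        return True
    except ValueError:
        return False


def run_ping(ping_ip: str, count: str = "4") -> str:
    """Execute the validated ping without a shell (subprocess argv form)."""
    argv = build_ping_argv(ping_ip, count)
    result = subprocess.run(argv, capture_output=True, text=True, timeout=30)
    return result.stdout


# --- Detection over access-log lines -------------------------------------------
# Constructed sample log (combined-log style); assumes the diagnostic is a GET request.
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Dec/2021:10:00:00 +0000] "GET /application/ping_diagnosis.asp?ping_ip=8.8.8.8&ping_count=1 HTTP/1.1" 200 512',
    '192.0.2.10 - - [15/Dec/2021:10:00:05 +0000] "GET /application/ping_diagnosis.asp?ping_ip=8.8.8.8%3Bwhoami%3Bid&ping_count=1 HTTP/1.1" 200 640',
    '192.0.2.10 - - [15/Dec/2021:10:00:09 +0000] "GET /application/ping_diagnosis.asp?ping_ip=8.8.8.8%7Cid HTTP/1.1" 200 590',
    '192.0.2.11 - - [15/Dec/2021:10:01:00 +0000] "GET /index.asp HTTP/1.1" 200 1024',
]


def suspicious_ping_requests(log_lines) -> List[Tuple[str, str]]:
    """Return (decoded ping_ip, reason) for requests whose ping_ip fails validation.
    parse_qs already URL-decodes the values, so encoded metacharacters surface here."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 7:
            continue
        path = parts[6]  # request target in combined-log format
        if not path.startswith("/application/ping_diagnosis.asp"):
            continue
        query = parse_qs(urlparse(path).query)
        for value in query.get("ping_ip", []):
            try:
                build_ping_argv(value)
            except ValueError as exc:
                hits.append((value, str(exc)))
    return hits


if __name__ == "__main__":
    for value, reason in suspicious_ping_requests(SAMPLE_LOG):
        print(f"suspicious ping_ip {value!r}: {reason}")
```

The allowlist check is the important part: it replaces the page's single "no pipe" rule with "must parse as an IP address", so semicolons, pipes and their encoded forms all fail for the same reason, and the argv call to subprocess means the value is never interpreted by a shell even if validation were later relaxed.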

Reference: https://portswigger.net/web-security/os-command-injection

CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42912
NVD: https://nvd.nist.gov/vuln/detail/CVE-2021-42912

*The vendor was contacted on 10/2021 via e-mail, but so far there has been no response.

Windsor Moreira

Pentester | Ethical Hacker | Cybersecurity Consultant | Security Researcher | CTF Player