DASAN GPON home routers exploits in-the-wild

Published: 2018-05-20. Last Updated: 2018-05-20 22:43:07 UTC
by Didier Stevens (Version: 1)
5 comment(s)

Beginning of May, 2 vulnerabilities with exploits were released for DASAN GPON home routers: CVE-2018-10561 and CVE-2018-10562. The first vulnerability allows unauthenticated access to the Internet facing web interface of the router, the second vulnerability allows command injection.

Soon after the disclosure, we started to observe exploit attempts on our servers:

Exploits attempt are easy to recognize: the URL contains string /GponForm/diag_FORM?images/.

We observed scans targeting just GPON devices, and scans combining GPON and Drupal exploits.

Please post a comment if you've observed these exploit attempts too.

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

Keywords: exploit gpon router
5 comment(s)

Comments

In our previous blog, we have covered part of this issue.

This one is so called muhstik botnet, which we exposed in our earlier blog.

GPON Exploit in the Wild (I) - Muhstik Botnet Among Others
https://blog.netlab.360.com/gpon-exploit-in-the-wild-i-muhstik-botnet-among-others-en/


In fact, we have published a series of three articles on GPON, covering muhstik, satori, mettle, hajime, mirai, omni and imgay:
https://blog.netlab.360.com/tag/gpon/
I've seen evidence of this in logs on my DigitalOcean droplets, so they're not even trying to be quiet about it.
I have never deployed the mentioned routers, however I did run across an article pointing to issues like this on the ones you mentioned. Below is a snippet of text from the article mentioned. I would check it out if I were you as it looks like there was a patch sent out to fix this issue.

URL: https://thehackernews.com/2018/05/protect-router-hacking.html

"Since hackers have started exploiting two recently disclosed unpatched critical vulnerabilities found in GPON home routers, security researchers have now released an unofficial patch to help millions of affected users left vulnerable by their device manufacturer.
Last week, researchers at vpnMentor disclosed details of—an authentication bypass (CVE-2018-10561) and a root-remote code execution vulnerability (CVE-2018-10562)—in many models of Gigabit-capable Passive Optical Network (GPON) routers manufacturer by South Korea-based DASAN Zhone Solutions.
If exploited, the first vulnerability lets an attacker easily bypass the login authentication page just by appending ?images/ to the URL in the browser's address bar "
The IP 165.227.78.159, in the original figure, is the Report server of Muhstik botnet.

A Muhstik's report server will be contacted by Muhstik botnet's payloads once successfully exploited.
https://blog.netlab.360.com/botnet-muhstik-is-actively-exploiting-drupal-cve-2018-7600-in-a-worm-style-en/


This 165.227.78.159 is an institute of 51.254.219.134. The old one is take own by a joint action with security community.
https://blog.netlab.360.com/gpon-exploit-in-the-wild-i-muhstik-botnet-among-others-en/



It seems like my last reply is treated as anonymous.
[quote=comment#41397]In our previous blog, we have covered part of this issue.

This one is so called muhstik botnet, which we exposed in our earlier blog.

GPON Exploit in the Wild (I) - Muhstik Botnet Among Others
https://blog.netlab.360.com/gpon-exploit-in-the-wild-i-muhstik-botnet-among-others-en/


In fact, we have published a series of three articles on GPON, covering muhstik, satori, mettle, hajime, mirai, omni and imgay:
https://blog.netlab.360.com/tag/gpon/[/quote]
[quote=comment#41411]It seems like my last reply is treated as anonymous.
[/quote]

That's because you did not choose a nick.

Diary Archives