Hello friends! In this blog, I’m going to talk about a `CVE` I discovered on a widely used router. The device is made by GCOM Technologies, and before diving into the details, here’s a quick overview of the company.
> GCOM Technologies Co., Ltd. is a Shenzhen-based telecommunications equipment manufacturer that specializes in broadband access and data communication solutions. The company designs and produces EPON and GPON optical network units (ONUs) and terminals (OLTs), Ethernet switches, and related network devices used by internet service providers for fiber-to-the-home (FTTH) connectivity.
The vulnerability I discovered affects EPON optical network units (ONUs). Let’s dive right into the details.
Open your browser and go to `http://192.168.1.1`, and you’re greeted with the following login page:

Let's now use the default credentials to log in, which are `admin/admin`.

After logging in, we are presented with the following page:

From the device status, we can get the device name, firmware version, and other information. The first thing I did was head over to the admin section and click on the "Backup/Restore" section.

Before clicking the **Backup** button, let's intercept the request with Burp.

You can see we’re making a request to `/boaform/formSaveConfig`. Let’s send the request and see what happens.

As you can see from the screenshot above, we get the entire device configuration in `XML` format. The admin credentials are displayed in plaintext, which will come in handy later on 🙂.

We also have another `user` credential with lower privileges. Let's now use that credential to log in and see what we can and can't do.

We use `user/user` to log in.

Now we’re presented with a page similar to before, but some of the site’s content is not available for the `user` account.
Let's go ahead and check the **Admin** content section to see which features are available for the `user` account.

As expected, we don’t have a way to back up the device configuration. But to be sure, let’s go back to Burp and send the request.

As expected, we get a `403 Forbidden`. Let’s understand why. I had been looking for the device firmware online for a while with no luck, so I had to dump it from the device myself using a `CH341A` programmer.

After connecting the `CH341A` programmer to the SPI flash memory chip, let's dump its content.

Using the `flashrom` command, we’ve read the contents of the flash memory chip onto our machine. I’m not going to bore you with the details of how I read the dumped content; let’s get right to the juicy part.
The device uses a lightweight, open-source HTTP server called `Boa`. Let’s read the configuration and see what we get.

In lines **168** and **169** we can see the following:
```conf
ScriptAlias /boaform/ /web
ScriptAlias /boaform/admin /web/admin
```
A `ScriptAlias` directive maps a URL path prefix to a directory on the device: here `/boaform/` is mapped to `/web`, and `/boaform/admin` is mapped to the `/web/admin` directory. Let's check the directory.

In the root `httpd` directory, there is the `boa.conf` file and the `web` directory. Let’s check the contents of the `web` directory.

As you can see, there are many pages that a `user` account can access. Based on the `boa.conf`, we can also see a separate directory called `admin`, which is used by accounts with **admin** privileges. Let’s check what content it contains.

In the `admin` directory, there are symbolic links that refer to files located in `/web`.

In this example, the `saveconf.asp` file is linked to `../web/saveconf.asp`, which is interesting because my immediate thought was: if the file refers to a directory that a `user` can access, does that mean all the `admin` functionality also works for the `user` account? Let’s confirm using Burp.
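To turn that observation into a repeatable check, here is a small audit script, added for this post and not the author's tooling: it parses the two `ScriptAlias` lines quoted from `boa.conf`, maps each exposed URL to the file Boa would serve (longest prefix wins, symlinks followed), and reports any file reachable under more than one URL prefix. The filesystem it walks is constructed in a temporary directory to mirror the layout seen on the device: real pages in `web/`, symlinks back to them in `web/admin/`. The symlink target is written as `../saveconf.asp` so the constructed tree resolves, and the only page names used are the ones mentioned in the post.

```python
import os
import re
import tempfile
from pathlib import Path

# The two ScriptAlias directives quoted from the device's boa.conf.
BOA_CONF = """
ScriptAlias /boaform/ /web
ScriptAlias /boaform/admin /web/admin
"""

SCRIPT_ALIAS_RE = re.compile(r"^\s*ScriptAlias\s+(\S+)\s+(\S+)\s*$")


def parse_script_aliases(conf_text):
    """Return (url_prefix, directory) pairs for every ScriptAlias line."""
    aliases = []
    for line in conf_text.splitlines():
        m = SCRIPT_ALIAS_RE.match(line)
        if m:
            aliases.append((m.group(1), m.group(2)))
    return aliases


def build_sample_tree(root):
    """Constructed stand-in for the device filesystem: real pages live in
    web/, and web/admin/ holds symlinks that point back at them."""
    admin = root / "web" / "admin"
    admin.mkdir(parents=True)
    (root / "web" / "saveconf.asp").write_text("<!-- backup page -->\n")
    (root / "web" / "status.asp").write_text("<!-- status page -->\n")
    # Relative link, as on the device, simplified so the constructed tree resolves.
    os.symlink("../saveconf.asp", admin / "saveconf.asp")


def resolve_url(aliases, root, url_path):
    """Map a URL to the file Boa would serve: pick the longest matching
    ScriptAlias prefix, append the remainder, then follow symlinks."""
    best = None
    for prefix, directory in aliases:
        if url_path.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, directory)
    if best is None:
        return None
    prefix, directory = best
    remainder = url_path[len(prefix):].lstrip("/")
    return (root / directory.lstrip("/") / remainder).resolve()


def find_shared_targets(aliases, root):
    """Enumerate every URL each alias exposes, grouped by the real file behind
    it. A file reachable under two prefixes cannot be protected by an access
    check that only looks at the URL prefix."""
    by_target = {}
    for prefix, directory in aliases:
        for entry in (root / directory.lstrip("/")).iterdir():
            if entry.is_dir() and not entry.is_symlink():
                continue  # subdirectories are covered by their own alias, if any
            url = prefix.rstrip("/") + "/" + entry.name
            target = resolve_url(aliases, root, url).relative_to(root).as_posix()
            by_target.setdefault(target, set()).add(url)
    return {t: sorted(urls) for t, urls in by_target.items() if len(urls) > 1}


def run_audit():
    """Build the constructed tree in a temp dir and audit the quoted aliases."""
    aliases = parse_script_aliases(BOA_CONF)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        build_sample_tree(root)
        return find_shared_targets(aliases, root)


if __name__ == "__main__":
    for target, urls in run_audit().items():
        print(f"{target} is served under {len(urls)} URLs: {', '.join(urls)}")
```

Run against a real extracted firmware root, the same two functions (with `BOA_CONF` read from the extracted `boa.conf`) list every page that an `admin`-only URL prefix shares with the unprivileged one, which is exactly the condition that makes a prefix-based permission check meaningless.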
After logging in as `user`, we saw that sending a request to `/boaform/formSaveConfig` returned a `403`. Let’s now modify the path to `/boaform/admin/formSaveConfig` and send the request again.

Boom! We can dump the device's configuration as `user`. This is significant because the device does not encrypt its configuration, so we can retrieve the `admin` credentials and log in as admin. What's more, because there is no proper access control, we can use the `admin` functionality directly as a normal low-privilege user.
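The post does not show the handler's own permission check, so the model below is an assumption about the bug class rather than the device's code: an access list keyed on the literal URL, where an aliased URL that is absent from the table falls through as permitted. It is an added example, not the author's or GCOM's code, with a constructed handler table (`formSaveConfig`, `formStatus`) and two roles. The hardened variant resolves the request to its handler first and enforces the role that handler requires, denying anything unregistered, so it no longer matters how many URL prefixes or symlinked directories reach the same handler.

```python
ADMIN, USER = "admin", "user"

# Canonical handler table: the CGI form a URL ultimately runs and the role it
# needs. Constructed for this example; the device's real table is not public.
HANDLERS = {
    "formSaveConfig": ADMIN,  # configuration backup, admin only
    "formStatus": USER,       # device status, any logged-in account
}

# Both URL prefixes from the quoted boa.conf reach the same handlers.
# Longest prefix first so /boaform/admin/ wins over /boaform/.
ALIASES = ["/boaform/admin/", "/boaform/"]


def handler_for(path):
    """Strip the longest matching alias prefix to recover the handler name."""
    for prefix in ALIASES:
        if path.startswith(prefix):
            return path[len(prefix):]
    return None


# Vulnerable pattern: the access list is keyed on the literal URL. The aliased
# URL is not in the table, so the lookup yields None and the request is served.
URL_ACL = {
    "/boaform/formSaveConfig": ADMIN,
    "/boaform/formStatus": USER,
}


def authorize_vulnerable(role, path):
    """Return the HTTP status this check would produce."""
    required = URL_ACL.get(path)
    if required == ADMIN and role != ADMIN:
        return 403
    return 200 if handler_for(path) in HANDLERS else 404


# Hardened pattern: resolve the request to its handler first, then enforce the
# role that handler requires. Anything unregistered is denied, so adding a
# second URL prefix (or a symlinked directory) cannot create an unchecked path.
def authorize_hardened(role, path):
    """Return the HTTP status this check would produce."""
    required = HANDLERS.get(handler_for(path))
    if required is None:
        return 403  # deny by default
    if required == ADMIN and role != ADMIN:
        return 403
    return 200


def compare(role, path):
    """Side-by-side result for one request, handy when reviewing a firmware's ACL."""
    return {"vulnerable": authorize_vulnerable(role, path),
            "hardened": authorize_hardened(role, path)}


if __name__ == "__main__":
    for path in ("/boaform/formSaveConfig", "/boaform/admin/formSaveConfig"):
        print(USER, path, compare(USER, path))
```

The design point is that the privilege decision must be attached to the thing being executed, not to one spelling of the URL that reaches it; once that is in place, the `admin` alias and its symlinks become a harmless layout detail.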
In conclusion, the router exhibits critical security weaknesses related to [CWE-284 (Improper Access Control)](https://cwe.mitre.org/data/definitions/284.html) and [CWE-269 (Improper Privilege Management)](https://cwe.mitre.org/data/definitions/269.html). These vulnerabilities allow unauthorized users to bypass restrictions and escalate their privileges, potentially gaining full control over the device.
This vulnerability affects the **GCOM** `EPON 1GE`, version **C00R371V00B01**.