Arcadyan Livebox Fibra GPON Link Manipulation Vulnerability
Vulnerability
A vulnerability exists in the Arcadyan Livebox Fibra PRV3399B_B_LT router that allows remote or local attackers to modify the GPON link value without authentication via the /firstconnection.cgi endpoint. This manipulation disrupts internet service, causing a denial-of-service condition. The vulnerability can be exploited by accessing the /cgi/cgi_authpage.js endpoint to extract the GPON password, which is then used to craft a request that alters the GPON link, disconnecting the router from the internet.
Impact
Exploitation of this vulnerability leads to unauthorized GPON password extraction and disruption of the router's internet connection, causing a denial-of-service condition.
Reproduction
To reproduce this vulnerability, first access the /cgi/cgi_authpage.js endpoint to retrieve the GPON password, which is provided in the slid_value parameter in hexadecimal format. Once the GPON password is obtained, it can be modified by sending a POST request to the /firstconnection.cgi endpoint with the desired GPON value, encoded in hexadecimal and then in base64. The Content-Type header must be set to text/plain;charset=UTF-8.
Remediation
It is recommended to implement authentication checks for the /cgi/cgi_authpage.js and /firstconnection.cgi endpoints, restricting access to authorized users or those within the local network.
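Until such checks are in place, the request pattern described under Reproduction can be watched for in HTTP logs. The following is an added detection example, not code from the vendor or the original advisory; the log line format, the sample entries and the 10-minute correlation window are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample lines from a hypothetical HTTP sensor in front of the router.
# Assumed format: timestamp client method path content-type status
SAMPLE_LOG = """\
2024-01-01T10:00:00 192.0.2.10 GET /cgi/cgi_authpage.js - 200
2024-01-01T10:00:05 192.0.2.10 POST /firstconnection.cgi text/plain;charset=UTF-8 200
2024-01-01T10:01:00 192.0.2.20 GET /index.html - 200
2024-01-01T10:02:00 192.0.2.30 POST /firstconnection.cgi text/plain;charset=UTF-8 200
2024-01-01T11:00:00 192.0.2.40 GET /cgi/cgi_authpage.js - 200
"""

READ_PATH = "/cgi/cgi_authpage.js"   # endpoint that exposes slid_value
WRITE_PATH = "/firstconnection.cgi"  # endpoint that changes the GPON value
WINDOW = timedelta(minutes=10)       # assumed correlation window


def parse(line):
    """Split one log line into typed fields; the query string is dropped."""
    ts, client, method, path, ctype, status = line.split()
    return (datetime.fromisoformat(ts), client, method,
            path.split("?")[0], ctype.lower(), int(status))


def detect(log_text):
    """Return (severity, client, timestamp) alerts for the advisory's pattern."""
    last_read = {}  # client -> time of its last successful read of READ_PATH
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, method, path, ctype, status = parse(line)
        if method == "GET" and path == READ_PATH and status == 200:
            last_read[client] = ts
        elif (method == "POST" and path == WRITE_PATH
              and ctype.startswith("text/plain")):
            seen = last_read.get(client)
            # A read followed by a write from one client is the full sequence.
            if seen is not None and ts - seen <= WINDOW:
                alerts.append(("high", client, ts.isoformat()))
            else:
                alerts.append(("medium", client, ts.isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

A lone read of /cgi/cgi_authpage.js raises no alert here because the router's own login page may request it; only a text/plain POST to /firstconnection.cgi is flagged, with higher severity when the same client read the password first.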
