Actively Exploited in the Wild
This vulnerability is being actively exploited in the wild.
OptiLink ONT1GEW GPON OS Command Injection Vulnerability Allowing Remote Code Execution
Vulnerability
A command injection vulnerability has been identified in the OptiLink ONT1GEW GPON router, specifically in the web management interface of the firmware version V2.1.11_X101 Build 1127.190306 and earlier. The vulnerability arises because the router fails to properly sanitize user input in the target_addr parameter of the formTracert and formPing administrative endpoints. This flaw allows an authenticated attacker to inject arbitrary operating system commands, which are executed with root privileges, resulting in remote code execution and full compromise of the device.
Impact
Exploitation of this vulnerability leads to unauthorized remote code execution on the affected device, with root privileges.
Reproduction
The vulnerability can be reproduced by authenticating to the router's web management interface using the default backdoor credentials of 'e8c' for both the username and password. After successful authentication, the WAN name can be retrieved from the 'diag_ping.asp' page. Once the WAN name is obtained, the vulnerability can be exploited by sending a POST request to the 'formTracert' endpoint with a crafted payload that includes the injected command. The payload can be designed to establish a reverse shell connection to the attacker's machine.
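As an added defensive example, not code from the advisory or from OptiLink: a log check that flags POST requests to the formPing and formTracert endpoints whose target_addr value is not a plain IPv4 address or hostname, which is the same allow-list a fixed firmware should enforce before the value reaches a shell. The request-log format and the sample lines are constructed for this example.

```python
import re
from urllib.parse import parse_qs

# Endpoints and parameter named in the advisory.
VULNERABLE_FORMS = ("formPing", "formTracert")
PARAM = "target_addr"

# Allow-list for a legitimate ping/traceroute target: a dotted-quad IPv4 address or an
# RFC 1123 hostname. Shell metacharacters (';', '|', '`', '$', quotes, spaces) never match.
IPV4_RE = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?:{LABEL}\.)*{LABEL}\.?$")

def is_valid_target(value: str) -> bool:
    """True only for an IPv4 address or hostname; the check a fixed firmware should apply."""
    return len(value) <= 253 and bool(IPV4_RE.match(value) or HOSTNAME_RE.match(value))

def flag_request(path: str, body: str):
    """Return the offending target_addr value for a POST to formPing/formTracert, else None."""
    if not path.rstrip("/").endswith(VULNERABLE_FORMS):  # str.endswith accepts a tuple
        return None
    for value in parse_qs(body, keep_blank_values=True).get(PARAM, []):
        if not is_valid_target(value):
            return value
    return None

def scan_log(lines):
    """Parse constructed log lines 'TS SRC METHOD PATH BODY' and return (src, path, value) hits."""
    hits = []
    for line in lines:
        parts = line.split(maxsplit=4)
        if len(parts) < 5 or parts[2] != "POST":
            continue
        _ts, src, _method, path, body = parts
        value = flag_request(path, body)
        if value is not None:
            hits.append((src, path, value))
    return hits

# Constructed sample log (assumed format; not real traffic). Bodies are URL-encoded form data.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z 203.0.113.5 POST /formPing target_addr=8.8.8.8",
    "2024-05-01T10:00:02Z 203.0.113.5 POST /formTracert target_addr=example.com",
    "2024-05-01T10:00:03Z 198.51.100.7 POST /formTracert target_addr=8.8.8.8%3Bid",
    "2024-05-01T10:00:04Z 198.51.100.7 POST /formPing target_addr=%60uname+-a%60",
    "2024-05-01T10:00:05Z 198.51.100.7 GET /diag_ping.asp -",
]
```

Running `scan_log(SAMPLE_LOG)` returns only the two requests from 198.51.100.7, whose decoded target_addr values contain a `;` and backticks; the legitimate IPv4 and hostname targets pass.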
Remediation
Users are advised to upgrade to OptiLink ONT1GEW router firmware version Build 1653.210425 or later.