DASAN GPON ONU H660WM Improper Access Control Vulnerability via UPnP

A vulnerability exists in the DASAN GPON ONU H660WM model running the H660WMR210825 operating system, due to improper access control in the default configuration. This flaw allows attackers to access sensitive information and alter device settings through the UPnP protocol on the WAN side, without any authentication. The vulnerability is particularly concerning as it can be exploited on devices with default settings, without requiring special conditions or privileges.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive information and unauthorized modifications of the device's configuration. Additionally, the vulnerability could be exploited to calculate default administrator passwords, using information obtained through the UPnP access, according to the vulnerability's author.

Reproduction

The vulnerability can be reproduced by sending a request to the UPnP control point of the device, specifically targeting the 'WANCommonInterfaceConfig' service. This can be done using a SOAP action request to the control URL of the service, after retrieving the service description via UPnP discovery. The response can be parsed to extract sensitive information or to identify actions that can be performed, such as modifying the device configuration.