
CVE-2024-57725 PoC — Arcadyan Livebox Fibra PRV3399B_B_LT security vulnerability

Source
Associated Vulnerability
Title: Arcadyan Livebox Fibra PRV3399B_B_LT security vulnerability (CVE-2024-57725)
Description: Arcadyan Livebox Fibra PRV3399B_B_LT is a high-performance router for fibre broadband subscribers made by the Chinese company Arcadyan (智易科技). Arcadyan Livebox Fibra PRV3399B_B_LT has a security vulnerability that stems from allowing a remote or local attacker to modify the GPON link value without authentication, which leads to disruption of internet service.
Description
This repository documents an unauthenticated GPON manipulation vulnerability discovered in certain Arcadyan routers.
Readme
# CVE-2024-57725: GPON Link Manipulation Vulnerability in certain Arcadyan Routers (Distributed by Orange and Jazztel)

This repository documents an unauthenticated vulnerability discovered in Livebox Fibra Arcadyan routers distributed by Orange and Jazztel in Spain (PRV3399B_B_LT). The issue lies in the ability to extract and modify the GPON link value via the `/cgi/cgi_authpage.js` and `/firstconnection.htm` endpoints without authentication.

## Vulnerability Details

### Affected Endpoints
1. **`/cgi/cgi_authpage.js`**
   - Reveals the `slid_value` parameter, which contains the GPON link value in hexadecimal format. This can be accessed **without authentication**, leading to an information disclosure.

2. **`/firstconnection.htm`**
   - Allows **unauthenticated modification of the GPON link value**. Attackers can:
     - Send a crafted POST request to change the GPON link, causing a denial of service (DoS) by disrupting the router's internet connectivity.

### Impact
- **Information Disclosure**: Extraction of the GPON password without authentication.
- **Denial of Service**: Unauthorized changes to the GPON value can disconnect the router from the internet.
- **Exploitation Vector**: Attackers must have local network access or exploit conditions where the router's authentication panel is exposed to the internet or accessible via a VPN tunnel.

## Exploitation Steps

### Extracting the GPON Password
1. Access the endpoint:
   ```
   https://<router-ip>/cgi/cgi_authpage.js
   ```
2. Locate the `slid_value` parameter in the JSON response to obtain the GPON password in hexadecimal format.

### Modifying the GPON Password
1. Send a POST request to `/firstconnection.htm` with the following payload:
   ```
   GO=firstconnection.htm&pws=<BASE64_HEX_GPON_PWD>&GO=firstconnection.htm
   ```
   Replace `<BASE64_HEX_GPON_PWD>` with the desired GPON value, encoded in hexadecimal and then in base64.
2. Set the `Content-Type` header to `text/plain;charset=UTF-8`.

### Example PoC Script
Refer to the [change ONT value PoC Script](change_ont_value.py) or [check ONT value PoC Script](check_ont_value.py) for automating these steps.

## Recommended Fixes
- Implement authentication checks for the `/cgi/cgi_authpage.js` and `/firstconnection.htm` endpoints.
- Limit access to these endpoints to authorized users only, or at least restrict them to LAN clients to reduce the risk.
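As an added example that is not part of this repository, the following Python snippet shows how a defender could flag the two request patterns described above in the router's (or a fronting reverse proxy's) access log. It assumes a standard combined log format and a LAN range of 192.168.1.0/24; both are assumptions, and the sample lines are constructed.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

# Endpoints from the advisory: the first leaks slid_value without auth,
# the second accepts an unauthenticated POST that changes the GPON value.
LEAK_ENDPOINT = "/cgi/cgi_authpage.js"
CHANGE_ENDPOINT = "/firstconnection.htm"

# Assumption: the router's LAN is 192.168.1.0/24; any other source is "remote".
LAN_NET = ipaddress.ip_network("192.168.1.0/24")

# Combined access log format (assumption); captures client IP, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def classify(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for a line that touches either endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]  # drop any query string
    method = m.group("method")
    if method == "GET" and path == LEAK_ENDPOINT:
        kind = "gpon_value_disclosure"
    elif method == "POST" and path == CHANGE_ENDPOINT:
        kind = "gpon_value_change"
    else:
        return None
    # A non-LAN source means the panel is reachable from outside (the high-risk case).
    remote = ipaddress.ip_address(m.group("ip")) not in LAN_NET
    return {"kind": kind, "ip": m.group("ip"), "severity": "high" if remote else "medium"}


def scan(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Run classify() over every line and keep only the findings."""
    return [f for f in (classify(line) for line in lines) if f]


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '192.168.1.20 - - [10/Jan/2025:10:00:01 +0100] "GET /cgi/cgi_authpage.js HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2025:10:00:02 +0100] "GET /cgi/cgi_authpage.js HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.7 - - [10/Jan/2025:10:00:05 +0100] "POST /firstconnection.htm HTTP/1.1" 200 128 "-" "python-requests/2.31"',
    '192.168.1.20 - - [10/Jan/2025:10:01:00 +0100] "GET /index.htm HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```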

## Disclaimer
This repository is intended for educational and research purposes only. Do not use this information to exploit devices without authorization. Always act responsibly and ethically.

---

For more information or to report additional findings, please contact the repository owner or send email to pointedpentesting@gmail.com
File Snapshot

[4.0K] /data/pocs/50a5cc887b9dd2c5f5334a57bbdda14698b7b605
├── [2.1K] change_ont_value.py
├── [2.4K] check_ont_value.py
└── [2.7K] README.md

0 directories, 3 files