
CVE-2024-30973 PoC — V-SOL G/EPON ONU HG323AC-B security vulnerability

Associated Vulnerability
Title: V-SOL G/EPON ONU HG323AC-B security vulnerability (CVE-2024-30973)
Description: V-SOL G/EPON ONU HG323AC-B is a dual-band EasyMesh router from the Chinese company V-SOL (芯德科技). V-SOL G/EPON ONU HG323AC-B version V2.0.08-210715 contains a security vulnerability. An attacker can exploit it to execute arbitrary code and obtain sensitive information by sending crafted POST requests to /boaform/getASPdata/formFirewall and /boaform/getASPdata/formAcc.
Description
POC VIDEO - https://youtu.be/hNzmkJj-ImM?si=NF0yoSL578rNy7wN
Readme
# CVE-2024-30973 - V-SOL (G/EPON ONU - HG323AC-B)

# Device Description:
```
Item: G/EPON ONU
Specification: HG323AC-B
Device model      XPON+2GE+1POTS+2WIFI+USB
Device SN   70B64F-1234570B64F0C2C0C
Hardware Version  V1.0
Firmware Version  V2.0.08-210715
PON S/N     GPON000C2C0C
```

## Vulnerability Type:
Incorrect Access Control

## Vulnerability Description:
Exploiting the vulnerability requires authenticating as a low-privileged user; that user can then execute administrator functions (disable the firewall, enable SSH or Telnet, etc.).
After obtaining credentials, retrieve the token mask of the current user by accessing the endpoint `http://IP/boaform/getASPdata/FMask`.

With the valid token, a POST request can be assembled that disables the firewall using the token of a user who does not have this permission. The endpoint for disabling the firewall is `/boaform/getASPdata/formFirewall`, with the parameters `FirewallLevel=0&DosEnable=0&csrfMask=USER ID`.
The application responds with SUCCESS.

With the firewall disabled, SSH can be enabled through another POST request to the endpoint `/boaform/getASPdata/formAcc`, with the parameter `l_ssh SSH` set to 1.
In this way the firewall is disabled, SSH is enabled, and the low-privileged user can log in over SSH.
The application does not check the user's privilege level correctly before executing these functions.
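The defect described above is an authorization decision that accepts a valid csrfMask token from a low-privileged session as sufficient for administrator-only handlers. The following Python is an added example, not part of this PoC and not V-SOL's firmware code: it shows a role-gated check for the two endpoints named on this page, and a small detector that scans management-interface log lines for successful POSTs to those endpoints by non-admin sessions. The log line format, the `USER_ROLES` table, the `authorize`/`detect` function names and the sample entries are all assumptions constructed for the example; only the endpoint paths and the parameter values come from the page.

```python
import re

# Admin-only management endpoints named on the page. The policy structure around
# them is a hypothetical illustration, not the device's own code.
ADMIN_ONLY_PATHS = frozenset({
    "/boaform/getASPdata/formFirewall",
    "/boaform/getASPdata/formAcc",
})

# Parameter values the page identifies as weakening the device's exposure.
WEAKENING_PARAMS = {"FirewallLevel": "0", "DosEnable": "0", "l_ssh": "1"}

# Constructed user-to-role table for the example.
USER_ROLES = {"admin": "admin", "user": "user"}


def authorize(role: str, path: str) -> bool:
    """Hardened decision: gate admin-only paths on the session's role.

    A CSRF token only proves the request came from the user's own session;
    it says nothing about privilege, so the role check must be a separate,
    server-side decision made before the handler runs.
    """
    if path in ADMIN_ONLY_PATHS:
        return role == "admin"
    return True


# Constructed log format: <client_ip> <user> "<METHOD> <path>" <status> [<form body>]
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r'(?P<status>\d{3})(?: (?P<body>\S*))?$'
)


def parse_form(body: str) -> dict:
    """Split a urlencoded form body into a dict (sufficient for these fields)."""
    if not body:
        return {}
    return dict(kv.split("=", 1) for kv in body.split("&") if "=" in kv)


def detect(lines):
    """Return one finding per successful POST to an admin-only path by a non-admin."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # unparseable line: skip it rather than abort the scan
        if m["method"] != "POST" or m["status"] != "200":
            continue  # only completed state changes are of interest here
        role = USER_ROLES.get(m["user"], "unknown")
        if authorize(role, m["path"]):
            continue  # an admin on an admin path, or a path anyone may use
        params = parse_form(m["body"] or "")
        weakening = sorted(k for k, v in params.items() if WEAKENING_PARAMS.get(k) == v)
        findings.append({
            "ip": m["ip"],
            "user": m["user"],
            "path": m["path"],
            "weakening": weakening,  # which exposure-reducing settings were flipped
        })
    return findings


# Constructed sample log for the example; addresses and tokens are illustrative only.
SAMPLE_LOG = [
    '192.0.2.10 admin "GET /boaform/getASPdata/FMask" 200',
    '192.0.2.10 admin "POST /boaform/getASPdata/formFirewall" 200 FirewallLevel=2&DosEnable=1&csrfMask=1111',
    '192.0.2.25 user "GET /boaform/getASPdata/FMask" 200',
    '192.0.2.25 user "POST /boaform/getASPdata/formFirewall" 200 FirewallLevel=0&DosEnable=0&csrfMask=2222',
    '192.0.2.25 user "POST /boaform/getASPdata/formAcc" 200 l_ssh=1&csrfMask=2222',
    '192.0.2.25 user "POST /boaform/getASPdata/formFirewall" 403 FirewallLevel=0&csrfMask=2222',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['ip']} {f['user']} -> {f['path']} weakening={f['weakening']}")
```

On the sample log the detector reports the two successful non-admin POSTs (the firewall change flipping `FirewallLevel` and `DosEnable`, and the `l_ssh` change) and ignores the admin's own firewall change and the rejected 403 request. The same `authorize` function is what a patched handler would call before touching device state, so the detection rule and the fix share one definition of who may reach these endpoints.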


## Vulnerability Impact:
The vulnerability allows a non-privileged user to disable all of the firewall rules, open any available service (SSH, Telnet, FTP) and connect to it, leading to RCE through SSH. Only do it against infrastructure for which you have received permission to test.

### POC VIDEO - https://youtu.be/hNzmkJj-ImM?si=HXTD3X0lMlA88AzH

### See Also:
- [V-SOL G/EPON HG323AC-B](https://www.vsolcn.com/product/2ge-1pots-wifi5-1usb-mesh-onu-hg323acb)
File Snapshot

[4.0K] /data/pocs/a1176a12d6d99cdee92d99c1fd5b23dfbc4b7c2b
└── [1.8K] README.md

0 directories, 1 file