High December 19, 2013

Arbitrary Command Execution in Alcatel-Lucent I-240W-Q

The Alcatel-Lucent I-240W-Q ONT's Diagnostics page does not filter shell metacharacters in the IP address field, allowing any authenticated administrator to execute arbitrary commands as root and fully compromise the device.

CVSS Score: 8.0 / 10.0

Severity: High

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Advisory

Device: Alcatel-Lucent I-240W-Q
Hardware: 0068-5C-01
Software: 3FE53862BOCA53
Impact: Authenticated arbitrary command execution as root

Description

The administrative web interface exposes Maintenance → Diagnostics, which runs ping and traceroute against an IP address supplied by the administrator. The IP Address field is not filtered for shell metacharacters, so appending a ; followed by another command executes that command on the device.

The injected commands run with root privileges, granting full control of the device to any administrator — which, for devices deployed with the default web-admin credentials, is effectively anyone who can reach the interface.

Exploit / Proof of Concept

IP Address field:  127.0.0.1; id; cat /etc/passwd

Remediation

No vendor fix. Restrict admin access to trusted hosts and change default credentials.
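
A firmware-side fix for this class of bug, shown as an added example (not the vendor's code, which the advisory does not include): accept the IP Address field only if it parses as a single IP literal, and hand it to ping as one argv element instead of building a shell command string. The helper names, the `-c 4` count and the `/bin/ping` path are assumptions.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: returns 1 only if `field` is exactly one IPv4 or
 * IPv6 literal. inet_pton() rejects any extra bytes, so input carrying
 * shell metacharacters such as ';' never passes. */
int is_ip_literal(const char *field)
{
    unsigned char buf[sizeof(struct in6_addr)];

    if (field == NULL || field[0] == '\0' ||
        strlen(field) >= (size_t)INET6_ADDRSTRLEN)
        return 0;
    return inet_pton(AF_INET, field, buf) == 1 ||
           inet_pton(AF_INET6, field, buf) == 1;
}

/* Hypothetical helper: fills argv for execv("/bin/ping", (char **)argv)
 * (path assumed). No shell parses the value, so even if validation were
 * bypassed the field would stay a single argument to ping.
 * Returns 0 on success, -1 if the field is rejected. */
int build_ping_argv(const char *field, const char *argv[5])
{
    if (!is_ip_literal(field))
        return -1;
    argv[0] = "ping";
    argv[1] = "-c";
    argv[2] = "4";
    argv[3] = field;
    argv[4] = NULL;
    return 0;
}

int main(void)
{
    /* First value is benign; second is the PoC string from this advisory. */
    const char *samples[] = { "127.0.0.1", "127.0.0.1; id; cat /etc/passwd" };
    const char *argv[5];

    for (size_t i = 0; i < 2; i++)
        printf("%-32s -> %s\n", samples[i],
               build_ping_argv(samples[i], argv) == 0 ? "accepted" : "rejected");
    return 0;
}
```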
