CVE-2018-10562 in GPON Home Router
Summary
by MITRE
An issue was discovered on Dasan GPON home routers. Command Injection can occur via the dest_host parameter in a diag_action=ping request to a GponForm/diag_Form URI. Because the router saves ping results in /tmp and transmits them to the user when the user revisits /diag.html, it's quite simple to execute commands and retrieve their output.
Analysis
by VulDB Data Team • 02/05/2025
This vulnerability exists in Dasan GPON home routers, where a command injection flaw allows remote attackers to execute arbitrary commands on the affected device. It manifests through the dest_host parameter of diag_action=ping requests sent to the GponForm/diag_Form URI. The flaw stems from insufficient validation and sanitization of this user-supplied parameter: maliciously crafted input reaches the underlying operating system and is interpreted as executable commands. This is a classic command injection vulnerability, categorized under CWE-77 (improper neutralization of special elements used in a command).
The attack vector is particularly concerning because it leverages the router's legitimate diagnostic functionality to execute malicious payloads. When users initiate a ping operation through the web interface, the router processes the dest_host parameter without adequate sanitization, allowing attackers to inject command sequences that get executed in the context of the router's privileged processes. The vulnerability is exacerbated by the router's design pattern where ping results are stored in the /tmp directory and subsequently served back to users when they access the /diag.html page, creating a direct execution and output retrieval mechanism.
The operational impact of this vulnerability is severe as it provides attackers with full command execution capabilities on the affected router. This means adversaries can gain complete control over the device, potentially leading to unauthorized network access, data exfiltration, or the ability to use the compromised router as a pivot point for further attacks within the local network. The vulnerability affects the router's core security model by bypassing authentication mechanisms and providing direct access to the underlying operating system shell. This represents a critical weakness in the device's security architecture that could enable persistent access and compromise of the entire network infrastructure.
Mitigation should focus on proper validation and sanitization of all user-supplied parameters, particularly those that end up in system command execution contexts. The router firmware should be updated to reject or escape characters that a shell would interpret as command delimiters or operators; better still, the diagnostic should invoke ping without a shell at all. Network segmentation and firewall rules should restrict access to the administrative interface, and monitoring should be in place to detect anomalous ping request patterns. Applying the principle of least privilege, so that the diagnostic runs with the minimum required privileges, further limits the impact of successful exploitation. This vulnerability maps to ATT&CK technique T1059 (Command and Scripting Interpreter), here reached through the web interface. It also illustrates the input validation practices described in the OWASP Top Ten and the need for secure coding practices that prevent injection vulnerabilities in network devices.
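The mitigation described above, as an added example that is not the vendor's firmware or VulDB's code: an allowlist check for the dest_host value and a ping wrapper that hands the host to execlp as a single argv element instead of building a shell command line. The function names, the fixed output path, the four-packet count and the hostname rules are assumptions for this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_HOST_LEN 253   /* RFC 1035 upper bound for a hostname */

/* Allowlist check for the dest_host value (constructed example, not the
 * vendor's code). Accepts only hostname/IPv4 characters, rejects a leading
 * '-' so the value cannot be read as a ping option, and rejects empty,
 * overlong or malformed input. Shell metacharacters never pass. */
bool valid_dest_host(const char *host) {
    size_t len = host ? strlen(host) : 0;
    if (len == 0 || len > MAX_HOST_LEN || host[0] == '-' || host[0] == '.')
        return false;
    char prev = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '.' || c == '-'))
            return false;            /* ; | & ` $ ( ) space, etc. */
        if (c == '.' && (prev == '.' || prev == '-'))
            return false;            /* empty or malformed label */
        prev = (char)c;
    }
    return prev != '.' && prev != '-';   /* no trailing separator */
}

/* Hardened replacement for a shell-built ping command: the host is one argv
 * element passed to execlp, so no shell ever parses it, and the output file
 * is a fixed server-chosen path (assumed), not taken from the request.
 * Returns ping's exit status, or -1 if the host is rejected or exec fails. */
int run_ping(const char *host, const char *outfile) {
    if (!valid_dest_host(host))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                  /* child: redirect stdout, then exec */
        if (!freopen(outfile, "w", stdout))
            _exit(127);
        execlp("ping", "ping", "-c", "4", host, (char *)NULL);
        _exit(127);                  /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```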