CVE-2019-3921
published 2019-03-05


Priority: P269 high · CVSS 3.1: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 17.89% (96.8th percentile)
The Alcatel Lucent I-240W-Q GPON ONT using firmware version 3FE54567BOZJ19 is vulnerable to a stack buffer overflow via crafted HTTP POST request sent by a remote, authenticated attacker to /GponForm/usb_Form?script/. An attacker can leverage this vulnerability to potentially execute arbitrary code.

Affected

2 ranges
Vendor | Product | Version range | Fixed in
nokia | i-240w-q_gpon_ont_firmware | |
tenable | alcatel_lucent_i-240w-q_gpon_ont | |

Detection & IOCs (extracted from sources)

url: /GponForm/usb_Form?script/
url: /GponForm/device_Form?script/
port: 69/UDP
version: 3FE54567BOZJ19
process: /bin/tftpd
bytes: \x02\xa0\x49\x40\x52\x40\x82\x72\x0b\x27\x01\xdf\x2f\x62\x69\x6e\x2f\x74\x66\x74\x70\x64\x58
bytes: \xc0\x46
bytes: \xe1\x8c\x03
  • The exploit requires a two-step HTTP POST sequence: first to /GponForm/device_Form?script/ (stack adjustment with XWebPageName=device&admin_action=usb_enable&usbenable=1), then to /GponForm/usb_Form?script/ (actual overflow). Correlate both requests from the same source IP.
  • After successful exploitation, monitor for tftpd spawning on UDP port 69 of the target device, as the shellcode launches /bin/tftpd.
  • The exploit payload in `clientusername` contains the ARM Thumb NOP sled (\xc0\x46 repeated 197 times) followed by the shellcode bytes. Signature-match the byte sequence \x02\xa0\x49\x40\x52\x40\x82\x72\x0b\x27\x01\xdf in the HTTP POST body.
  • The exploit may be chained with CVE-2018-10561 (authentication bypass) to achieve unauthenticated RCE. Correlate CVE-2018-10561 bypass attempts followed by POST to /GponForm/usb_Form?script/.
  • The exploit must be executed after a device reboot to be effective; the attacker can trigger a reboot via a DoS-based BoF crash, via CVE-2018-10561 reboot action, or by sending the exploit payload twice.
  • Affected firmware is specifically version 3FE54567BOZJ19 on the Alcatel Lucent I-240W-Q GPON ONT; detections should be scoped to this device/firmware combination.

CVSS provenance

nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P