CVE-2018-19524
📋 TL;DR
This is a critical stack overflow vulnerability in Skyworth GPON home gateway devices that allows remote attackers to cause denial of service or achieve unauthenticated remote code execution by sending a long password to the Web_passwd function. The vulnerability affects specific Skyworth DT741, DT721-cb, and DT741-cb converged terminal devices. Attackers can control multiple registers (S0-S4, T4-T7) to potentially execute arbitrary code.
💻 Affected Systems
- Shenzhen Skyworth DT741 Converged Intelligent Terminal
- Skyworth DT721-cb
- Skyworth DT741-cb
📦 What is this software?
- Dt721 Cb Firmware by Skyworthdigital
- Dt740 Firmware by Skyworthdigital
- Dt741 Cb Firmware by Skyworthdigital
⚠️ Risk & Real-World Impact
Worst Case
Remote unauthenticated attackers gain full control of the device, enabling them to intercept/modify network traffic, pivot to internal networks, or create persistent backdoors.
Likely Case
Denial of service causing device crashes and network disruption, with potential for remote code execution by skilled attackers.
If Mitigated
Limited to denial of service if exploit attempts are blocked at network perimeter, though RCE remains possible if devices are exposed.
🎯 Exploit Status
Public exploit details and proof-of-concept code are available in security advisories. The vulnerability requires crafting specific long password inputs to trigger the stack overflow.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified in CVE
Vendor Advisory: No official vendor advisory found in references
Restart Required: Yes
Instructions:
1. Check with Skyworth for firmware updates.
2. If an update is available, download it from the vendor portal.
3. Back up the device configuration.
4. Apply the firmware update via the web interface.
5. Reboot the device.
6. Verify that the fix is applied.
🔧 Temporary Workarounds
Network Access Control
Linux: block external access to the device web interface using firewall rules. As written these rules drop all inbound traffic to ports 80 and 443, including LAN management access; if local management must remain reachable, restrict them to the WAN-facing interface with -i <wan-interface>.
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
Change Default Credentials
All platforms: ensure strong, unique passwords are set to reduce the attack surface. Note that this does not prevent the overflow itself, which is triggered by the length of the submitted password before authentication succeeds.
🧯 If You Can't Patch
- Isolate affected devices in separate network segments with strict firewall rules
- Implement network-based intrusion prevention systems (IPS) to detect and block exploit attempts
🔍 How to Verify
Check if Vulnerable:
Check device model and firmware version via web interface (typically http://device-ip/status.html or similar). Look for DT741, DT721-cb, or DT741-cb with SDOTBGN1 in version string.
Check Version:
curl -s http://device-ip/status.html | grep -i 'firmware\|version\|model'
Verify Fix Applied:
Verify firmware version has been updated to a version not listed as vulnerable. Test with controlled exploit attempt in lab environment.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authentication attempts with unusually long passwords
- Device crash/restart logs
- Segmentation fault errors in system logs
Network Indicators:
- HTTP POST requests to authentication endpoints with >1000 character password fields
- Unusual traffic patterns to/from GPON devices
SIEM Query:
source="firewall" AND (dst_port=80 OR dst_port=443) AND url="*passwd*" AND content_length>1000
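The network indicators and SIEM query above, applied to a constructed log sample as an added example that is not part of the original advisory. The tab-separated proxy/WAF log format, the sample records and the /cgi-bin/Web_passwd path are assumptions; the thresholds (POST to a *passwd* URL with a password field or body over 1000 characters) are the page's own.

```python
from urllib.parse import parse_qs

# Indicator threshold from the advisory: password fields over 1000 characters.
MAX_PASSWORD_LEN = 1000

# Constructed sample records in a hypothetical tab-separated WAF/proxy log:
# timestamp, client IP, method, path, content length, request body.
# /cgi-bin/Web_passwd is an assumed endpoint name, not taken from the advisory.
SAMPLE_LOG = "\n".join([
    "2019-02-15T10:00:01Z\t192.0.2.10\tPOST\t/cgi-bin/Web_passwd\t1224\tusername=admin&password=" + "A" * 1200,
    "2019-02-15T10:00:07Z\t192.0.2.11\tPOST\t/cgi-bin/Web_passwd\t36\tusername=admin&password=correcthorse",
    "2019-02-15T10:00:09Z\t192.0.2.12\tGET\t/status.html\t0\t",
    "2019-02-15T10:00:15Z\t192.0.2.13\tPOST\t/login.cgi?op=passwd\t1010\tpassword=" + "B" * 1001,
    "2019-02-15T10:00:20Z\t192.0.2.14\tPOST\t/upload.cgi\t5000\tfile=" + "C" * 4995,
])

def parse_line(line):
    """Split one record into a dict; returns None for malformed lines."""
    parts = line.split("\t")
    if len(parts) != 6:
        return None
    ts, client, method, path, length, body = parts
    return {"ts": ts, "client": client, "method": method.upper(),
            "path": path, "content_length": int(length or 0), "body": body}

def password_field_length(body):
    """Length of the longest value in any form field whose name contains 'pass'."""
    fields = parse_qs(body, keep_blank_values=True)
    return max((len(v) for name, values in fields.items()
                if "pass" in name.lower() for v in values), default=0)

def classify(rec):
    """Return a reason string if the record matches the indicator, else None."""
    if rec["method"] != "POST" or "passwd" not in rec["path"].lower():
        return None
    pw_len = password_field_length(rec["body"])
    if pw_len > MAX_PASSWORD_LEN:
        return f"password field of {pw_len} chars to {rec['path']}"
    # Coarser fallback mirroring the SIEM query's content_length>1000 clause.
    if rec["content_length"] > MAX_PASSWORD_LEN:
        return f"oversized body ({rec['content_length']} bytes) to {rec['path']}"
    return None

def scan(log_text):
    """Return (client, reason) for every suspicious record in the log text."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and (reason := classify(rec)):
            hits.append((rec["client"], reason))
    return hits

if __name__ == "__main__":
    for client, reason in scan(SAMPLE_LOG):
        print(f"ALERT {client}: {reason}")
```

The password-field check is the precise signal; the content-length fallback exists so that a body the parser cannot split still trips the coarser SIEM-style rule.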
🔗 References
- http://packetstormsecurity.com/files/151608/Skyworth-GPON-HomeGateways-Optical-Network-Stack-Overflow.html
- http://seclists.org/fulldisclosure/2019/Feb/30
- https://s3curityb3ast.github.io/KSA-Dev-001.md
- https://seclists.org/bugtraq/2019/Feb/21
- https://www.breakthesec.com/2019/02/cve-2018-19524-stack-overflow-in.html
- https://www.exploit-db.com/exploits/46358/