================================================================================
xerod security advisory XEROD-2026-0001
================================================================================

Title       : Authenticated OS command injection in GR140DG ping diagnostic
              handler (root context)
Canonical ID: XEROD-2026-0001
CVE ID      : CVE-2026-31195
CWE         : CWE-78 Improper Neutralization of Special Elements used in an
              OS Command
CVSS v3.1   : 8.8 HIGH  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Status      : Fixed
Vendor      : ALTICE LABS / SFR France
Product     : GR140DG fibre router (CPE)
Versions    : 3GN8020801R13, 3GN8020802R0A, 3GN8020803R0A
Fixed in    : 3GN8020803R0B
Discovery   : 2026-01-08
Notified    : 2026-01-15
Disclosed   : 2026-05-04
Researcher  : xerod research
Revision    : 1.0 (2026-05-04)

SUMMARY
--------------------------------------------------------------------------------
The ping diagnostic feature exposed by /bin/httpd_clientside on the ALTICE
LABS / SFR France GR140DG fibre router passes user-controlled input into a
shell command executed via system(). Input validation is character-based and
not context-aware for shell execution, so command-substitution constructs are
evaluated by the shell. The WebUI runs as root, so successful exploitation
yields authenticated root-level remote command execution on the device.

AFFECTED COMPONENT
--------------------------------------------------------------------------------
Binary    : /bin/httpd_clientside
Endpoint  : /ping.cmd
Auth      : Required (WebUI session + CSRF token)
Privilege : root

IMPACT
--------------------------------------------------------------------------------
An authenticated WebUI user can execute arbitrary shell commands as root on the
router. Because the GR140DG is the default fibre CPE issued to a large
population of SFR Fibre customers in France, the aggregate exposure is
significant.

- Confidentiality: critical -- read access to all on-device files, including
  credentials and configuration.
- Integrity: critical -- arbitrary modification of router state, firmware
  persistence opportunities, and downstream-network tampering.
- Availability: critical -- ability to disrupt service or render the device
  inoperable.
- Lateral-movement potential from LAN-resident malware or compromised WebUI
  credentials.

TECHNICAL DETAILS
--------------------------------------------------------------------------------
The handler for /ping.cmd constructs a shell command of the form:

    /bin/ping -c -i -s "<destAddr>" \
        > /tmp/ptin_diag_result 2>&1

and executes it via system(), which invokes /bin/sh and therefore performs
full shell parsing and expansion before the executable is launched. The
destAddr parameter is interpolated directly into the command string.

Validation is performed by URIStringValidation() (imported from
librdk_dal.so), which filters characters rather than enforcing semantics:

- Rejects: whitespace, control characters, double quotes, backslash, '%'.
- Permits: shell metacharacters used in command-substitution constructs.

Because shell expansion happens before word splitting, blocking whitespace
alone does not prevent shell evaluation of the substituted output.

A stricter validator, hostnameStringValidation(), is present in the same
codebase and enforces DNS hostname syntax (letters, digits, '-', '.') without
permitting shell metacharacters. The ping handler does not use it.

The WebUI process additionally runs with uid=0, removing any privilege
containment around the shell call.

The root cause is therefore a combination of an unsafe execution primitive
(system()), the wrong validator for the context, and an over-privileged
execution environment -- a design flaw rather than a single missing check.

PROOF OF CONCEPT
--------------------------------------------------------------------------------
Status  : Withheld.
Detail  : A working Python PoC reliably triggers the issue against the firmware
          versions listed above and is held privately.
          It will be released no earlier than 30 days after a vendor fix is
          generally available, or sooner if exploitation is observed in the
          wild.
Request : PGP-signed email to info@xerod.io.

REMEDIATION AND MITIGATION
--------------------------------------------------------------------------------
1. Apply firmware 3GN8020803R0B or later.
   - The vendor has shipped a fix in this release.
   - Operators should confirm their CPE has been updated; SFR-managed devices
     typically receive the update over the operator-controlled provisioning
     channel.

2. Configuration workaround (for devices not yet updated).
   - Restrict WebUI access to the LAN.
   - Rotate WebUI credentials.
   - Disable remote management.
   Does not remediate the underlying flaw.

3. Compensating control.
   - Network segmentation between the router management interface and
     untrusted LAN devices.
   - Monitoring for anomalous outbound traffic from the CPE.

DISCLOSURE TIMELINE (UTC)
--------------------------------------------------------------------------------
2026-01-08  Vulnerability discovered by xerod research.
2026-01-15  Vendor (ALTICE LABS / SFR France) notified with technical details
            and PoC.
2026-04-02  CVE-2026-31195 reserved by xerod via CNA.
TBC         Vendor releases firmware 3GN8020803R0B containing the fix (date
            pending vendor confirmation).
2026-05-04  Public disclosure of advisory XEROD-2026-0001.

REFERENCES
--------------------------------------------------------------------------------
- https://www.cve.org/CVERecord?id=CVE-2026-31195
- https://nvd.nist.gov/vuln/detail/CVE-2026-31195
- https://cwe.mitre.org/data/definitions/78.html
- https://capec.mitre.org/data/definitions/88.html
- https://xerod.io/advisories/XEROD-2026-0001.html
- https://xerod.io/advisories/XEROD-2026-0002.html (companion traceroute
  advisory, same root cause)

REVISION HISTORY
--------------------------------------------------------------------------------
1.0  2026-05-04  Initial publication. Vendor fix is available in firmware
                 3GN8020803R0B.
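The root cause described under TECHNICAL DETAILS, as an added C illustration that is neither the vendor's code nor the withheld PoC: a character blocklist modelled on the description of URIStringValidation() passes a command-substitution string that a hostname allowlist modelled on hostnameStringValidation() rejects, and an argv vector replaces the system() string so no shell ever parses the destination. The function names, the sample inputs and the fixed ping options are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical model of a character blocklist like the advisory describes for
 * URIStringValidation(): rejects whitespace, control chars, '"', '\\', '%' and
 * nothing else, so '$', '(', ')' and '`' pass. Not the vendor's code. */
bool blocklist_validate(const char *s)
{
    if (s == NULL || *s == '\0') return false;
    for (const unsigned char *p = (const unsigned char *)s; *p; p++)
        if (isspace(*p) || iscntrl(*p) || *p == '"' || *p == '\\' || *p == '%')
            return false;
    return true;
}

/* Hypothetical context-aware allowlist in the spirit of hostnameStringValidation():
 * letters, digits, '-' and '.' only, with DNS label rules. Dotted-quad IPv4
 * literals pass as a side effect; IPv6 literals would need a separate check. */
bool hostname_validate(const char *s)
{
    size_t len = (s != NULL) ? strlen(s) : 0, label = 0;
    if (len == 0 || len > 253) return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '.') {                               /* label boundary */
            if (label == 0 || s[i - 1] == '-') return false;
            label = 0;
        } else if (!isalnum(c) && c != '-') {
            return false;                             /* includes all shell syntax */
        } else if ((label == 0 && c == '-') || ++label > 63) {
            return false;                             /* leading '-' or label > 63 */
        }
    }
    return label > 0 && s[len - 1] != '-';
}

/* Fill an argv vector for an execv()-style launch: each value is one argument,
 * so no shell ever parses the destination. Returns the entry count before the
 * NULL terminator, or -1 if the destination is rejected. */
int build_ping_argv(const char *dest, const char *argv[], size_t cap)
{
    if (cap < 5 || !hostname_validate(dest)) return -1;
    argv[0] = "/bin/ping";
    argv[1] = "-c";
    argv[2] = "4";      /* fixed count; never user-controlled */
    argv[3] = dest;
    argv[4] = NULL;
    return 4;
}
```

A real handler would pass the vector to fork()/execv() from a process that has dropped uid 0, addressing the third part of the root cause as well.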
VERIFICATION
--------------------------------------------------------------------------------
This canonical .txt rendering is the signed artifact. To verify:

    gpg --verify XEROD-2026-0001.txt.asc XEROD-2026-0001.txt

The xerod signing key fingerprint is:

    5C0F 3F54 8DF9 F023 A75E A6FB 7E6C 1114 E7EC A6F5

The full public key block is published at https://xerod.io/#pgp.

================================================================================
End of XEROD-2026-0001
================================================================================