Wei Gao, Blog Author
Senior Security Research Engineer
Blog

Huawei HG532 Command Execution Vulnerability CVE-2017-17215 Analysis

January 26, 2018 by Wei Gao

Wild Sample

According to a Check Point report, there is a vulnerability (CVE-2017-17215) in the Huawei home router HG532. We caught this attack in the wild and found it dating back to mid-December. It's been exploited by a Mirai variant known as Satori (aka Okiru), which has reportedly incorporated web exploits with the traditional telnet brute forcing techniques seen in prior IoT attacks. Below is a raw sample of what we've lifted from our honeypots. The vendor has released this advisory regarding the vulnerability.

1

Looking at patterns matching this exploit, we find drive-by attempts dating back to December. Not only do we use this to feed our threat intelligence platform on ThreatARMOR, but we also check our own work when looking for exploits.

2

Environment Setup

Before we can test and verify the vulnerability we need either a vulnerable Huawei router, or we can try to run the firmware in a virtual environment. I went with option 2. Below are the instructions for setting up and installing QEMU to run the Huawei software.

1. Download the vulnerable Huawei HG532 firmware [1]

2. Install QEMU:
1.1

3. Install network configuration and bridge tools:
3

4. Change host network configuration to support a network bridge, modify /etc/network/interfaces:
4

5. Create QEMU TAP interface script /etc/qemu-ifup:
5

6. Assign execution permission to /etc/qemu-ifup:
6

7. Restart networking:
7

8. Extract firmware using binwalk:
8

9. Check CPU instruction architecture, in _HG532eV100R001C01B020_upgrade_packet.bin.extracted/squashfs-root/bin
9

10. It is a 32-bit, big-endian MIPS architecture. Download this big-endian MIPS Debian QEMU image[2]. Make sure you download both mlinux-2.6.32-5-4kc-malta and debian_squeeze_mips_standard.qcow2.
10

11. Start the QEMU image:
11

12. Once the image is started, input your credentials as root/root:
12

13. Modify /etc/network/interfaces:
13

14. Reboot the network service and confirm your IP has gotten an address:
14

15. Copy the extracted squashfs-root to the SQMU:
15

Now the vulnerable test environment is ready. We have an emulated MIPS environment ready to run any binary from the Huawei firmware locally.

Vulnerability Discussion

Based on Check Point’s report [3], the vulnerability exists in the Universal Plug and Play (UPnP) protocol. UPnP [4] is a set of networking protocols that permits networked devices, such as personal computers, printers, Internet gateways, Wi-Fi access points, and mobile devices to seamlessly discover each other's presence on the network and establish functional network services for data sharing, communications, and entertainment. The vulnerability allows remote administrators to execute arbitrary commands by injecting shell meta-characters “$()” in the NewStatusURL and NewDownloadURL [3]. We need to locate these vulnerable functions and then attempt reproduction of the vulnerability.

1. Load squashfs-root/bin/upnp file into IDA Pro and search strings NewStatusURL:
16

2. Use Xref to locate the cross-referenced functions:
17

3. Locate the vulnerability. Looks like it is a standard RCE exploit.
18

The binary will process the SOAP XML request, and it will get the value of NewDownloadURL and NewStatusURL, then it will call snprintf function:
19

a0 is the source string address and it is system function’s first argument. When this string is called, we will be able to perform a command injection:
20

Vulnerability Reproduction

Let's now start running this vulnerable code in our emulated MIPS machine. We'll need to first change the root directory, then find the vulnerable software to run. Once this happens, we should be able to exploit it remotely and confirm that our strike is working correctly.

1. Chroot to the root filesystem of the Huawei router that copied over earlier:
21

2. Then run the "mic" application:
22

3. Now TCP port 37215 should be listening:
23

4. Since the target contains a busybox version of the wget command, it can be used to upload the reverse shell to the tmp folder:
24

5. Create a MIPS big endian format reverse shell elf file and setup listener.

6. Run PoC code
25

7. And get a reverse shell.
26

This strike is deployed in our upcoming ATI release. We have also had protection against this in the ThreatARMOR feed.

Leverage Subscription Service to Stay Ahead of Attacks

The Ixia BreakingPoint Application and Threat Intelligence (ATI) Subscription provides bi-weekly updates of the latest application protocols and attacks for use with Ixia platforms.

References

[1] https://ia601506.us.archive.org/22/items/RouterHG532e/router%20HG532e.rar

[2] https://people.debian.org/~aurel32/qemu/mips/

[3] https://research.checkpoint.com/good-zero-day-skiddie/

[4] https://en.wikipedia.org/wiki/Universal_Plug_and_Play

[5] http://www.huawei.com/en/psirt/security-notices/huawei-sn-20171130-01-hg532-en