Remote arbitrary file read on Huawei CPEs

  • Authors: Roberto Paleari (@rpaleari) and Aristide Fattori (@joystick)
  • Release date: 06/11/2015
  • Identifier: CVE-2015-7254

Multiple Huawei CPE models are vulnerable to a directory traversal issue affecting an Internet-facing web port (tcp/37215, on the tested devices). This port is devoted to the UPnP service.

By leveraging this vulnerability, remote attackers can access arbitrary local files, with no authentication. Thus, it is quite easy to exploit this issue to gain arbitrary control over the affected devices.

In detail, the web server is designed to allow unauthenticated access to files under the /icon/ remote path. However, the provided path is not checked for directory traversal attempts, so attackers are free to leverage ../ specifiers to access any local file.

As an example, the local /etc/inittab file can be accessed through the following URL:

http://<target IP>:37215/icon/../../../etc/inittab

Where <target IP> is the IP address of a vulnerable device.

As a side note, consider that this URL should not be accessed using curl, wget or similar command-line utilities, as these tools simplify the requested resource path before sending it to the remote server (e.g., instead of /icon/../../../etc/inittab they issue an HTTP request for /etc/inittab).
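The check missing from the /icon/ handler, sketched as an added example (this is not code from the advisory or from the device firmware). The function name `icon_path_is_safe` is hypothetical, and the request path is assumed to have been percent-decoded once before the call.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ICON_PREFIX "/icon/" /* unauthenticated path named in the advisory */

/* Hypothetical helper, not the vendor's code: true only if the request
 * path stays inside /icon/ once "." and ".." segments are resolved.
 * Assumes the caller has already percent-decoded url_path exactly once. */
bool icon_path_is_safe(const char *url_path)
{
    size_t prefix_len = strlen(ICON_PREFIX);
    if (url_path == NULL || strncmp(url_path, ICON_PREFIX, prefix_len) != 0)
        return false;

    int depth = 0; /* directory levels below /icon/ */
    const char *seg = url_path + prefix_len;
    while (*seg != '\0') {
        size_t len = strcspn(seg, "/"); /* length of the current segment */
        if (len == 2 && seg[0] == '.' && seg[1] == '.') {
            if (--depth < 0)
                return false; /* would climb above /icon/ */
        } else if (len > 0 && !(len == 1 && seg[0] == '.')) {
            depth++; /* ordinary name: one level down */
        } /* empty segments ("//") and "." leave depth unchanged */
        seg += len;
        if (*seg == '/')
            seg++;
    }
    return true;
}

int main(void)
{
    /* Constructed sample request paths; the second is the advisory's. */
    const char *samples[] = {
        "/icon/logo.png",
        "/icon/../../../etc/inittab",
        "/icon/themes/../logo.png",
        "/icon/themes/../../etc/inittab",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-34s %s\n", samples[i],
               icon_path_is_safe(samples[i]) ? "serve" : "reject");
    return 0;
}
```

The check is lexical only; a server that follows symbolic links would also need to compare the resolved file path against the icon directory.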

Additionally, vulnerable devices can also be detected by accessing the /tr064dev.xml resource, which returns an XML document containing the device model.

We confirm the following Huawei device models are affected:

  • HG532e
  • HG532n
  • HG532s

Other device models are probably vulnerable as well, but they were not tested.