Remote arbitrary file read on Huawei CPEs
- Authors: Roberto Paleari (@rpaleari) and Aristide Fattori (@joystick)
- Release date: 06/11/2015
- Identifier: CVE-2015-7254
Multiple Huawei CPE models are vulnerable to a directory traversal issue affecting an Internet-facing web port (tcp/37215, on the tested devices). This port is devoted to the UPnP service.
By leveraging this vulnerability, remote attackers can access arbitrary local files, with no authentication. Thus, it is quite easy to exploit this issue to gain arbitrary control over the affected devices.
In detail, the web server is designed to allow unauthenticated access to files under the /icon/ remote path. However, the provided path is not checked for directory traversal attempts, so attackers are free to leverage ../ specifiers to access any local file.
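The missing check, shown as an added example that is not code from the advisory or from the device firmware: a naive mapping of /icon/ requests to disk beside one that rejects traversal. The function names and the ICON_ROOT directory are hypothetical, and the request path is assumed to be percent-decoded already.

```c
#include <stdio.h>
#include <string.h>
#define ICON_PREFIX "/icon/"      /* public prefix named in the advisory */
#define ICON_ROOT   "/var/icons"  /* assumed on-device directory (hypothetical) */

/* Naive mapping: strips the prefix and joins, so "../" segments survive. */
int map_naive(const char *url, char *out, size_t n)
{
    size_t plen = strlen(ICON_PREFIX);
    if (strncmp(url, ICON_PREFIX, plen) != 0) return -1;
    int w = snprintf(out, n, "%s/%s", ICON_ROOT, url + plen);
    return (w < 0 || (size_t)w >= n) ? -1 : 0;
}

/* Checked mapping: resolves segments lexically and rejects any ".." that
 * would climb above ICON_ROOT. Input is assumed already percent-decoded. */
int map_checked(const char *url, char *out, size_t n)
{
    size_t plen = strlen(ICON_PREFIX), len = strlen(ICON_ROOT);
    int depth = 0;
    if (strncmp(url, ICON_PREFIX, plen) != 0 || len >= n) return -1;
    memcpy(out, ICON_ROOT, len + 1);
    for (const char *p = url + plen; *p; ) {
        size_t seg = strcspn(p, "/");
        if (seg == 2 && p[0] == '.' && p[1] == '.') {
            if (depth-- == 0) return -1;        /* escape attempt */
            while (out[len - 1] != '/') len--;  /* drop last segment */
            out[--len] = '\0';
        } else if (seg > 0 && !(seg == 1 && p[0] == '.')) {
            if (len + 1 + seg >= n) return -1;  /* would not fit */
            out[len++] = '/';
            memcpy(out + len, p, seg);
            out[len += seg] = '\0';
            depth++;
        }
        p += seg;
        if (*p == '/') p++;
    }
    return depth > 0 ? 0 : -1;                  /* bare "/icon/" is refused */
}

int main(void)
{
    const char *req[] = { "/icon/logo.png", "/icon/../../../etc/inittab" };
    char buf[128];
    for (int i = 0; i < 2; i++)
        printf("%-28s -> %s\n", req[i],
               map_checked(req[i], buf, sizeof buf) == 0 ? buf : "rejected");
    return 0;
}
```

The check is purely lexical, so it does not follow symbolic links inside the served directory; a server that allows links there also needs a realpath() containment test on the resolved file.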
As an example, the local
/etc/inittab file can be accessed through the
<target IP> is the IP address of a vulnerable device.
As a side note, consider that this URL should not be accessed using
wget or similar command-line utilities, as these tools simplify the requested
resource path before sending it to the remote server (e.g., instead of
/icon/../../../etc/inittab they issue an HTTP request for
Additionally, vulnerable devices can also be detected by accessing the
/tr064dev.xml resource, which returns an XML document containing the device
We confirm the following Huawei device models are affected:
- HG532s

Other device models are probably vulnerable as well, but they were not tested.