Router Vulns: Impacts & Recommendations Part 1 – PoC

March 27, 2017 | Views: 5016


PART 1. HG8245H Huawei Router “Privilege Escalation”:

Scenario: 

You have signed up for an internet connection and your ISP has provided you with a fancy router, SSID name, and password to be able to access the internet connection. For this PoC, we focus on the HG8245H router.

I. First things first, the default router credentials are printed on the router itself, as shown below:

[Figure 1]

Apparently, the root account on this range of routers is not an administrator account but a normal user account, and the configuration options available to it are limited.

II. Another set of default credentials which should work is telecomadmin/admintelecom. For my router, this set didn’t work. These are the actual “super administrator” credentials, which give access to additional options, notably backing up configuration settings and editing and loading the router config file. The explanation I got for why this is the case is that as soon as the router connects to the ISP WAN it pulls its configuration from the ISP, and this particular set of admin credentials then stops working.

III. So, working from the assumption above, disconnect the router from the ISP (in my case a fiber connection) and connect to it only over the local switch. How?

  • Enter the web interface (http://192.168.100.1) using the root/admin credentials
  • Reboot the router
  • Disconnect the fiber cable as it restarts
  • As it comes back up, try to log in on http://192.168.100.1 as telecomadmin/admintelecom

IV. Voila! You are in as superadmin, with more options to tweak the router:

[Figure 2]

[Figure 3]

V. So, to elevate the normal root user to superadmin status, download the router config file from System Tools > Configuration File. This file, named “hw_ctree.xml”, is encoded and appears as shown below:

[Figure 4]

Fortunately, there is a tool to decrypt this XML file: https://www.aescrypt.com/download/.

Proceed to decrypt the file:

[Figure 5]

And here we have our config file in plain text!

For this exercise, our area of concern is the part highlighted below:

[Figure 6]

Notice the different user levels for the two users (root and telecomadmin), 0 and 1. Now we know that userlevel 0 is a super administrator. Edit the root user line to userlevel 0. Save the file and encrypt it again with the same tool.

VI. Log into the web interface, upload the new config file and restart the router.

VII. Once restarted, log in as root/admin and enjoy the new options available <insert smiley face/>


Let’s take a break now and recap…

Straight off the bat, observations we can make:

  • Use of default router credentials (root/admin, telecomadmin/admintelecom) – over and above the immediate threat of unauthorized router access, routers with default credentials have been used in massive DDoS attacks.

Note: most users don’t change the default credentials. The telecomadmin/admintelecom pair is hard-coded into the Huawei router.

Reference: https://blog.sucuri.net/2016/09/iot-home-router-botnet-leveraged-in-large-ddos-attack.html
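As an added example (not code from the article or from Huawei), here is a small audit script a defender could run over a decrypted config backup to flag the two conditions discussed above: accounts still carrying a default username/password pair, and accounts holding the super-administrator userlevel 0 that should not. The element and attribute names (`User`, `UserName`, `Password`, `UserLevel`) and the sample XML are assumptions constructed for the example; the article only shows that root sits at userlevel 1 and telecomadmin at userlevel 0.

```python
import xml.etree.ElementTree as ET

# Assumed layout (not taken from the article): each web account is an element
# carrying UserName, Password and UserLevel attributes.
SUPER_ADMIN_LEVEL = "0"
EXPECTED_SUPER_ADMINS = {"telecomadmin"}
DEFAULT_CREDS = {("root", "admin"), ("telecomadmin", "admintelecom")}

# Constructed sample standing in for a decrypted hw_ctree.xml; not a real dump.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<InternetGatewayDeviceConfig>
  <UserInfo>
    <User UserName="root" Password="admin" UserLevel="0"/>
    <User UserName="telecomadmin" Password="admintelecom" UserLevel="0"/>
    <User UserName="operator" Password="S3cure!pass" UserLevel="1"/>
  </UserInfo>
</InternetGatewayDeviceConfig>
"""


def audit_accounts(xml_text):
    """Return a list of (username, finding) tuples for a decrypted config.

    Finding 1: the account still uses a known default username/password pair
    (plaintext comparison; firmware that stores hashed passwords would need
    the defaults hashed the same way before comparing).
    Finding 2: the account is at super-administrator level 0 but is not one
    of the accounts expected to hold that level, e.g. root raised to 0.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for element in root.iter():
        name = element.get("UserName")
        if name is None:  # not an account element
            continue
        password = element.get("Password", "")
        level = element.get("UserLevel")
        if (name, password) in DEFAULT_CREDS:
            findings.append((name, "default credentials still set"))
        if level == SUPER_ADMIN_LEVEL and name not in EXPECTED_SUPER_ADMINS:
            findings.append((name, "unexpected super-administrator UserLevel 0"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_accounts(SAMPLE_CONFIG):
        print(f"{name}: {finding}")
```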

Recommendations:

A comprehensive checklist on router security is available at http://routersecurity.org/checklist.php.

In part 2:

  • We shall see the impact on the ISP of end users/customers having super administrator options on the router, and what we can do with the additional rights
  • What we can “see” as an end user, using the public IP that we now have from the ISP
  • Other config settings we can play around with in the router

After numerous email exchanges with the vendor, their final comments were: “We will not track this issue as a vulnerability. If you still have some different options, please never hesitate to contact us.

Thanks again for your concern about the security problems of Huawei products. If you ever find any potential security issues in Huawei products in the future, we are looking forward to working with you again.”

I would, however, like to thank Huawei for their quick response and follow-up on their part. Many security researchers would, however, have wished that we would fix this issue, as we all know how attacks like DDoS are propagated using default credentials in routers or other IoT devices.

7 Comments
  1. It is important to keep the vulnerabilities in our mind while using the router. Just visit http://reviewxprt.com/ and check the best available routers in your budget.

  2. Great article! So the only way to exploit this vulnerability is to have direct access to the router? I mean, don’t you have to be connected to the router’s network to log in to it?

  3. I don’t have a Huawei router, but the article still helped me better understand home routers’ vulns. My router’s config file is a .bin one, though.

    Good job. Looking forward for the next part :).

  4. Is the aescrypt2_huawei.exe file available on the aescrypt site? I could not find it.

  5. Gratz! Good Article too! +10
