PART 1. HG8245H Huawei Router “Privilege Escalation”

Scenario:
You have signed up for an internet connection and your ISP has provided you with a fancy router, an SSID and a password so you can access the internet. For this PoC, we focus on the HG8245H router.

I. First things first, the router credentials are already printed on the router, as below:
Apparently, the root account on this range of routers is not an administrator account but a normal user account, and the configuration options available to it are limited.

II. Another set of default credentials that should work is telecomadmin/admintelecom. On my router, this set didn’t work. These are the actual “super administrator” credentials, which give access to further options, notably backing up the configuration and editing and loading the router config file. The explanation I was given for why they fail is that as soon as the router connects to the ISP WAN it pulls its configuration from the ISP, and from then on this particular set of admin credentials doesn’t work.

III. So, working from that assumption, disconnect the link to the ISP (in my case a fiber connection) and connect to the router locally through a switch. How?
- Log into the web interface (https://192.168.100.1) using the root/admin credentials.
- Reboot the router.
- Disconnect the fiber cable while it restarts.
- As it comes back up, try to log in at http://192.168.100.1 as telecomadmin/admintelecom.
Voila! You are in as superadmin, with more options to tweak on the router.

V. So, to elevate your normal root user to superadmin status: download the router config file from System Tools > Configuration File. This file, named “hw_ctree.xml”, is encrypted rather than stored as plain XML.
Fortunately, there is a tool that can decrypt this XML file: https://www.aescrypt.com/download/. Proceed to decrypt the file.

And here we have our config file in plain text! For this exercise, our area of concern is the user account section.

Notice the different user levels, 0 and 1, for the two users (root and telecomadmin). Now we know that userlevel 0 is a super administrator. Edit the root user’s line to userlevel 0, save the file and encrypt it again with the same tool.
VI. Log into the web interface, upload the new config file and restart the router.

VII. Once it has restarted, log in as root/admin and enjoy the new options available <insert smiley face/>

Let’s take a break now and recap. Straight off the bat, the observations we can make:
- Use of default router credentials (root/admin, telecomadmin/admintelecom): over and above the immediate threat of unauthorized router access, routers with default credentials have been used in massive DDoS attacks.
Note: most users don’t change the default credentials, and telecomadmin/admintelecom is hard-coded into the Huawei router.
Reference: https://blog.sucuri.net/2016/09/iot-home-router-botnet-leveraged-in-large-ddos-attack.html
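The procedure above comes down to two things a defender can check for in a configuration backup: accounts still carrying the default credentials, and an account whose userlevel has been lowered to 0 (super administrator) since the last trusted backup. The following Python script is an added example, not code from the original post or from Huawei. Because the post only shows hw_ctree.xml as a screenshot, the element and attribute names used here (`UserInfoInstance`, `UserName`, `Password`, `UserLevel`) and the two sample backups are assumed and constructed; the script expects the file to have been decrypted already, as the post describes.

```python
"""Audit a decrypted router configuration backup (hw_ctree.xml style) for the
two weaknesses discussed above: default credentials left in place, and a user
whose level was raised to super administrator since the last trusted backup.

Added example, not from the original post.  The element/attribute names below
are ASSUMED; the real hw_ctree.xml layout is only shown as a screenshot there.
"""
import xml.etree.ElementTree as ET

# Default credential pairs named in the post.
DEFAULT_CREDENTIALS = {("root", "admin"), ("telecomadmin", "admintelecom")}

# The post identifies userlevel 0 as the super administrator level.
SUPER_ADMIN_LEVEL = 0

# Constructed sample: a trusted backup taken before any tampering.
BASELINE_XML = """<Config>
  <UserInfo>
    <UserInfoInstance InstanceID="1" UserName="root" Password="admin" UserLevel="1"/>
    <UserInfoInstance InstanceID="2" UserName="telecomadmin" Password="admintelecom" UserLevel="0"/>
  </UserInfo>
</Config>"""

# Constructed sample: the same backup after root's level was edited to 0.
TAMPERED_XML = """<Config>
  <UserInfo>
    <UserInfoInstance InstanceID="1" UserName="root" Password="admin" UserLevel="0"/>
    <UserInfoInstance InstanceID="2" UserName="telecomadmin" Password="admintelecom" UserLevel="0"/>
  </UserInfo>
</Config>"""


def parse_accounts(xml_text):
    """Return {username: {"password": ..., "level": int}} from decrypted config XML."""
    root = ET.fromstring(xml_text)
    accounts = {}
    for node in root.iter("UserInfoInstance"):  # ASSUMED element name
        name = node.get("UserName")
        accounts[name] = {
            "password": node.get("Password"),
            "level": int(node.get("UserLevel")),
        }
    return accounts


def audit_accounts(accounts):
    """Flag accounts using a known default password or holding super admin rights."""
    findings = []
    for name in sorted(accounts):
        acct = accounts[name]
        if (name, acct["password"]) in DEFAULT_CREDENTIALS:
            findings.append(f"default credentials still set for '{name}'")
        if acct["level"] == SUPER_ADMIN_LEVEL:
            findings.append(f"'{name}' holds super administrator level {SUPER_ADMIN_LEVEL}")
    return findings


def detect_privilege_changes(baseline, current):
    """Compare two backups and report accounts added, removed or changed in level.

    A level moving from 1 to 0 is exactly the edit described in the post, so an
    operator diffing periodic backups against a trusted baseline can spot it.
    """
    changes = []
    for name, acct in current.items():
        old = baseline.get(name)
        if old is None:
            changes.append(f"new account '{name}' at level {acct['level']}")
        elif old["level"] != acct["level"]:
            changes.append(f"'{name}' level changed {old['level']} -> {acct['level']}")
    for name in baseline:
        if name not in current:
            changes.append(f"account '{name}' removed")
    return changes


def main():
    baseline = parse_accounts(BASELINE_XML)
    current = parse_accounts(TAMPERED_XML)
    print("Static findings on current backup:")
    for line in audit_accounts(current):
        print("  -", line)
    print("Changes since trusted baseline:")
    for line in detect_privilege_changes(baseline, current):
        print("  -", line)


if __name__ == "__main__":
    main()
```

The baseline should be a backup taken before the device was handed over; running the audit on each later backup then reports both the standing weakness (default credentials) and the specific change (a userlevel moving to 0) without anyone having to read the raw XML.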
Recommendations:
A comprehensive checklist on router security is available at http://routersecurity.org/checklist.php.
In part 2:
- We shall see the impact on the ISP of end users/customers having super administrator options on the router, and what can be done with the additional rights.
- What we can “see” as an end user, using the public IP that the ISP has now given us.
- Other config settings we can play around with in the router.
After numerous email communications with the vendor, their final comments were: "We will not track this issue as a vulnerability. If you still have some different options, please never hesitate to contact us. Thanks again for your concern about the security problems of Huawei products. If you ever find any potential security issues in Huawei products in the future, we are looking forward to working with you again."

I would, however, like to thank Huawei for their quick response and follow-up. Many security researchers would, however, have wished that we would fix this issue, as we all know how attacks like DDoS are being propagated using default credentials in routers and other IoT devices.