SEC Consult's security researchers found a vulnerability in several WiMAX routers that allows an attacker to change the router's administrator password and take control of the affected device. Worse, once an attacker controls such a router, they can use it to attack the network behind it, enrol the device in a botnet, or eavesdrop on the user's traffic. The vulnerability affects devices from several manufacturers, including GreenPacket, Huawei, MADA, ZTE and ZyXEL; some of the affected devices expose their web management interface directly to the Internet. The vulnerability has been reported to CERT/CC (CVE-2017-3216), and CERT has notified the vendors. For the disclosure timeline and the list of affected devices, see our advisory: https://sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20170607-0_Various_WiMAX_CPEs_Authentication_Bypass_v10.txt

Authentication bypass and backdoor in several WiMAX routers

This article covers the main points of the vulnerability analysis. While our researchers were investigating HTTPS certificate and SSH key reuse, they unexpectedly came across a group of roughly 80 devices that all use the MatrixSSL Sample Server Cert as their HTTPS certificate. These turned out to be WiMAX gateways developed by ZyXEL and its sister company MitraStar, so our researchers picked one of them for a closer look. WiMAX is a technology similar to LTE; although it never became as popular as LTE, a large number of WiMAX devices are still in use around the world.
From the large data sets we collect, we found that many WiMAX devices expose their web management interface to the Internet, whether through misconfiguration or through carelessness on the ISP's side. That web interface is a very good entry point for vulnerability hunting. As with any IoT penetration test, we started with the firmware of the affected WiMAX device, which ZyXEL conveniently offers for download on its website. We uploaded the firmware to our cloud-based IoT firmware analysis system, and a few minutes later we had an analysis report in front of us. We first looked at the layout of the firmware's file system. In /var/www we found a large number of HTML files; in our experience these are usually just view templates (as anyone familiar with MVC knows) and contain no business logic.

[Figure: excerpt from the IoT firmware analysis system's report]

Authentication bypass vulnerability

We did not find any traditional CGI scripts, so we inferred that the web interface's business logic might be embedded in the web server itself. The web server's executable path is /bin/mini_httpd.elf, which naturally made us think of the open-source mini_httpd project, but on closer inspection this mini_httpd is entirely different from the open-source one, perhaps the result of a heavy rewrite. To begin with, this mini_httpd contains no web interface business code at all; instead we found a function that uses the dlopen() library call to load library files from the /lib/web_plugin directory.

[Figure: the dlopen() call that loads plugins from /lib/web_plugin]

So we had a look in /lib/web_plugin and found a single shared library there, named libmtk_httpd_plugin.so. At the mime_handlers symbol it contains an array of structures describing how different MIME types (and URIs) are to be handled.
libmtk_httpd_plugin.so contains the HTTP request handling functions.

[Figure: the mime_handlers structure array in libmtk_httpd_plugin.so]

For every HTTP request it receives, the web server walks the mime_handlers array looking for a matching entry; if it finds one, it takes the request handler function from that entry and calls it. At this point we were in good spirits and opened IDA Pro to continue the analysis. Using the layout of the mime_handlers array, we located the list of entries at the mime_handlers symbol:

[Figure: entries of the mime_handlers array in IDA Pro]

We now had a clear picture of which URIs the web server handles and how each one is processed. In the entry structure at the mime_handlers symbol we found an enumeration that indicates whether the requesting user must be authenticated or not, which we call AUTH_REQUIRED/UNAUTHENTICATED. Many URIs require no authentication at all. Those are well worth careful analysis, and we focused on commit2.cgi.

[Figure: the commit2.cgi handler]

This URI handler stores the parameter names and values of a POST request in the device's built-in key/value database, probably NVRAM. That is directly exploitable: the simplest attack is a POST request to the commit2.cgi URI containing the parameter ADMIN_PASSWORD=xxxx (where xxxx is the administrator password you want to set). This changes the administrator password, lets the attacker log in through the web interface, and opens the way for further attacks.

Once logged in to the web interface, there are many functions an attacker can abuse; which one depends on the attacker's goal. One function allows changing the DNS server configuration, and the clever reader has probably already thought of hijacking DNS for phishing, online banking fraud or ad injection. Another allows uploading firmware, so an attacker can upload firmware containing malicious code to monitor the user's behaviour or turn the device into a botnet node. As our analysis went deeper, we found that this exposed WiMAX router also allows SSH and Telnet logins, and these two services caught our interest.

OEM backdoor: SSH and Telnet

SSH and Telnet can be enabled through the web interface. Once enabled, an attacker can log in to SSH and Telnet with the web interface's account and password. After a successful login you get a Cisco-like router command-line interface from which a variety of commands can be run, and some of those commands provide functionality similar to a Linux shell.
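To make the dispatch logic behind the authentication bypass concrete, here is an added example in C; it is not code from the firmware, from libmtk_httpd_plugin.so, or from SEC Consult. It models the mime_handlers table with its AUTH_REQUIRED/UNAUTHENTICATED flag, a commit2.cgi handler that writes POST parameters straight into a key/value store, and the ADMIN_PASSWORD POST from the analysis above. The structure layout, the URI spelling /commit2.cgi, the /status.cgi entry, the HTTP status codes, the default password "admin" and the NVRAM model are assumptions for illustration. The same request is replayed against a table that marks commit2.cgi UNAUTHENTICATED and against a corrected table that marks it AUTH_REQUIRED.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the firmware's code. Struct layout, URI paths, status
 * codes and the NVRAM model are assumptions; only ADMIN_PASSWORD,
 * commit2.cgi and the auth flag come from the analysis in the article. */

enum auth_level { UNAUTHENTICATED = 0, AUTH_REQUIRED = 1 };

struct request {
    const char *uri;
    const char *body;    /* url-encoded POST body, e.g. "ADMIN_PASSWORD=x" */
    int authenticated;   /* 1 if the client holds a valid web session */
};

typedef int (*handler_fn)(const struct request *req);

struct mime_handler {
    const char *pattern;   /* exact URI match in this model */
    enum auth_level auth;
    handler_fn fn;
};

#define HANDLER_COUNT(t) (sizeof(t) / sizeof((t)[0]))

/* Toy NVRAM: fixed key/value slots, seeded with an assumed default password. */
#define NVRAM_SLOTS 8
#define NVRAM_LEN 64
static char nvram_key[NVRAM_SLOTS][NVRAM_LEN];
static char nvram_val[NVRAM_SLOTS][NVRAM_LEN];

void nvram_reset(void) {
    memset(nvram_key, 0, sizeof nvram_key);
    memset(nvram_val, 0, sizeof nvram_val);
    strcpy(nvram_key[0], "ADMIN_PASSWORD");
    strcpy(nvram_val[0], "admin");
}

const char *nvram_get(const char *key) {
    for (int i = 0; i < NVRAM_SLOTS; i++)
        if (strcmp(nvram_key[i], key) == 0) return nvram_val[i];
    return NULL;
}

static int nvram_set(const char *key, const char *val) {
    int free_slot = -1;
    if (strlen(key) >= NVRAM_LEN || strlen(val) >= NVRAM_LEN) return -1;
    for (int i = 0; i < NVRAM_SLOTS; i++) {
        if (nvram_key[i][0] == '\0') { if (free_slot < 0) free_slot = i; continue; }
        if (strcmp(nvram_key[i], key) == 0) { strcpy(nvram_val[i], val); return 0; }
    }
    if (free_slot < 0) return -1;
    strcpy(nvram_key[free_slot], key);
    strcpy(nvram_val[free_slot], val);
    return 0;
}

/* commit2.cgi: every key=value pair in the body is stored, no questions asked.
 * This is the behaviour the article describes; the bug is the auth flag on
 * its table entry, not the parsing. */
static int commit2_cgi(const struct request *req) {
    char buf[256];
    snprintf(buf, sizeof buf, "%s", req->body);
    for (char *pair = strtok(buf, "&"); pair; pair = strtok(NULL, "&")) {
        char *eq = strchr(pair, '=');
        if (!eq || eq == pair) continue;          /* skip malformed pairs */
        *eq = '\0';
        if (nvram_set(pair, eq + 1) != 0) return 500;
    }
    return 200;
}

static int status_cgi(const struct request *req) { (void)req; return 200; }

/* Dispatch as described: find the matching entry, enforce its auth flag,
 * call its handler. Returns an HTTP status code. */
int dispatch(const struct mime_handler *table, size_t n, const struct request *req) {
    for (size_t i = 0; i < n; i++) {
        if (strcmp(table[i].pattern, req->uri) != 0) continue;
        if (table[i].auth == AUTH_REQUIRED && !req->authenticated) return 401;
        return table[i].fn(req);
    }
    return 404;
}

/* Vulnerable table: commit2.cgi is reachable without authentication. */
const struct mime_handler vulnerable_handlers[] = {
    { "/status.cgi",  UNAUTHENTICATED, status_cgi },
    { "/commit2.cgi", UNAUTHENTICATED, commit2_cgi },
};

/* Corrected table: a URI that writes configuration requires a session. */
const struct mime_handler fixed_handlers[] = {
    { "/status.cgi",  UNAUTHENTICATED, status_cgi },
    { "/commit2.cgi", AUTH_REQUIRED,   commit2_cgi },
};

/* Replay the unauthenticated ADMIN_PASSWORD POST against a table and return
 * the status; check nvram_get("ADMIN_PASSWORD") afterwards. */
int run_attack(const struct mime_handler *table, size_t n) {
    struct request req = { "/commit2.cgi", "ADMIN_PASSWORD=pwned", 0 };
    nvram_reset();
    return dispatch(table, n, &req);
}

int main(void) {
    int s = run_attack(vulnerable_handlers, HANDLER_COUNT(vulnerable_handlers));
    printf("vulnerable table: HTTP %d, ADMIN_PASSWORD is now \"%s\"\n", s, nvram_get("ADMIN_PASSWORD"));
    s = run_attack(fixed_handlers, HANDLER_COUNT(fixed_handlers));
    printf("fixed table:      HTTP %d, ADMIN_PASSWORD is still \"%s\"\n", s, nvram_get("ADMIN_PASSWORD"));
    return 0;
}
```

The point of the two tables is that the handler code itself is identical: the whole bypass comes down to one enumeration value in a static table, which is exactly what made it easy to spot once the mime_handlers entries were laid out in IDA Pro. When auditing similar plugin-based firmware web servers, enumerating every entry flagged UNAUTHENTICATED and checking whether its handler writes configuration is the quickest check.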