myhack58 · 佚名 (anonymous) · MYHACK58:62201890050
Apr 24, 2018 - 12:00 a.m.

Learning router vulnerability analysis through CVE-2017-17215: from falling into the pit to giving up - Vulnerability Warning - 黑吧安全网 (www.myhack58.com)


8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

6.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

0.956 High

EPSS

Percentile

99.2%

  1. Basic information:
    On 2017/11/27, Check Point Software Technologies reported a remote command execution vulnerability (CVE-2017-17215) in the Huawei HG532 product; an upgraded variant of Mirai was already exploiting it. It looks like a very simple vulnerability, but as the saying goes, what you learn from books is always shallow, and you only truly understand a thing by doing it: reproducing and analysing it ran into a lot of pitfalls, so this post records the detailed steps.
    Huawei has published a vulnerability advisory, and the firmware has been upgraded to HG532eV100R001C02B017_upgrade_main.bin. On a forum I found a member who had the vulnerable version, HG532eV100R001C02B015_upgrade_main.bin.
    The analysis environment is Ubuntu 16.04.
    First extract the firmware with binwalk:
    ![](/Article/UploadPic/2018-4/2018424182834198.png?www.myhack58.com)
    According to Check Point's report, the vulnerable component is the UPnP service. Running the file command on it shows that the upnp binary should run on a MIPS 32-bit big-endian system:
    ![](/Article/UploadPic/2018-4/2018424182834404.png?www.myhack58.com)
  2. Configure the reproduction environment:
    Install qemu:
    sudo apt-get install qemu
    sudo apt-get install qemu-user-static
    sudo apt-get install qemu-system
    Install the network configuration tools:
    apt-get install bridge-utils uml-utilities
    Modify the Ubuntu host's network configuration: edit the host's network interface configuration file /etc/network/interfaces to the following:
    ![](/Article/UploadPic/2018-4/2018424182834262.png?www.myhack58.com)
    Create the QEMU network interface start-up script /etc/qemu-ifup and save it with the following content:
    ![](/Article/UploadPic/2018-4/2018424182834110.png?www.myhack58.com)
    Give /etc/qemu-ifup execute permission:
    sudo chmod a+x /etc/qemu-ifup
    Restart networking so that all of the configuration takes effect:
    sudo /etc/init.d/networking restart
    Bring down the physical interface (ens33 in the text, eth0 in the command; use whatever name your host's NIC has) and start the bridge br0:
    sudo ifdown eth0
    sudo ifup br0
    Download the matching Debian MIPS QEMU image from https://people.debian.org/~aurel32/qemu/mips/
    ![](/Article/UploadPic/2018-4/2018424182834955.png?www.myhack58.com)
    Other posts give various other download addresses for QEMU images; I tried several and none of them worked well, all sorts of pitfalls.
    I downloaded debian_squeeze_mips_standard.qcow2 and vmlinux-2.6.32-5-4kc-malta.
    Start qemu with the image just downloaded:
    sudo qemu-system-mips -M malta -kernel vmlinux-2.6.32-5-4kc-malta -hda debian_squeeze_mips_standard.qcow2 -append "root=/dev/sda1 console=tty0" -net nic,macaddr=00:16:3e:00:00:01 -net tap
    If all goes well you will see a QEMU virtual machine; log in with root/root:
    ![](/Article/UploadPic/2018-4/2018424182834429.png?www.myhack58.com)
    The network does not work at first; ifconfig -a shows that the network interface is eth1:
    ![](/Article/UploadPic/2018-4/2018424182834106.png?www.myhack58.com)
    Use nano /etc/network/interfaces to change eth0 to eth1:
    ![](/Article/UploadPic/2018-4/2018424182834875.png?www.myhack58.com)
    Then run ifup eth1 to bring eth1 up; with a bit of luck the network now works.
    Operating the virtual machine directly is clearly cumbersome, so connect from Ubuntu over SSH instead: ssh root@<VM IP>
    Copy the firmware extracted earlier into the virtual machine:
    scp -r ./squashfs-root root@<VM IP>:/root/
    This completes building the environment in which the router firmware runs.
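    The two host-side files in this section survive only as screenshots. As an added example (not the article's own files), here they are reconstructed from the standard bridge-utils/QEMU bridged-networking recipe, together with the launch command with its spacing restored; it assumes the host NIC is eth0 and the bridge is br0, and writes to whatever paths you pass in rather than touching /etc directly.

```shell
#!/bin/sh
# Added example, not the article's own files: reconstructions of the host
# /etc/network/interfaces and /etc/qemu-ifup the article shows as screenshots,
# plus the QEMU launch line. Assumptions: host NIC eth0, bridge br0.

# /etc/network/interfaces: the host address moves onto bridge br0 over eth0.
write_interfaces() {   # $1 = destination path
    cat > "$1" <<'EOF'
auto lo
iface lo inet loopback

# the physical NIC carries no address of its own; it is only a bridge port
auto eth0
iface eth0 inet manual

# br0 takes the host's address via DHCP and bridges eth0 with the QEMU tap
auto br0
iface br0 inet dhcp
    bridge_ports eth0
    bridge_stp off
    bridge_fd 0
EOF
}

# /etc/qemu-ifup: QEMU runs this with the new tap device name when "-net tap" is used.
write_qemu_ifup() {    # $1 = destination path
    cat > "$1" <<'EOF'
#!/bin/sh
# $1 is the tap interface QEMU just created; attach it to the bridge
echo "Bringing up $1 for bridged mode..."
/sbin/ifconfig "$1" 0.0.0.0 promisc up
/sbin/brctl addif br0 "$1"
sleep 2
EOF
    chmod a+x "$1"
}

# The article's launch line with one argument per option (the extracted text had
# the spaces stripped). Prints the command so it can be inspected before running.
qemu_cmd() {   # $1 = kernel image, $2 = disk image
    printf '%s' "qemu-system-mips -M malta -kernel $1 -hda $2" \
        " -append \"root=/dev/sda1 console=tty0\"" \
        " -net nic,macaddr=00:16:3e:00:00:01 -net tap"
    echo
}
```

    Run the printed command with sudo (or as root) so QEMU may open the tap device and call /etc/qemu-ifup.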
  3. Reproduce the vulnerability:
    The first problem is how to get the vulnerable service started; we also don't yet know which file handles the requests arriving on port 80, so first look at the payload in Check Point's report:
    ![](/Article/UploadPic/2018-4/2018424182834690.png?www.myhack58.com)
    Searching the firmware folder for ctrlt and DeviceUpgrade_1 finds no file name containing either word, so search the file contents for the two words instead:
    ![](/Article/UploadPic/2018-4/2018424182835609.png?www.myhack58.com)
    That locates the file in the firmware. Trying to execute the upnp file directly gives an error: the corresponding .so libraries are missing.
    ![](/Article/UploadPic/2018-4/2018424182835500.png?www.myhack58.com)
    chroot /root/squashfs-root /bin/sh switches the root directory to the router file system, and now it executes successfully:
    ![](/Article/UploadPic/2018-4/2018424182835431.png?www.myhack58.com)
    But sending the request still fails; the listening service has probably not been started.
    So next look for port 37215:
    ![](/Article/UploadPic/2018-4/2018424182835115.png?www.myhack58.com)
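    To make the triage steps above checkable, here is an added example (not the article's code) with two helpers: one reads the ELF header to confirm the MIPS 32-bit big-endian finding without relying on the file command, the other greps an extracted rootfs for the payload keywords ctrlt and DeviceUpgrade_1 to locate the binary that serves them. The rootfs path is an assumption, and the sample file it is tested on is constructed.

```shell
#!/bin/sh
# Added example, not from the article. elf_arch() decodes class, endianness and
# machine from an ELF header; find_handlers() lists files under an extracted
# squashfs root whose contents mention the given keywords. Only the keywords
# (ctrlt, DeviceUpgrade_1) and the squashfs-root layout come from the article.

elf_arch() {   # $1 = ELF file; prints e.g. "ELF32 big-endian MIPS"
    # first 20 bytes as hex words $1..$20: e_ident[16], e_type[2], e_machine[2]
    set -- $(od -An -tx1 -N20 -v "$1")
    [ "$1$2$3$4" = "7f454c46" ] || { echo "not an ELF file"; return 1; }
    case $5 in 01) cls=ELF32 ;; 02) cls=ELF64 ;; *) cls="ELF?" ;; esac
    case $6 in 01) end=little-endian ;; 02) end=big-endian ;; *) end="?-endian" ;; esac
    # e_machine is stored in the byte order that EI_DATA announces
    if [ "$6" = 02 ]; then mach="${19}${20}"; else mach="${20}${19}"; fi
    case $mach in
        0008) m=MIPS ;; 0028) m=ARM ;; 0003) m=x86 ;; 003e) m=x86-64 ;;
        *) m="machine 0x$mach" ;;
    esac
    echo "$cls $end $m"
}

find_handlers() {   # $1 = extracted rootfs; remaining args = keywords to look for
    root=$1; shift
    for kw in "$@"; do
        # -a treats binaries as text so strings embedded in ELF files match too
        grep -rla -- "$kw" "$root" 2>/dev/null
    done | sort -u
}
```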

