Huawei HG8245H router “privilege escalation”…Part I

This is a prequel to this post here

Well, I got to play around with my router a few weeks ago. My router, a Huawei HG8245H version, is pretty decent for home use.

First things first, the login password is smack on the bottom of the router, as below.

[Image: routerpic]

Most routers have a well-known default password; in fact, there are multiple sites dedicated to documenting them. So I got curious to know what info I could get using these credentials.

A quick Google search says that the user root/admin is a normal user, with telecomadmin/admintelecom being the super user. Funny enough, I was unable to log in using the admintelecom/telecomadmin set of credentials. The superuser account gives a user access to other options, notably backing up configuration settings, editing and loading the router config file, etc.

An explanation I got as to why this is the case is that as soon as the router gets connected to the ISP WAN, it grabs its configuration from the ISP and this particular set of admin credentials don’t work. So how do we bypass this?

Proof of concept:

  1. Enter web interface (http://192.168.100.1) using root/admin credentials
  2. Reboot the router.
  3. Disconnect fibre cable as it restarts
  4. As it restarts, try to log in on http://192.168.100.1 as telecomadmin/admintelecom

Voila! You are in, as superadmin, with more options to tweak the router 😀

[Image: telecomadmin login]

  5. To elevate your normal user root to superadmin status, download the router config file from System Tools > Configuration File. This file, named “hw_ctree.xml”, is encrypted and appears as below:

[Image: encrypte]

Fortunately, we can decrypt the router config file using any AES decryption tool.

  6. Proceed to decrypt as below:

[Image: ddecrypt]

and here we have our plaintext config file:

[Image: interesting users]

For this post, our area of concern would be the part highlighted below:

[Image: 2more users]

Notice the different userlevels for the two users (root and telecomadmin), 0 and 1. Now we know userlevel 0 is superadministrator.

  7. Edit the root user line to userlevel 0. Save file and decrypt it

  8. Log in to our web interface, upload the new config file and restart router.

  9. Once restarted, log in as root/admin, and enjoy the new options available 🙂
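From the defender's side, the userlevel change made in steps 7 to 9 shows up when a current config export is compared against a known-good backup. The following audit is an added example, not code from the original post or from Huawei; the element and attribute names (`X_HW_WebUserInfoInstance`, `UserName`, `UserLevel`) and both sample exports are assumptions constructed for illustration, and the input is assumed to be already decrypted.

```python
import xml.etree.ElementTree as ET

SUPERADMIN_LEVEL = "0"  # per the post: userlevel 0 is the super administrator

# Constructed sample exports (already decrypted). Element and attribute names
# are assumptions; adjust them to match the real hw_ctree.xml.
BASELINE = """<Config>
  <X_HW_WebUserInfo>
    <X_HW_WebUserInfoInstance InstanceID="1" UserName="root" UserLevel="1"/>
    <X_HW_WebUserInfoInstance InstanceID="2" UserName="telecomadmin" UserLevel="0"/>
  </X_HW_WebUserInfo>
</Config>"""

# Same export after the edit described in step 7 (root moved to level 0).
CURRENT = BASELINE.replace('UserName="root" UserLevel="1"',
                           'UserName="root" UserLevel="0"')


def user_levels(xml_text):
    """Map each account name to its user level."""
    root = ET.fromstring(xml_text)
    return {
        el.get("UserName"): el.get("UserLevel")
        for el in root.iter()
        if el.get("UserName") is not None and el.get("UserLevel") is not None
    }


def audit(baseline_xml, current_xml):
    """Return findings for accounts whose privilege differs from baseline."""
    before, after = user_levels(baseline_xml), user_levels(current_xml)
    findings = []
    for name, level in sorted(after.items()):
        old = before.get(name)
        if old is None:
            kind = "new-superadmin" if level == SUPERADMIN_LEVEL else "new-account"
            findings.append((kind, name, old, level))
        elif old != level:
            kind = "escalated" if level == SUPERADMIN_LEVEL else "level-changed"
            findings.append((kind, name, old, level))
    for name in sorted(set(before) - set(after)):
        findings.append(("removed", name, before[name], None))
    return findings


if __name__ == "__main__":
    for finding in audit(BASELINE, CURRENT):
        print(finding)
```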

I called up Huawei to notify them of this and after a rather lengthy discussion they finally emailed me: “We will not track this issue as a vulnerability. If you still have some different option please never hesitate to contact us. Thanks again for your concern about the security problems of Huawei products. If you ever find any potential security issues in Huawei products in the future, we are looking forward to working with you again.”

I would, however, like to thank Huawei for the quick response and follow-up on their part. Many security researchers would, however, have wished that we would fix this issue, as we all know how attacks like DDoS are being propagated using default credentials in routers or other IoT devices.

Find Part II here
