SEC Consult SA-20140122-0 :: Critical vulnerabilities in T-Mobile HOME NET Router LTE (Huawei B593u-12)

2014-02-0300:00:00

vulners.com

JSON

SEC Consult Vulnerability Lab Security Advisory < 20140122-0 >

          title: Multiple critical vulnerabilities
        product: T-Mobile HOME NET Router LTE / Huawei B593u-12

vulnerable version: V100R001C54SP063 (T-Mobile Austria)
fixed version: V100R001C55SP102 (T-Mobile Austria)
impact: Critical
homepage: http://www.t-mobile.at | http://www.huawei.com
found: 2013-12-12
by: J. Greil
SEC Consult Vulnerability Lab
https://www.sec-consult.com

Business recommendation:

By exploiting the critical vulnerabilities, an "unauthenticated" (guest)
attacker can gain administrative access to the router and manipulate settings.

Furthermore attacks of the internal clients are possible via Internet,
depending on the network setup of the mobile operator or customer (if the
router is reachable on the Internet via changed APN settings).

It is highly recommended not to use this product until a thorough security
review has been performed by security professionals. As a partial workaround,
the product should not be accessible from the Internet. Limit access only to
trusted (local) users internally. The firmware update has to be installed in
order to fix the identified vulnerabilities.

It is assumed that further critical vulnerabilities exist, as only a very
short crash test has been performed.

Vulnerability overview/description:

1) Access to sensitive configuration with guest session

Attackers are able to login to the router interface with a password-less
"guest" session and can gain access to sensitive information such as
configuration settings: wireless passwords of all configured WLAN networks in
clear text, configured port mappings, DMZ hosts, attached network
devices/clients, etc.

Attackers with access to one SSID/WLAN network of the router are hence able to
access other wireless networks because passwords are stored in clear text.

It is also possible to exploit this issue over the Internet, depending on the
mobile operator / customer setup (changed APN settings). SEC Consult has
identified multiple routers via Google search that are reachable over the
Internet (no tests have been performed!).

2) Change arbitrary settings as guest

The guest user of the web interface is able to manipulate all settings of the
router via CGI scripts. It is even possible to change settings of the XML
configuration (curcfg.xml) on the device that is not accessible (even as
admin) within the web interface (no GUI).

3) OS command injection

The "ping" feature of the diagnostics page suffers from an OS command
injection vulnerability. Attackers are able to run arbitrary commands on the
device and gain access to sensitive information such as configuration files.
Furthermore internal clients can be attacked, there's even "tcpdump" available
on the router.

This vulnerability has already been mentioned on this blog, so credits go
here too
http://blog.asiantuntijakaveri.fi/2013/08/gaining-root-shell-on-huawei-b593-4g.html

4) USB management / FTP directory traversal

The router offers the feature to share USB drives via FTP. It is possible to
exploit directory traversal when specifying the home path of the shared folder
and gain access to the root filesystem with read/write rights.

Unauthenticated "guest" attackers are also able to gain access to the router
via FTP even when there is no USB drive connected.

This vulnerability has already been mentioned on this blog, so credits go
here too
http://blog.asiantuntijakaveri.fi/2013/08/gaining-root-shell-on-huawei-b593-4g.html

5) Cross site request forgery

An attacker can use Cross Site Request Forgery to perform arbitrary web
requests with the identity of the victim without being noticed by the victim.

It is possible to exploit the vulnerabilities mentioned in this advisory with
CSRF and therefore execute arbitrary OS commands on the router even when no
admin is actively logged in.

Proof of concept: