Multiple critical vulnerabilities in T-Mobile HOME NET Router LTE

SEC Consult Vulnerability Lab Security Advisory < 20140122-0 >

=======================================================================

title: Multiple critical vulnerabilities

product: T-Mobile HOME NET Router LTE / Huawei B593u-12

vulnerable version: V100R001C54SP063 (T-Mobile Austria)

fixed version: V100R001C55SP102 (T-Mobile Austria)

impact: Critical

homepage: www.t-mobile.at | www.huawei.com

found: 2013-12-12

by: J. Greil

SEC Consult Vulnerability Lab

www.sec-consult.com

=======================================================================

 

 

Business recommendation:

========================

By exploiting the critical vulnerabilities, an "unauthenticated" (guest)

attacker can gain administrative access to the router and manipulate settings.

 

Furthermore, attacks on the internal clients are possible via the Internet,

depending on the network setup of the mobile operator or customer (if the

router is reachable on the Internet via changed APN settings).

 

 

It is highly recommended not to use this product until a thorough security

review has been performed by security professionals. As a partial workaround,

the product should not be accessible from the Internet. Limit access only to

trusted (local) users internally. The firmware update has to be installed in

order to fix the identified vulnerabilities.

 

It is assumed that further critical vulnerabilities exist, as only a very

short crash test has been performed.

 

 

Vulnerability overview/description:

===================================

1) Access to sensitive configuration with guest session

-------------------------------------------------------

Attackers are able to log in to the router interface with a password-less

"guest" session and can gain access to sensitive information such as

configuration settings: wireless passwords of all configured WLAN networks in

clear text, configured port mappings, DMZ hosts, attached network

devices/clients, etc.

 

Attackers with access to one SSID/WLAN network of the router are hence able to

access other wireless networks because passwords are stored in clear text.

 

It is also possible to exploit this issue over the Internet, depending on the

mobile operator / customer setup (changed APN settings). SEC Consult has

identified multiple routers via Google search that are reachable over the

Internet (no tests have been performed!).

 

 

 

2) Change arbitrary settings as guest

-------------------------------------

The guest user of the web interface is able to manipulate all settings of the

router via CGI scripts. It is even possible to change settings in the XML

configuration (curcfg.xml) on the device that are not accessible (even as

admin) within the web interface (no GUI).

 

 

 

3) OS command injection

-----------------------

The "ping" feature of the diagnostics page suffers from an OS command

injection vulnerability. Attackers are able to run arbitrary commands on the

device and gain access to sensitive information such as configuration files.

Furthermore, internal clients can be attacked; there is even "tcpdump" available

on the router.
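As an added defender-side illustration (not code from the advisory or from the router firmware), the pattern behind this bug class is shown beside a hardened ping handler: the target is validated as an IP literal or RFC 1123 hostname, then ping is invoked through an argv list with no shell. The ping options and the count limit are assumptions, not taken from the device.

```python
import ipaddress
import re
import subprocess

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}\.?$")


def vulnerable_command(target: str) -> str:
    """The pattern behind this bug class: user input pasted into a shell
    command line. Returned, not executed, so a test can show what the
    shell would see."""
    return "ping -c 4 " + target


def validate_target(target: str) -> bool:
    """Accept only a literal IPv4/IPv6 address or an RFC 1123 hostname.
    Shell metacharacters, whitespace, quotes and a leading '-' can never
    pass, so there is nothing left to escape later."""
    if not target or len(target) > 253:
        return False
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    return _HOSTNAME_RE.fullmatch(target) is not None


def build_ping_argv(target: str, count: int = 4) -> list:
    """Build the ping command as an argv list; raise on invalid input.
    The count bound (assumed here) keeps the diagnostic from being abused
    as a traffic generator."""
    if not validate_target(target):
        raise ValueError("invalid ping target")
    if not 1 <= count <= 10:
        raise ValueError("count out of range")
    return ["ping", "-c", str(count), target]


def run_ping(target: str, count: int = 4) -> str:
    """Run the diagnostic without a shell: argv list, shell=False, timeout.
    Each argv element reaches ping as one argument, whatever it contains."""
    proc = subprocess.run(build_ping_argv(target, count), shell=False,
                          capture_output=True, text=True, timeout=30)
    return proc.stdout
```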

 

This vulnerability has already been mentioned on this blog, so credits go

here too ;)

blog.asiantuntijakaveri.fi/2013/08/gaining-root-shell-on-huawei-b593-4g.html

 

 

 

4) USB management / FTP directory traversal

-------------------------------------------

The router offers the feature to share USB drives via FTP. It is possible to

exploit directory traversal when specifying the home path of the shared folder

and gain access to the root filesystem with read/write rights.

 

Unauthenticated "guest" attackers are also able to gain access to the router

via FTP even when there is no USB drive connected.
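An added example for the share-path check (not from the advisory or the firmware): the configured FTP home directory is normalised against an assumed USB mount point and rejected if it resolves outside it, so neither ".." segments nor absolute paths reach the root filesystem.

```python
import posixpath

# Constructed mount point of the shared USB drive (an assumption).
USB_ROOT = "/mnt/usb"


def resolve_share_path(requested: str, root: str = USB_ROOT) -> str:
    """Map a user-supplied share home directory onto the USB mount point.

    The value is treated as relative to the mount point, normalised, and then
    checked to still lie under it. Rejection is by where the path ends up,
    not by blacklisting characters. Raises ValueError on rejection.
    """
    if not requested or "\x00" in requested:
        raise ValueError("empty or malformed path")
    if posixpath.isabs(requested):
        raise ValueError("absolute paths are not permitted")
    candidate = posixpath.normpath(posixpath.join(root, requested))
    # commonpath compares whole components, so "/mnt/usb-other" is not
    # mistaken for a child of "/mnt/usb" the way a string-prefix test would.
    if posixpath.commonpath([root, candidate]) != root:
        raise ValueError("path escapes the USB share root")
    # On the device itself, also resolve symlinks (os.path.realpath) and
    # re-check, since a link under the mount could still point outside it.
    return candidate
```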

 

This vulnerability has already been mentioned on this blog, so credits go

here too ;)

blog.asiantuntijakaveri.fi/2013/08/gaining-root-shell-on-huawei-b593-4g.html

 

 

 

5) Cross site request forgery

-----------------------------

An attacker can use Cross Site Request Forgery to perform arbitrary web

requests with the identity of the victim without being noticed by the victim.

 

It is possible to exploit the vulnerabilities mentioned in this advisory with

CSRF and therefore execute arbitrary OS commands on the router even when no

admin is actively logged in.
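An added example (not the advisory's or the vendor's code) covering both the guest-reachable settings CGIs of issues 1 and 2 and the missing CSRF protection of issue 5: a request gate that enforces a minimum role per endpoint, accepts state changes only via POST, checks the Origin header and verifies a per-session token in constant time. Endpoint names, roles and the device origin are constructed assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Origin of the router's own web interface (constructed for this example).
DEVICE_ORIGIN = "http://192.168.1.1"

ROLE_RANK = {"guest": 0, "admin": 1}

# Constructed CGI endpoint table: minimum role and whether the call changes
# state. Anything that reveals or alters configuration is admin-only, so a
# password-less guest session cannot reach it at all.
ENDPOINTS = {
    "status":        ("guest", False),
    "wlan_settings": ("admin", False),   # returns WLAN keys: never to guest
    "set_wlan":      ("admin", True),
    "set_config":    ("admin", True),    # raw configuration changes
    "diag_ping":     ("admin", True),
}


@dataclass
class Session:
    role: str
    # Per-session anti-CSRF token, issued once and embedded in the UI's forms.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


def authorize_request(session: Session, endpoint: str, method: str,
                      token: Optional[str], origin: Optional[str]) -> Tuple[bool, str]:
    """Decide whether a CGI request may proceed; returns (allowed, reason)."""
    spec = ENDPOINTS.get(endpoint)
    if spec is None:
        return False, "unknown endpoint"
    min_role, changes_state = spec
    if ROLE_RANK.get(session.role, -1) < ROLE_RANK[min_role]:
        return False, "insufficient role"
    if changes_state:
        # State changes only via POST, so a plain link or image cannot fire them.
        if method != "POST":
            return False, "state change requires POST"
        # Browsers send Origin on cross-site POSTs; a foreign origin is rejected.
        if origin is not None and origin != DEVICE_ORIGIN:
            return False, "cross-origin request"
        # The token must match this session's own, compared in constant time.
        if token is None or not hmac.compare_digest(
                token.encode(), session.csrf_token.encode()):
            return False, "missing or invalid CSRF token"
    return True, "ok"
```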

 

 

 

 

Proof of concept:

=================

1) Access to sensitive configuration with guest session

-------------------------------------------------------

Detailed proof of concept has been removed for this advisory.

 

 

2) Change arbitrary settings as guest

-------------------------------------

Guest users are able to change arbitrary settings via built-in CGI commands.

It is even possible to change settings that are not visible in the web

interface even as administrator.

 

Detailed proof of concept has been removed for this advisory.

 

 

3) OS command injection

-----------------------

The affected CGI script suffers from OS command injection and can also be

exploited as guest user without password!

 

Detailed proof of concept has been removed for this advisory.

 

 

4) USB management / FTP directory traversal

-------------------------------------------

Detailed proof of concept has been removed for this advisory.

 

 

5) Cross site request forgery

-----------------------------

As no token or other measures against CSRF are in place, it can be exploited

via standard methods over the Internet. It is possible to log in as guest user

remotely, receive the session cookie and then exploit the command execution

flaw.

 

No local user has to be actively logged in for that attack scenario!

 

Detailed proof of concept has been removed for this advisory.

 

 

 

Vulnerable / tested versions:

=============================

All vulnerabilities have been confirmed on the following device:

 

* T-Mobile Austria HOME NET Router (Huawei LTE B593u-12)

 

Latest firmware available (as of 12th December 2013): V100R001C54SP063

Downloaded from: www.t-mobile.at/info-und-support/dlc/DLC.php

 

 

It is assumed that different variants of this router from other Internet

service providers are affected too, depending on their firmware versions.

The router is being offered by many telecom operators world-wide and has a

large userbase.

 

 

Vendor contact timeline:

========================

2013-12-12: Contacting T-Mobile Austria via contacts from CERT.at

2013-12-13: Sending encrypted security advisory to T-Mobile Austria and Huawei PSIRT

2013-12-19: T-Mobile confirms vulnerabilities and plans rollout of new firmware for January 2014 and gives recommendations for customers (see solution)

2014-01-08: Asking T-Mobile Austria for status update

2014-01-08: T-Mobile: New firmware rollout is already in progress, informing CERT.at about status

2014-01-22: Coordinated release of security advisory without proof of concept

 

 

 

Solution:

=========

According to T-Mobile Austria, users will receive a notification of the new

firmware release; T-Mobile urges all customers to upgrade the firmware.

 

The firmware can also be installed manually:

www.t-mobile.at/info-und-support/dlc/DLC.php

 

Fixed firmware version: V100R001C55SP102

Direct download: download.t-mobile.at/a/dlc/V100R001C55SP102.tar.bz2

 

 

Vendor information (German):

blog.t-mobile.at/2014/01/22/software-updates-zu-verhinderung-von-sicherheitsluecken/

 

 

Workaround:

===========

As a partial workaround, the product should not be configured to be accessible

from the Internet. Limit access only to trusted (local) users internally.

 

 

Advisory URL:

=============

www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

 

SEC Consult

Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

 

Headquarter:

Mooslackengasse 17, 1190 Vienna, Austria

Phone: +43 1 8903043 0

Fax: +43 1 8903043 15

 

Mail: research at sec-consult dot com

Web: www.sec-consult.com

Blog: blog.sec-consult.com

Twitter: twitter.com/sec_consult

 

Interested in working with the experts of SEC Consult?

Write to career@sec-consult.com

 

EOF J. Greil / @2014