SEC Consult Vulnerability Lab Security Advisory < 20140122-0 >
=======================================================================
title: Multiple critical vulnerabilities
product: T-Mobile HOME NET Router LTE / Huawei B593u-12
vulnerable version: V100R001C54SP063 (T-Mobile Austria)
fixed version: V100R001C55SP102 (T-Mobile Austria)
impact: Critical
homepage: www.t-mobile.at | www.huawei.com
found: 2013-12-12
by: J. Greil
SEC Consult Vulnerability Lab
=======================================================================
Business recommendation:
========================
By exploiting the critical vulnerabilities, an "unauthenticated" (guest)
attacker can gain administrative access to the router and manipulate settings.
Furthermore attacks of the internal clients are possible via Internet,
depending on the network setup of the mobile operator or customer (if the
router is reachable on the Internet via changed APN settings).
It is highly recommended not to use this product until a thorough security
review has been performed by security professionals. As a partial workaround,
the product should not be accessible from the Internet. Limit access only to
trusted (local) users internally. The firmware update has to be installed in
order to fix the identified vulnerabilities.
It is assumed that further critical vulnerabilities exist, as only a very
short crash test has been performed.
Vulnerability overview/description:
===================================
1) Access to sensitive configuration with guest session
-------------------------------------------------------
Attackers are able to login to the router interface with a password-less
"guest" session and can gain access to sensitive information such as
configuration settings: wireless passwords of all configured WLAN networks in
clear text, configured port mappings, DMZ hosts, attached network
devices/clients, etc.
Attackers with access to one SSID/WLAN network of the router are hence able to
access other wireless networks because passwords are stored in clear text.
It is also possible to exploit this issue over the Internet, depending on the
mobile operator / customer setup (changed APN settings). SEC Consult has
identified multiple routers via Google search that are reachable over the
Internet (no tests have been performed!).
2) Change arbitrary settings as guest
-------------------------------------
The guest user of the web interface is able to manipulate all settings of the
router via CGI scripts. It is even possible to change settings of the XML
configuration (curcfg.xml) on the device that is not accessible (even as
admin) within the web interface (no GUI).
3) OS command injection
-----------------------
The "ping" feature of the diagnostics page suffers from an OS command
injection vulnerability. Attackers are able to run arbitrary commands on the
device and gain access to sensitive information such as configuration files.
Furthermore internal clients can be attacked, there's even "tcpdump" available
on the router.
This vulnerability has already been mentioned on this blog, so credits go
here too ;)
blog.asiantuntijakaveri.fi/2013/08/gaining-root-shell-on-huawei-b593-4g.html
4) USB management / FTP directory traversal
-------------------------------------------
The router offers the feature to share USB drives via FTP. It is possible to
exploit directory traversal when specifying the home path of the shared folder
and gain access to the root filesystem with read/write rights.
Unauthenticated "guest" attackers are also able to gain access to the router
via FTP even when there is no USB drive connected.
This vulnerability has already been mentioned on this blog, so credits go
here too ;)
blog.asiantuntijakaveri.fi/2013/08/gaining-root-shell-on-huawei-b593-4g.html
5) Cross site request forgery
-----------------------------
An attacker can use Cross Site Request Forgery to perform arbitrary web
requests with the identity of the victim without being noticed by the victim.
It is possible to exploit the vulnerabilities mentioned in this advisory with
CSRF and therefore execute arbitrary OS commands on the router even when no
admin is actively logged in.
Proof of concept:
=================
1) Access to sensitive configuration with guest session
-------------------------------------------------------
Detailed proof of concept has been removed for this advisory.
2) Change arbitrary settings as guest
-------------------------------------
Guest users are able to change arbitrary settings via built-in CGI commands.
It is even possible to change settings that are not visible in the web
interface even as administrator.
Detailed proof of concept has been removed for this advisory.
3) OS command injection
-----------------------
The following CGI script suffers from OS command injection and can also be
exploited as guest user without password!
Detailed proof of concept has been removed for this advisory.
4) USB management / FTP directory traversal
-------------------------------------------
Detailed proof of concept has been removed for this advisory.
5) Cross site request forgery
-----------------------------
As no token or other measures against CSRF are in place, it can be exploited
via standard methods other the Internet. It is possible to login as guest user
remotely, receive the session cookie and then exploit the command execution
flaw.
No local user has to be actively logged in for that attack scenario!
Detailed proof of concept has been removed for this advisory.
Vulnerable / tested versions:
=============================
All vulnerabilities have been confirmed in the following device:
* T-Mobile Austria HOME NET Router (Huawei LTE B593u-12)
Latest firmware available (as of 12th December 2013): V100R001C54SP063
Downloaded from: www.t-mobile.at/info-und-support/dlc/DLC.php
It is assumed that different variants of this router from other Internet
service providers are affected too, depending on their firmware versions.
The router is being offered by many telecom operators world-wide and has a
large userbase.
Vendor contact timeline:
========================
2013-12-12: Contacting T-Mobile Austria via contacts from CERT.at
2013-12-13: Sending encrypted security advisory to T-Mobile Austria and Huawei
PSIRT
2013-12-19: T-Mobile confirms vulnerabilities and plans rollout of new
firmware for January 2014 and gives recommendations for customers
(see solution)
2014-01-08: Asking T-Mobile Austria for status update
2014-01-08: T-Mobile: New firmware rollout is already in progress, informing
CERT.at about status
2014-01-22: Coordinated release of security advisory without proof of concept
Solution:
=========
According to T-Mobile Austria, users will get a notification for the new
firmware release and urges all customers to upgrade the firmware.
The firmware can also be installed manually:
www.t-mobile.at/info-und-support/dlc/DLC.php
Fixed firmware version: V100R001C55SP102
Direct download: download.t-mobile.at/a/dlc/V100R001C55SP102.tar.bz2
Vendor information (German):
blog.t-mobile.at/2014/01/22/software-updates-zu-verhinderung-von-sicherheitsluecken/
Workaround:
===========
As a partial workaround, the product should not be configured to be accessible
from the Internet. Limit access only to trusted (local) users internally.
Advisory URL:
=============
www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius
Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15
Mail: research at sec-consult dot com
Web: www.sec-consult.com
Blog: blog.sec-consult.com
Twitter: twitter.com/sec_consult
Interested in working with the experts of SEC Consult?
Write to career@sec-consult.com
EOF J. Greil / @2014