SEC Consult Vulnerability Lab Security Advisory < 20140122-0 >
=======================================================================
              title: Multiple critical vulnerabilities
            product: T-Mobile HOME NET Router LTE / Huawei B593u-12
 vulnerable version: V100R001C54SP063 (T-Mobile Austria)
      fixed version: V100R001C55SP102 (T-Mobile Austria)
             impact: Critical
           homepage: http://www.t-mobile.at | http://www.huawei.com
              found: 2013-12-12
                 by: J. Greil
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com
=======================================================================

Business recommendation:
========================
By exploiting the critical vulnerabilities, an "unauthenticated" (guest)
attacker can gain administrative access to the router and manipulate
settings. Furthermore, attacks on the internal clients are possible via
the Internet, depending on the network setup of the mobile operator or
customer (if the router is reachable on the Internet via changed APN
settings).

It is highly recommended not to use this product until a thorough security
review has been performed by security professionals. As a partial
workaround, the product should not be accessible from the Internet. Limit
access only to trusted (local) users internally. The firmware update has
to be installed in order to fix the identified vulnerabilities.

It is assumed that further critical vulnerabilities exist, as only a very
short crash test has been performed.

Vulnerability overview/description:
===================================
1) Access to sensitive configuration with guest session
-------------------------------------------------------
Attackers are able to log in to the router interface with a password-less
"guest" session and can gain access to sensitive information such as
configuration settings: wireless passwords of all configured WLAN networks
in clear text, configured port mappings, DMZ hosts, attached network
devices/clients, etc.
Attackers with access to one SSID/WLAN network of the router are hence
able to access other wireless networks because passwords are stored in
clear text. It is also possible to exploit this issue over the Internet,
depending on the mobile operator / customer setup (changed APN settings).
SEC Consult has identified multiple routers via Google search that are
reachable over the Internet (no tests have been performed!).

2) Change arbitrary settings as guest
-------------------------------------
The guest user of the web interface is able to manipulate all settings of
the router via CGI scripts. It is even possible to change settings of the
XML configuration (curcfg.xml) on the device that are not accessible (even
as admin) within the web interface (no GUI).

3) OS command injection
-----------------------
The "ping" feature of the diagnostics page suffers from an OS command
injection vulnerability. Attackers are able to run arbitrary commands on
the device and gain access to sensitive information such as configuration
files. Furthermore, internal clients can be attacked; "tcpdump" is even
available on the router.

This vulnerability has already been mentioned on this blog, so credits go
here too ;)
http://blog.asiantuntijakaveri.fi/2013/08/gaining-root-shell-on-huawei-b593-4g.html

4) USB management / FTP directory traversal
-------------------------------------------
The router offers the feature to share USB drives via FTP. It is possible
to exploit directory traversal when specifying the home path of the shared
folder and gain access to the root filesystem with read/write rights.
Unauthenticated "guest" attackers are also able to gain access to the
router via FTP even when there is no USB drive connected.
This vulnerability has already been mentioned on this blog, so credits go
here too ;)
http://blog.asiantuntijakaveri.fi/2013/08/gaining-root-shell-on-huawei-b593-4g.html

5) Cross site request forgery
-----------------------------
An attacker can use Cross Site Request Forgery to perform arbitrary web
requests with the identity of the victim without being noticed by the
victim. It is possible to exploit the vulnerabilities mentioned in this
advisory with CSRF and therefore execute arbitrary OS commands on the
router even when no admin is actively logged in.

Proof of concept:
=================
1) Access to sensitive configuration with guest session
-------------------------------------------------------
Detailed proof of concept has been removed for this advisory.

2) Change arbitrary settings as guest
-------------------------------------
Guest users are able to change arbitrary settings via built-in CGI
commands. It is even possible to change settings that are not visible in
the web interface even as administrator.
Detailed proof of concept has been removed for this advisory.

3) OS command injection
-----------------------
The following CGI script suffers from OS command injection and can also be
exploited as guest user without a password!
Detailed proof of concept has been removed for this advisory.

4) USB management / FTP directory traversal
-------------------------------------------
Detailed proof of concept has been removed for this advisory.

5) Cross site request forgery
-----------------------------
As no token or other measures against CSRF are in place, it can be
exploited via standard methods over the Internet. It is possible to log in
as guest user remotely, receive the session cookie and then exploit the
command execution flaw. No local user has to be actively logged in for
that attack scenario!
Detailed proof of concept has been removed for this advisory.
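For readers maintaining similar CGI code, the following is an added example (not from the advisory, the vendor firmware, or the cited blog) of how a diagnostics "ping" handler avoids the command injection class described under item 3: an allow-list on the target string plus execution through an argv array, so no shell ever parses user input. The function names, the `ping -c 3` invocation and the length limit are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical hardened "ping" diagnostics handler (added example, not the
 * router's code). Two independent defences: a strict allow-list on the
 * target string, and execution through an argv array so no shell ever
 * parses user input. Either one alone blocks the injection class. */

#define MAX_TARGET 253  /* longest legal DNS name */

/* Returns 1 if target is built only from [A-Za-z0-9.-], does not start
 * with '-', and has a sane length; 0 otherwise. Shell metacharacters
 * (; | & ` $ ( ) newline, quotes, whitespace) can never pass. */
int ping_target_is_safe(const char *target)
{
    size_t n = strlen(target);
    if (n == 0 || n > MAX_TARGET) return 0;
    if (target[0] == '-') return 0;       /* would be parsed as a ping option */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)target[i];
        if (!isalnum(c) && c != '.' && c != '-') return 0;
    }
    return 1;
}

/* Runs "ping -c 3 <target>" via fork/execvp; returns ping's exit status,
 * or -1 if the target was rejected or the process could not be started. */
int run_ping(const char *target)
{
    if (!ping_target_is_safe(target)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const args[] = { "ping", "-c", "3", (char *)target, NULL };
        execvp("ping", args);             /* only reached if exec fails */
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s <host>\n", argv[0]); return 2; }
    int rc = run_ping(argv[1]);
    printf("ping result: %d\n", rc);
    return rc < 0 ? 1 : 0;
}
```

The allow-list rejects anything a shell could interpret, and even if the validator were bypassed, execvp passes the string as a single argument rather than a command line.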
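For item 4, an added example (again not the router's code) of the check a USB-share service needs before accepting a user-supplied "home path": the request is resolved lexically beneath the assumed mount point `/mnt/usb` and rejected if any `..` would climb above it. The root path, function name and segment limit are assumptions of this example; symlinks are not followed, so a real service would additionally realpath() the result or mount the volume without symlink following.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical confinement check for the FTP share "home path" (added
 * example, not the router's code). The USB volume is assumed to be
 * mounted at SHARE_ROOT; the request is resolved lexically and rejected
 * if it would climb above that root. Symlinks are not resolved here. */

#define SHARE_ROOT "/mnt/usb"
#define MAX_SEGS 64

/* Returns 1 and writes the confined absolute path to out, or 0 if the
 * request escapes root, has too many components, or does not fit. */
int confine_share_path(const char *root, const char *req, char *out, size_t outlen)
{
    const char *segs[MAX_SEGS]; size_t lens[MAX_SEGS]; int depth = 0;
    const char *p = req;
    while (*p) {
        while (*p == '/') p++;                       /* skip slashes, incl. leading */
        if (!*p) break;
        const char *start = p;
        while (*p && *p != '/') p++;
        size_t len = (size_t)(p - start);
        if (len == 1 && start[0] == '.') continue;  /* "." is a no-op */
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0) return 0;                /* ".." above root: reject */
            depth--; continue;
        }
        if (depth == MAX_SEGS) return 0;
        segs[depth] = start; lens[depth] = len; depth++;
    }
    size_t used = strlen(root);
    if (used >= outlen) return 0;
    memcpy(out, root, used);
    for (int i = 0; i < depth; i++) {
        if (used + 1 + lens[i] >= outlen) return 0;
        out[used++] = '/';
        memcpy(out + used, segs[i], lens[i]); used += lens[i];
    }
    out[used] = '\0';
    return 1;
}

int main(int argc, char **argv)
{
    char path[512];
    const char *req = argc > 1 ? argv[1] : "docs/../pics";
    if (!confine_share_path(SHARE_ROOT, req, path, sizeof path)) { puts("rejected"); return 1; }
    printf("share home: %s\n", path);
    return 0;
}
```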
Vulnerable / tested versions:
=============================
All vulnerabilities have been confirmed in the following device:

* T-Mobile Austria HOME NET Router (Huawei LTE B593u-12)
  Latest firmware available (as of 12th December 2013): V100R001C54SP063
  Downloaded from: http://www.t-mobile.at/info-und-support/dlc/DLC.php

It is assumed that different variants of this router from other Internet
service providers are affected too, depending on their firmware versions.
The router is being offered by many telecom operators world-wide and has
a large userbase.

Vendor contact timeline:
========================
2013-12-12: Contacting T-Mobile Austria via contacts from CERT.at
2013-12-13: Sending encrypted security advisory to T-Mobile Austria and
            Huawei PSIRT
2013-12-19: T-Mobile confirms vulnerabilities and plans rollout of new
            firmware for January 2014 and gives recommendations for
            customers (see solution)
2014-01-08: Asking T-Mobile Austria for status update
2014-01-08: T-Mobile: New firmware rollout is already in progress,
            informing CERT.at about status
2014-01-22: Coordinated release of security advisory without proof of
            concept

Solution:
=========
According to T-Mobile Austria, users will get a notification for the new
firmware release; T-Mobile urges all customers to upgrade the firmware.
The firmware can also be installed manually:
http://www.t-mobile.at/info-und-support/dlc/DLC.php

Fixed firmware version: V100R001C55SP102
Direct download: http://download.t-mobile.at/a/dlc/V100R001C55SP102.tar.bz2

Vendor information (German):
http://blog.t-mobile.at/2014/01/22/software-updates-zu-verhinderung-von-sicherheitsluecken/

Workaround:
===========
As a partial workaround, the product should not be configured to be
accessible from the Internet. Limit access only to trusted (local) users
internally.
Advisory URL:
=============
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

Interested in working with the experts of SEC Consult?
Write to career@sec-consult.com

EOF J. Greil / @2014