The administrator account used by NURO Hikari has been identified: screens that should stay hidden are fully visible, and root privileges can be obtained

For network devices rented out by Sony Network Communications' Internet service 'NURO Hikari', the account ID and password that NURO Hikari uses for management have been identified. With this account, a user can reach functions that are normally inaccessible and can execute commands with root privileges.

GitHub --meh301 / HG8045Q: Pwning the Nuro issued Huawei HG8045Q

Table of contents

◆ 1: The reported vulnerability in the 'HG8045Q'
◆ 2: Checking the vulnerability
◆ 3: Discovering a new vulnerability
◆ 4: Reporting the vulnerability and NURO Hikari's response

◆ 1: The reported vulnerability in the 'HG8045Q'
The vulnerability, reported by researcher Alex Orsholits, concerns an optical network unit (ONU), the device installed at the subscriber end of the network. NURO Hikari supplies several types of ONU; the one with the reported vulnerability is the 'HG8045Q' made by Huawei. By reverse engineering his HG8045Q, Orsholits discovered a special account on the unit's web management screen.

The HG8045Q is configured from the web management screen. Normally you log in to the management screen with the user name 'admin' and a password you set yourself.

On the web management screen you can check device information such as the ONU's serial number and firmware version ...

... and restart the unit. However, the management screen also has 'hidden functions', which are enabled by logging in with the 'administrator account' that belongs to NURO Hikari. Orsholits analyzed the HG8045Q and showed how the ID and password of that administrator account can be identified.

◆ 2: Checking the vulnerability
GIGAZINE's editorial department has a NURO Hikari contract, and the HG8045Q it was lent by NURO Hikari is the very device affected by the disclosed vulnerability. Concerned about the impact, I used the vulnerability to access the administrator control panel myself. According to Orsholits' analysis, the administrator account's user name is 'admin_iksyomuac13', which is common to every HG8045Q provided by NURO Hikari, and the password has the form 'iksyomuac13_admin_XXXX', where 'XXXX' is the 'XXXX' portion of the string 'YYYYYYYYXXXX-YY (YY)' (the actual characters are masked as 'XXXX' here).

When I actually accessed the management screen with the administrator account ...

... a screen appeared showing 'CPU usage', 'memory usage', and 'customization information' (which vendor the HG8045Q is customized for), none of which can be seen with a normal account.

At the bottom of the screen, red text reads: 'The initial password is used by the administrator. If you need to change this password, please contact your carrier. For details on how to change the password, see Security Maintenance at http://support.huawei.com.'

Visiting that URL displayed Huawei's enterprise support page.

Once logged in with the administrator account, various functions that a normal account does not display become available. For example, the 'WAN' item lets you configure a LAN port as a WAN port.

You can manipulate the routing table ...

... and a device control item has been added.

The administrator account additionally displays the following functions.

◆ Status
- 'WAN information': adds display of the IPv6 address and VLAN priority
- Adds a 'Smart WiFi Coverage' item
- 'Device information': adds display of the ONT ID, CPU usage, memory usage, and customization information
- Adds a 'Remote Management' item: shows the status of the remote connection and of service provisioning
- Adds a 'Service provisioning status' item: shows the connection status between the ONT and the ONU

◆ WAN (added by the administrator account)
- 'WAN setting': WAN ports can be configured; ports normally used for LAN can also be set as WAN ports
- 'DHCP client option setting'
- 'DHCP client request parameter'

- Adds a 'LAN port operation method' item: selects which ports operate at layer 3
- 'LAN host setting': adds a secondary address setting
- 'DHCP Server Settings': DHCP relay, Option 125, and a secondary DHCP server can be enabled
- Adds a 'DHCP server option setting' item: DHCP server options on the LAN side can be set

◆ IPv6
- Adds a 'default route setting'
- Adds a 'static route setting'
- 'LAN address setting': the interface ID of the IPv6 address can be changed via the interface address information

- '2.4G detailed network setting': the regulatory region can be changed to countries other than Japan
- '5G detailed network setting': the regulatory region can be changed to countries other than Japan
- Enables 'Wi-Fi automatic disconnection': Wi-Fi can be set to switch off automatically while the function is not in use
- 'Smart WiFi Coverage Management': 'You can specify the SSID of the Wi-Fi network and add the scanned external AP to this Wi-Fi network. In addition, with the external AP and this device you can configure the entire Wi-Fi network and seamlessly access this network from your wireless device.'

◆ Security
- Enables 'Firewall Level Settings': selectable from 'Disable', 'High', 'Medium', 'Low', and 'Custom Settings'
- Enables 'Device access control': controls access to FTP, HTTP, and telnet on each of the LAN, WAN, and wireless networks, and sets the permitted source addresses on the WAN side
- 'WAN access control setting': HTTP mode, telnet, FTP, SSH, and permitted source addresses can be set for an individual WAN port

◆ Route (added by the administrator account)
- 'Default route setting': the default route can be set
- 'Static route setting': static routes can be set by domain name, IP address, subnet mask, gateway IP address, and WAN port name
- 'Policy route setting': service policy routes can be set
- 'VLAN binding setting'
- 'Service route setting': service routes can be set
- 'Routing table': the current routing information (destination IP address, destination subnet mask, gateway, output interface, etc.) can be queried

◆ Network app
- Adds a 'Portal setting' item: sets the website displayed when a client first accesses the Internet
- Adds a 'DDNS setting' item: DDNS services such as DynDNS and No-IP can be configured
- Adds an 'IGMP setting' item
- Adds an 'Intelligent Channel Settings' item
- Adds a 'Terminal restriction setting' item: the number of terminals connected to the Internet can be limited
- Adds an 'ARP Ping' item
- Adds an 'ARP aging' item: the ARP aging time can be set

◆ System tools
- Adds a 'Setting file' item: the configuration file can be saved, downloaded, and updated
- Adds a 'Firmware upgrade' item: the firmware can be updated from a specified firmware file
- 'Maintenance': the DSCP value of the ping test can be changed, and a hardware failure detection function is added
- Adds a 'Remote mirroring' item: packets sent and received by the CPU can be mirrored
- Adds an 'ONT authentication' item: the parameters the OLT uses to authenticate the ONT can be changed
- Adds a 'Time setting' item: adds an option to enable DST
- Adds a 'TR-069' item: TR-069 is the protocol a provider uses to operate the subscriber's device remotely, and its settings can be changed here
- Adds an 'Extended power management' item: the unit can be switched to power-saving mode
- 'Change login password': adds a certificate authentication function
- Adds an 'Intelligent Channel Statistics' item: statistics for intelligent channel traffic can be collected and queried
- Adds a 'Collect failure information' item: failure information can be collected and downloaded

◆ 3: Discovering a new vulnerability
Using the administrator account above, you can also connect to the HG8045Q over SSH from the LAN. Logging in via SSH presents a shell called 'WAP'.

WAP is the shell used on Huawei network devices; appending '?' to a command shows how to use it.

For example, entering 'ping?' returns the usage of the ping command.

As a test I ran 'ping -h', the usual way to display usage for the normal ping command. BusyBox responded with 'ping: invalid option -- h' and then printed the usage of its own ping command, even though '-h' is an invalid argument. From this I inferred that 'some of the commands available in WAP are Huawei's own, while others are shell scripts that call BusyBox.'

While investigating the shell scripts that call BusyBox, I discovered a new vulnerability, separate from the identification of the administrator account. To reproduce it, first type a string after a command that is backed by a BusyBox shell script, continuing until the shell stops accepting input, then press Enter to execute the command.

After the command runs, no error is shown and the shell waits for further input; at this point enter '' and start a new line.

Enter the command you want to execute after the '> |' prompt. I tried 'whoami', which shows the current user and is normally unavailable in WAP.

Even though I was logged in as 'admin_iksyomuac13', the command executed with root privileges.

Information that the WAP shell does not expose, such as the output of 'cat /proc/cpuinfo' for checking the CPU, can be obtained this way as long as the command is implemented in BusyBox.

I also found that not every command available in WAP is vulnerable: Huawei's proprietary commands enforce a length limit on their arguments.
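To show the mitigation side of the wrapper-script problem described above, here is an added example (not Huawei's WAP code, which the article does not reproduce) of how a restricted-shell command that delegates to BusyBox can validate its argument instead of handing raw input to a shell; the function names, the 64-character cap and the fixed option set are assumptions.

```shell
#!/bin/sh
# Hypothetical hardened wrapper for a restricted-shell "ping" command that
# delegates to BusyBox. This is an illustration of the mitigation for the
# bug class the article describes (restricted-shell input reaching a real
# BusyBox shell unchecked); it is not the device's actual code.

MAX_ARG_LEN=64   # assumed cap, in the spirit of the vendor commands' limit

# validate_target HOST : returns 0 only for a plain IPv4 literal or a
# hostname made of [A-Za-z0-9.-], at most MAX_ARG_LEN characters long.
validate_target() {
    target=$1
    [ -n "$target" ] || return 1
    [ "${#target}" -le "$MAX_ARG_LEN" ] || return 1
    # Reject anything that is not a hostname/IPv4 character. Shell
    # metacharacters (; | & > < $ ` quotes, spaces, newlines) all fail
    # here, so the value can never reopen a command line in BusyBox.
    case $target in
        *[!A-Za-z0-9.-]*) return 1 ;;
    esac
    # A leading '-' would be parsed by BusyBox ping as an option, not a host.
    case $target in
        -*) return 1 ;;
    esac
    return 0
}

# restricted_ping HOST : runs BusyBox ping on a validated target with a
# fixed option set. The target is passed as one argument; there is no
# eval and no string interpolation into a command line.
restricted_ping() {
    if ! validate_target "$1"; then
        echo "ping: invalid target" >&2
        return 2
    fi
    busybox ping -c 3 -- "$1"
}
```

The key property is that the argument is validated with an allowlist and passed as a single argv element, so the length limit and the character check together leave no way to append a second command.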

On the HG8045Q the SSH port is closed on the WAN side, so attacking it via SSH over the WAN is difficult. However, knowing the MAC address is enough to work out the administrator password needed for the SSH connection, and since the MAC address is printed on the outside of the unit, anyone with physical access to the device can execute commands with root privileges.

◆ 4: Reporting the vulnerability and NURO Hikari's response
The 'identification of the administrator account' had been published on GitHub, but the root command execution vulnerability did not appear to be published anywhere, so I decided to contact NURO Hikari and report it. First I checked HackerOne, the bug bounty platform, but NURO Hikari does not participate.

I did find a page for the hardware vendor Huawei, but it asked reporters to e-mail '[email protected]' directly; communication through HackerOne was not possible.

Normally a program page has a 'Hacktivity' section showing the status of reports and a 'Thanks' page listing reporters, but Huawei's page was in the curious state of having only a 'Policy'. Unsure whether a report would actually be handled, I gave up on reporting via HackerOne.

Next I searched the NURO Hikari website for somewhere to report a bug, but there was no contact point along the lines of 'Click here to report a bug'. Digging further, I found a 'technical center' on the following page.

NURO Hikari Support / Contact List │ NURO Hikari Campaign Site

It was unclear whether a bug report counts as a 'technical question', but since the technical center was the only contact point where a bug could be reported, I called it to report the vulnerability.

The timeline from the first inquiry to the final answer was as follows.

- September 28, 2020: Reported the 'identification of the administrator account' to NURO Hikari via the Technical Center; the reply was 'We will respond at a later date'.
- October 6, 2020: Reported the 'identification of the administrator account' and 'obtaining root privileges' to the support desk by e-mail; the reply was 'We will inform our staff'.
- October 27, 2020: On contacting NURO Hikari again, it turned out the matter had been left unattended, so I asked for a reply within a week.
- October 28, 2020: Sent NURO Hikari additional details of the vulnerability by e-mail.
- November 5, 2020: NURO Hikari called back, and the call center manager replied, 'We will address the vulnerability.'
- November 9, 2020: NURO Hikari called back again, and the same person as on November 5 reported that 'NURO has officially answered that the vulnerability will not be fixed.'

NURO Hikari's final answer, given about two weeks after the inquiry, was as follows.

- The account identified is indeed NURO Hikari's administrator account, but since it cannot immediately be accessed illegitimately from outside, we will not take measures such as a fix.
- Even if a problem arises from use of the administrator account, NURO Hikari will provide no support.
- We ask that you refrain from disclosing the vulnerability if possible, but this is not a prohibition.

The firmware update announced on October 19, 2020 did not fix the vulnerability.

…… In other words, NURO Hikari does not seem to 'recognize this as a vulnerability at all'.

As recently as June 2020, NURO Hikari's ONU was criticized for a security problem: it 'had no IPv6 firewall'. The Qiita article that raised the issue has since been removed, but it can still be read in the Internet Archive.

NURO Hikari talks about security (how to use it safely) --Qiita

The IPv6 firewall was enabled by the firmware update announced on October 19, 2020, but getting this vulnerability addressed seems to be difficult. Facebook is celebrating the 10th anniversary of its bug bounty program, and major IT companies such as Google and Apple run similar programs. Given that Nintendo, Toyota Motor Corporation, and Sony, the parent company of NURO Hikari, also participate in bug bounty programs, the weakness of NURO Hikari's response to the vulnerability stood out.

Facebook's bug bounty program celebrates its 10th anniversary, security officers talk about where they are and where they are going-- GIGAZINE

in Web Service,   Security, Posted by darkhorse_log