[afnog] Vulnerable Huawei modem

Loganaden Velvindron loganaden at gmail.com
Sat Oct 14 07:22:45 UTC 2017


We have been poking around the Huawei HG8245H, which is widely deployed
in Mauritius. We discovered that it's using an old version of DNSmasq:

dig @192.168.100.1 version.bind txt chaos

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @192.168.100.1 version.bind txt chaos
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31268
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;version.bind. CH TXT

;; ANSWER SECTION:
version.bind. 0 CH TXT "dnsmasq-2.49" <<<<<-----

;; Query time: 2 msec
;; SERVER: 192.168.100.1#53(192.168.100.1)
;; WHEN: Sat Oct 14 10:18:11 +04 2017
;; MSG SIZE  rcvd: 55

Google has published the following on DNSmasq, some of which have a high
CVE rating leading to remote code execution:
https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html

Upon close examination, other software is used for DHCP (busybox
dhcp software). However, DNS is served by DNSmasq.

Furthermore, the 3rd column indicates the uid of the dnsmasq process,
which you can check by using telnet on the modem:

 1805  1805     0      356k S     120    120    120      3 dnsmasq
 3153  3153     0      324k S     120    120    120      0 dnsmasq
 3158  3158     0      340k S     120    120    120      0 dnsmasq
             ^^^^
DNSmasq has supported running as a non-privileged user for a while now!!
Why run it as root?

We've opened a ticket with Huawei and they have acknowledged the issue
and are discussing with their production line to at least use an
unprivileged user to run dnsmasq.

Can anybody else who is deploying Huawei modems/routers in the region
help push for an update of the firmware?

Kind regards,
//Logan
Hackers.mu
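
The two checks in the message above (the version.bind banner and the uid column of the modem's process list), as an added example that is not part of the original post: shell helpers that parse both outputs so the same audit can be repeated across deployed devices. The function names and MIN_VERSION are assumptions; MIN_VERSION is a placeholder to be set from the advisory you are tracking.

```shell
#!/bin/sh
# Added example (not from the original post). Helper names are hypothetical.

# Extract the version from a version.bind TXT answer, e.g.
# 'version.bind. 0 CH TXT "dnsmasq-2.49"' or dig +short's '"dnsmasq-2.49"'.
dnsmasq_version() {
    printf '%s\n' "$1" | sed -n 's/.*"dnsmasq-\([0-9][0-9.]*\)[^"]*".*/\1/p'
}

# Succeed if version $1 is older than $2. Fields are compared as integers,
# so 2.9 sorts before 2.49 (a float or string compare gets this wrong).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1   # equal versions are not "older"
    }'
}

# Read process-list lines on stdin (layout as in the post: the 3rd column
# is the uid) and print the PID of every dnsmasq process with uid 0.
root_dnsmasq_pids() {
    awk '$NF == "dnsmasq" && $3 == "0" { print $1 }'
}

# $1 = TXT answer, $2 = minimum acceptable version, stdin = process list.
audit_cpe() {
    ver=$(dnsmasq_version "$1")
    if [ -z "$ver" ]; then
        echo "dnsmasq version not disclosed"
    elif version_lt "$ver" "$2"; then
        echo "dnsmasq $ver is older than $2"
    fi
    for pid in $(root_dnsmasq_pids); do
        echo "dnsmasq pid $pid runs as uid 0"
    done
}

# Sample input copied from the post. MIN_VERSION is a constructed
# placeholder, not a real fix version.
MIN_VERSION="2.50"
audit_cpe 'version.bind. 0 CH TXT "dnsmasq-2.49"' "$MIN_VERSION" <<'EOF'
 1805  1805     0      356k S     120    120    120      3 dnsmasq
 3153  3153     0      324k S     120    120    120      0 dnsmasq
EOF
```

Against a live device, the first argument would be the output of `dig +short @192.168.100.1 version.bind txt chaos`.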


