[afnog] Vulnerable Huawei modem
Loganaden Velvindron
loganaden at gmail.com
Sat Oct 14 07:22:45 UTC 2017
We has been poking around the Huawei HG8245H which is widely deployed
in Mauritius. We discovered that it's using an old version of DNSmasq:
dig @192.168.100.1 version.bind txt chaos
; <<>> DiG 9.10.3-P4-Ubuntu <<>> @192.168.100.1 version.bind txt chaos
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31268
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;version.bind. CH TXT
;; ANSWER SECTION:
version.bind. 0 CH TXT "dnsmasq-2.49" <<<<<-----
;; Query time: 2 msec
;; SERVER: 192.168.100.1#53(192.168.100.1)
;; WHEN: Sat Oct 14 10:18:11 +04 2017
;; MSG SIZE rcvd: 55
Google has published the following on DNSMASq, some which have a high
CVE rating leading to remote code execution:
https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html
Upon close examination, another software is used for DHCP (busybox
dhcp software). However, DNS is served by DNSmasq.
Furthermore the 3rd column indicates the uid of the dnsmasq process
that you can check by using telnet on the modem:
1805 1805 0 356k S 120 120 120 3 dnsmasq
3153 3153 0 324k S 120 120 120 0 dnsmasq
3158 3158 0 340k S 120 120 120 0 dnsmasq
^^^^
DNSMasq supports running as a non-privileged user since a while now !!
Why run it as root ?
We've opened a ticket with huawei and they have acknowledged the issue
and are discussing with their production line to at least use an
unprivileged user to run dnsmasq.
Anybody else who is deploying Huawei modems/routers in the region can
help push for an update of the firmware ?
Kind regards,
//Logan
Hackers.mu
More information about the afnog
mailing list