This is a post about CVE-2017-17215 in Huawei HG532 home routers. The Satori botnet is actively using this CVE to build an IoT botnet.

A post I recommend reading before this one:
https://research.checkpoint.com/good-zero-day-skiddie/

To be honest, this exploitation is very easy. The HG532 runs a UPnP service on port 37215 that is used for firmware upgrades. We can simply send a request to "/ctrlt/DeviceUpgrade_1"; the two elements of interest are 'NewStatusURL' and 'NewDownloadURL'. If we replace the contents of these two elements with the commands we want to execute, we get remote command execution.

This is the PoC from exploit-db. We can see it does nothing more than change those two elements. So let's look at the MIPS assembly of the upnp binary.

The key functions here are snprintf and system.
For snprintf, we know the signature is `int snprintf(char *s, size_t n, const char *format, ...);`.

So here, a0 holds the destination buffer (the final string), a1 holds the length of that buffer, and a2 holds the string we supplied in the request.

We can then see that the buffer is later passed to system(a0). Since we control a2, an input such as `; ls ;` ends up executing 'ls' on the router: the attacker-supplied value is formatted into a shell command line with no validation and handed straight to the shell.
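As an added example (not from the original post or the exploit-db PoC), here is a small Python check a defender could run over requests captured on port 37215: it flags POSTs to the upgrade endpoint whose NewStatusURL or NewDownloadURL values carry shell metacharacters instead of a plain URL. The SOAP bodies, the placeholder namespace and the function name are constructed for illustration and do not reproduce the real request envelope.

```python
import re
import xml.etree.ElementTree as ET

# Endpoint and SOAP elements abused by CVE-2017-17215 (as described in the post).
UPGRADE_PATH = "/ctrlt/DeviceUpgrade_1"
TAINTED_ELEMENTS = ("NewStatusURL", "NewDownloadURL")
# Shell metacharacters that have no business in a URL that ends up in snprintf()+system().
SHELL_META = re.compile(r"[;|&`$()<>\n]")

def inspect_upgrade_request(request_line: str, body: str) -> dict:
    """Classify one HTTP request to the HG532 UPnP service (hypothetical helper).

    Returns {'matches_endpoint': bool, 'suspicious': [element names]}.
    """
    result = {"matches_endpoint": False, "suspicious": []}
    parts = request_line.split()
    if len(parts) < 2 or parts[0] != "POST" or parts[1] != UPGRADE_PATH:
        return result  # not the vulnerable endpoint, nothing to inspect
    result["matches_endpoint"] = True
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        # A POST to the upgrade endpoint with a body that is not even XML is worth a look.
        result["suspicious"].append("<unparseable body>")
        return result
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # drop any "{namespace}" prefix
        if tag in TAINTED_ELEMENTS:
            value = (elem.text or "").strip()
            # Legitimate values are plain http(s) URLs; anything else is flagged.
            if SHELL_META.search(value) or not value.startswith(("http://", "https://")):
                result["suspicious"].append(tag)
    return result

# Constructed sample bodies (simplified envelope, placeholder namespace).
BENIGN_BODY = (
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    '<u:Upgrade xmlns:u="urn:example:constructed">'
    "<NewStatusURL>http://192.0.2.10/status.txt</NewStatusURL>"
    "<NewDownloadURL>http://192.0.2.10/fw.bin</NewDownloadURL>"
    "</u:Upgrade></s:Body></s:Envelope>"
)
SUSPECT_BODY = (
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    '<u:Upgrade xmlns:u="urn:example:constructed">'
    "<NewStatusURL>; ls ;</NewStatusURL>"
    "<NewDownloadURL>http://192.0.2.10/fw.bin`ls`</NewDownloadURL>"
    "</u:Upgrade></s:Body></s:Envelope>"
)
```

Feeding the benign body yields no findings, while the injected one flags both elements, which is the signal to alert on and to block at the network edge.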

Any questions, please contact me at xudong_shao@hotmail.com.