Code Used in Zero Day Huawei Router Attack Made Public

Researchers warn of copycat type attacks as exploit code used in Mirai variant goes public.

Exploit code used in the Mirai malware variant called Satori, which was used to attack hundreds of thousands of Huawei routers over the past several weeks, is now public. Researchers warn the code will quickly become a commodity and be leveraged in DDoS attacks via botnets such as Reaper or IOTrooper.

Ankit Anubhav, researcher at NewSky Security first identified the code on Monday that was posted publicly on The code is the zero-day vulnerability CVE- 2017-17215 used by a hacker identified as “Nexus Zeta” to spread a variant of the Mirai malware called Satori, also known as Mirai Okiru.

“The fact that the code is now in the open means that more threat actors would now be using it. We can assume that the exploit would become commodity, and IoT botnets that attempt at exploiting a large kit of vulnerabilities will be adding CVE- 2017-17215 to their arsenal,” said Maya Horowitz, threat intelligence group manager, Check Point.

Last week, Check Point identified the vulnerability (CVE-2017-17215) in a Huawei home router model HG532 that was being exploited by Nexus Zeta to spread the Mirai variant Mirai Okiru/Satori. Since then Huawei issued an updated security notice to customers warning the flaw allows a remote adversary to send malicious packets to port 37215 to execute remote code on vulnerable routers.

“This code is now known to a variety of black hats. Just like previous SOAP exploits released for free to the public it will be used by various script kiddies and threat actors,” Anubhav said. NewSky Security posted a blog Thursday outlining its discovery of the zero-day code.

The underlying cause was a bug related to SOAP, a protocol used by many IoT devices, Anubhav said. Earlier issues in SOAP (CVE-2014-8361 and TR-064 ) effected different vendors and was widely used by Mirai variants.

In the case of CVE-2017-17215, this zero day exploits how the Huawei router uses of the Universal Plug and Play (UPnP) protocol and the TR-064 technical report standard. TR-064 is a standard designed to make it easy to add embedded UPnP devices to a local network.

“In this case though, the TR-064 implementation in the Huawei devices was exposed to WAN through port 37215 (UPnP),” researchers wrote. The UPnP framework supports a “DeviceUpgrade” that can carry out a firmware upgrade action.

The vulnerability allows remote administrators to execute arbitrary commands by injecting shell meta-characters into the DeviceUpgrade process.

“After these have been executed, the exploit returns the default HUAWEIUPNP message, and the ‘upgrade’ is initiated,” Check Point researchers wrote.

The payload’s main purpose is to instruct the bot to flood targets with manually crafted UDP or TCP packets.

“The exploit code was already used by two major IoT botnets, Brickerbot and Satori, and now that the code is public it will be incorporated into different botnet strains,” Anubhav said.

Mitigation against attacks includes configuring a router’s built-in firewall, changing the default password or using firewall at the carrier side, Huawei said.

“Please note that users of this router are mostly home users, who do not typically log in to their router’s interface and don’t necessarily have the know-how, and so unfortunately I have to assume most devices would stay vulnerable,” Horowitz said. “We desperately need IoT device manufacturers to make security a top priority and not to leave the users accountable.”

Suggested articles