Huawei HG630B. Got Root?

Huawei HG630B. Got Root?

Telecom New Zealand are distributing the Huawei HG630B router as their ‘Home Gateway’ for residential customers. These routers are particularly interesting as they are Tri-Purpose. They have three WAN interfaces: an RJ11 socket for ADSL/VDSL, Ethernet for Fibre and USB for a USB cellular modem.
Telecom have been distributing these routers since at least the start of 2014, so a number of them are out in the wild.

The Telecom (Huawei) HG630B
The Telecom (Huawei) HG630B

One thing to note is that these routers are heavily branded and heavily locked down….. AND they leave (at least) two external ports open on the WAN side.

The two ports open on the WAN side are 22 (SSH) and 443 (HTTPS). If you try to use port 22 or 443 as an incoming port, these ‘Admin’ ports are incremented (ie: Admin port 22 is changed to 23). It appears impossible to disable the Admin incoming ports through the web interface.

The only way to change this behaviour is to somehow get root access to the device.

I first attempted the tried and tested ping hack on the device. The ping hack is a classic command injection hack where the device simply takes whatever address you want to ping and executes it as “ping address>/var/pingresultfile”. Changing the address to “;cat /etc/passwd” runs the command “ping ;cat /etc/password>/var/pingresultfile” and Voila, you have access to run whatever you want at (normally) full root priveleges. This failed, it seems that Huawei take note of security reports and harden their software.

Maybe I need to take a look around inside..

You May Also Like

About the Author: John

9 Comments

    1. I’m still investigating when I have the time.
      I am able to run commands as root, but not keen to divulge the vulnerability yet.

  1. Oddly, we have this HG630B as well. We can administer via its web-based administrative interface on the LAN.
    We have a static ip and wanted to access the web-based interface via http but cant for the life of me see how to enable that. So far have created a port forward from port 8080 (start) port 8080 (end) then internal port 80. Oddly as described in you post above with incremental ports, if i went to ip.xx.xx.xx:8081 i got the login prompt which showed the username and password, but wouldnt let me in. Feels like im close, but have a feeling this is locked down in some respect.

  2. Since you can open the firmware file as a filesystem , mount it rw, at say /routerupdate, then modify any system configuration etc save the changes and update the router with this firmware, restriction would be removed

  3. Hi John… any progress here? I have just ordered one of these as a replacement for our antiquated DLINK. I’d like to know a bit more about gaining a little more control over the device.

  4. Hi, Can you please let me know if you found a way to gain access to the device without jtagging?
    My device is a different model (HG658) but from the dump you posted it seems similar and the ping (and ftp) exploits don’t work on it.
    I just want to get the VOIP password my ISP has set on it because they won’t provide it. I’ve managed to get the rest of the details via hidden pages such as voip/vcesipbasicaccount.asp etc.
    Thanks

  5. Instead of having to backwards engineer the firmware have a look at these, I didn’t have much luck in decrypting the currentcfg file but maybe I’m lacking in skills. This router has a bug in the directory that allows you to download configuration files directly.

    http://192.168.1.254/images/…/…//…/…//etc/passwd
    http://192.168.1.254/images/…/…//…/…//config/currentcfg
    http://192.168.1.254/images/…/…//…/…//etc/t_tree.xml
    http://192.168.1.254/images/…/…//…/…//etc/serverkey.pem
    http://192.168.1.254/images/…/…//…/…//etc/servercert.pem
    http://192.168.1.254/images/…/…//…/…//etc/defaultcfg.xml
    http://192.168.1.254/images/…/…//…/…//lib/libcfmapi.so keys for currentcfg and defaultcfg are hidden here from what I can see. But I haven’t worked out how the encryption process is done, I think the web binary and the libcfmapi.so work together here.

Leave a Reply

Your email address will not be published. Required fields are marked *