I have Huawei's B593s-22 4G router as the main connection at home. It's quite a neat device, and if 4G connectivity is available, fast too. This morning I wanted to browse Amazon.co.uk on my iPhone (which is connected to the WLAN provided by the B593s-22), but got a DNS query failure notification. Strange. It's somewhat unlikely that Amazon would have that kind of problem during the Christmas sale, so I decided to drop WLAN and try plain cellular (and thus drop the Huawei from the equation). Amazon.co.uk was working fine, which was a bit of a WTF moment. What exactly does the B593s-22 do to my DNS queries for Amazon? Which DNS servers does it use?!

Well, as it seems, it's not that easy to find out. DHCP clients get the B593s-22's own IP as the DNS server, and it's not possible to see or choose which DNS servers the B593s-22 uses or hands out to DHCP clients from the web user interface. In order to gain further insight, I would need SSH access on the box. Unfortunately the web interface admin password did not work for SSH.

After Googling around I came across this site, which mentions a USB/FTP hack. The instructions are for the B593s-12, and the -22 has been changed significantly, so the instructions won't work as-is. Huawei's track record in security is terrible, so I figured it should still be easy to gain access. So I went ahead and connected a FAT32-formatted 16 GB USB stick to the device and enabled the FTP interface:

Then went on to add a user:

Bummer. According to the instructions on the above site I would need to type ../../ into the path input box to gain access to the root filesystem. Huawei's engineers have done their best to prevent tampering with the box and have changed the input box to a Select button, which only lets the user choose from existing folders on the USB stick. Damn.... Well, as mentioned earlier, Huawei's track record in security is shit, so I figured that it's quite possible that the checks and limitations are only client side, and I would only need to get past them.
After looking into and fiddling with the source code of the page and the various JavaScript files it includes, I figured that simple DOM manipulation could be the method. Essentially, I would need to include ../../ in the selection list presented by the Select button. This can be achieved easily in Google Chrome by right-clicking an element (e.g. .Spotlight-V100) and choosing Inspect Element. Chrome shows the source of the page, which you can edit to your liking. The edits I made were:

Time to test... I went on and FTP'd onto the box.

pormb:Downloads por$ ftp 10.254.212.1
Connected to 10.254.212.1.
220 bftpd %v at 10.254.212.1 ready.
Name (10.254.212.1:por): ftp
331 Password please.
Password:
230 User logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering extended passive mode (|||50544|)
150 BINARY data connection established.
drwxrwx--x    1 0        0            4096 Nov 28 17:53 app
lrwxrwxrwx    1 0        0              14 Jan 01  1970 bin -> system/atp/bin
drwxrwx---    2 1000     2001            0 Jan 01  1970 cache
dr-x------    2 0        0               0 Jan 01  1970 config
drwxrwxrwx    1 0        0            4096 Dec 18  2013 cpedata
drwxrwx--x    1 1000     1000         4096 Jan 01  2013 data
-rw-r--r--    1 0        0             118 Jan 01  1970 default.prop
drwxr-xr-x   10 0        0               0 Dec 13 10:16 dev
lrwxrwxrwx    1 0        0              15 Jan 01  1970 etc -> /system/atp/etc
-rw-rw-rw-    1 0        0               0 Jan 01  2013 hsvelog.txt
lrwxrwxrwx    1 0        0              12 Jan 01  1970 html -> cpedata/html
-rwxr-x---    1 0        0           94168 Jan 01  1970 init
-rwxr-x---    1 0        0            1677 Jan 01  1970 init.goldfish.rc
-rwxr-x---    1 0        0           15298 Jan 01  1970 init.rc
lrwxrwxrwx    1 0        0              14 Jan 01  1970 lib -> system/atp/lib
drwxr-xr-x    2 0        0               0 Jan 01  1970 media
drwxr-xr-x    4 0        0               0 Dec 13 10:16 mnt
drwxr-xr-x    1 0        0            4096 Jan 01  1970 online
dr-xr-xr-x  123 0        0               0 Jan 01  1970 proc
drwx------    2 0        0               0 Dec 18  2013 root
drwxr-x---    2 0        0               0 Jan 01  1970 sbin
drwxr-xr-x   12 0        0               0 Jan 01  1970 sys
drwxrwxrwx    1 0        0            4096 Dec 18  2013 system
drwxr-xr-x    6 0        0               0 Jan 01  2013 tmp
drwxr-xr-x    2 0        0               0 Jan 01  1970 tts
-rw-r--r--    1 0        0               0 Jan 01  1970 ueventd.goldfish.rc
-rw-r--r--    1 0        0            3764 Jan 01  1970 ueventd.rc
lrwxrwxrwx    1 0        0              14 Jan 01  1970 usr -> system/atp/usr
drwxr-xr-x   25 0        0               0 Dec 13 11:17 var
lrwxrwxrwx    1 0        0              15 Jan 01  1970 xbin -> system/atp/sbin
226 Directory list has been submitted.
ftp>

Nice, Huawei. Your security record is still shit. From either here or here I had already learnt that the plain-text SSH passwords can be found in /var/sshusers.cfg. I went on to download it and yes, there it was!

pormb:~ por$ ssh admin@10.254.212.1
admin@10.254.212.1's password:
-------------------------------
-----Welcome to ATP Cli------
-------------------------------
ATP>shell
BusyBox vv1.9.1 (2013-12-18 15:31:27 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
#

Now I have an SSH shell, but I've still to solve the DNS issue...
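The root cause above is a share-folder check that lives only in the browser: the Select widget restricts what the form offers, but the server accepts whatever path is posted. The following is an added example, not Huawei's code, of the server-side check the router would need: it canonicalises the requested folder with the USB mount as the base and rejects anything that resolves outside it, whether via ../../, an absolute path, or a symlink placed on the stick itself. The USB-stick layout is constructed in a temporary directory and the function names are hypothetical.

```python
import tempfile
from pathlib import Path
from typing import Dict, Optional


def resolve_share_path(usb_root: str, requested: str) -> Optional[str]:
    """Canonicalise a user-chosen share folder and confirm it stays inside the USB mount.

    Returns the resolved absolute path, or None when the request would leave
    usb_root (via '..', an absolute path, or a symlink on the stick itself).
    """
    root = Path(usb_root).resolve()
    # Treat the submitted value as relative to the mount, even if the client sent "/..."
    candidate = (root / requested.lstrip("/")).resolve()
    try:
        candidate.relative_to(root)  # raises ValueError if candidate is not under root
    except ValueError:
        return None
    if not candidate.is_dir():
        return None
    return str(candidate)


def demo() -> Dict[str, bool]:
    """Build a constructed USB-stick layout in a temp dir and report which requests pass."""
    with tempfile.TemporaryDirectory() as tmp:
        usb = Path(tmp) / "usb"
        (usb / ".Spotlight-V100").mkdir(parents=True)  # folder name taken from the page's example
        (usb / "photos").mkdir()
        # A symlink on the stick pointing above the mount: a realpath-based check rejects it too
        (usb / "escape").symlink_to(Path(tmp))
        requests = [".Spotlight-V100", "photos", "../../", "/photos/../../..", "escape", "missing"]
        return {r: resolve_share_path(str(usb), r) is not None for r in requests}


if __name__ == "__main__":
    for req, ok in demo().items():
        print(f"{req!r:22} -> {'accepted' if ok else 'rejected'}")
```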