Getting SSH access on a Huawei B593s-22

posted Dec 13, 2014, 1:28 AM by Pasi Orovuo   [ updated Dec 13, 2014, 1:30 AM ]
I have Huawei's B593s-22 4G router as the main connection at home. It's quite a neat device, and if 4G connectivity is available, fast too. This morning I wanted to browse Amazon.co.uk on my iPhone (which is connected to the WLAN provided by the B593s-22), but got a DNS query failure notification. Strange - it's somewhat unlikely that Amazon would have that kind of problem during the Christmas sale, so I decided to drop WLAN and try plain cellular (and thus drop the Huawei from the equation). Amazon.co.uk was working fine - a bit of a WTF moment. What exactly does the B593s-22 do to my DNS queries for Amazon? Which DNS servers does it use?! Well, as it turns out, that is not easy to find out.

DHCP clients get the B593s-22's own IP as their DNS server, and it's not possible to see or choose from the web user interface which DNS servers the B593s-22 uses itself or hands out to DHCP clients. In order to gain further insight, I would need SSH access on the box. Unfortunately the web interface admin password did not work for SSH.

After Googling around I came across this site, which mentions a USB/FTP hack. The instructions are for the B593s-12, and the -22 has been changed significantly, so the instructions won't work as written. Huawei's track record in security is terrible, so I figured it should still be easy to gain access. So I went ahead and connected a FAT32-formatted 16 GB USB stick to the device and went on to enable the FTP interface:


Then I went on to add a user:


Bummer - according to the instructions on the site above I would need to type ../../ into the path input box to gain access to the root filesystem. Huawei's engineers have done their best to prevent tampering with the box and have changed the input box to a Select button, which only lets the user choose from existing folders on the USB stick. Damn....

Well - as mentioned earlier - Huawei's track record in security is shit, so I figured that it's quite possible that the checks and limitations are only client side, and I would only need to get past them. After looking into and fiddling with the source code of the page and the various JavaScript files it includes, I figured that simple DOM manipulation could be the method. Essentially, I would need to include ../../ in the selection list presented by the Select button, i.e.


This can be achieved easily in Google Chrome by just right-clicking an element (e.g. .Spotlight-V100) and choosing Inspect Element. Chrome shows the source of the page, which you can edit to your liking. The edits I made were:


So basically I just duplicated the <li id="file_tree_div3"> and removed the lastExpandable-related classes from the third item. Then I went on to change the newly created file_tree_div3 to file_tree_div4 and changed the path on the span and pre elements. Nice and easy; now the file selection looked the way I wanted, so I submitted the user. The result was promising:


Time to test... I went on and FTP'd onto the box.
pormb:Downloads por$ ftp 10.254.212.1
Connected to 10.254.212.1.
220 bftpd %v at 10.254.212.1 ready.
Name (10.254.212.1:por): ftp
331 Password please.
Password: 
230 User logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering extended passive mode (|||50544|)
150 BINARY data connection established.
drwxrwx--x   1 0        0        4096 Nov 28 17:53 app
lrwxrwxrwx   1 0        0        14 Jan 01  1970 bin -> system/atp/bin
drwxrwx---   2 1000     2001     0 Jan 01  1970 cache
dr-x------   2 0        0        0 Jan 01  1970 config
drwxrwxrwx   1 0        0        4096 Dec 18  2013 cpedata
drwxrwx--x   1 1000     1000     4096 Jan 01  2013 data
-rw-r--r--   1 0        0        118 Jan 01  1970 default.prop
drwxr-xr-x  10 0        0        0 Dec 13 10:16 dev
lrwxrwxrwx   1 0        0        15 Jan 01  1970 etc -> /system/atp/etc
-rw-rw-rw-   1 0        0        0 Jan 01  2013 hsvelog.txt
lrwxrwxrwx   1 0        0        12 Jan 01  1970 html -> cpedata/html
-rwxr-x---   1 0        0        94168 Jan 01  1970 init
-rwxr-x---   1 0        0        1677 Jan 01  1970 init.goldfish.rc
-rwxr-x---   1 0        0        15298 Jan 01  1970 init.rc
lrwxrwxrwx   1 0        0        14 Jan 01  1970 lib -> system/atp/lib
drwxr-xr-x   2 0        0        0 Jan 01  1970 media
drwxr-xr-x   4 0        0        0 Dec 13 10:16 mnt
drwxr-xr-x   1 0        0        4096 Jan 01  1970 online
dr-xr-xr-x 123 0        0        0 Jan 01  1970 proc
drwx------   2 0        0        0 Dec 18  2013 root
drwxr-x---   2 0        0        0 Jan 01  1970 sbin
drwxr-xr-x  12 0        0        0 Jan 01  1970 sys
drwxrwxrwx   1 0        0        4096 Dec 18  2013 system
drwxr-xr-x   6 0        0        0 Jan 01  2013 tmp
drwxr-xr-x   2 0        0        0 Jan 01  1970 tts
-rw-r--r--   1 0        0        0 Jan 01  1970 ueventd.goldfish.rc
-rw-r--r--   1 0        0        3764 Jan 01  1970 ueventd.rc
lrwxrwxrwx   1 0        0        14 Jan 01  1970 usr -> system/atp/usr
drwxr-xr-x  25 0        0        0 Dec 13 11:17 var
lrwxrwxrwx   1 0        0        15 Jan 01  1970 xbin -> system/atp/sbin
226 Directory list has been submitted.
ftp>
Nice, Huawei. Your security record still is shit.
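The check the web UI is missing is a server-side one: the share path the user submits has to be resolved against the USB mount on the router and refused if it escapes it, because anything enforced only in the browser's DOM can be edited away. The following is an added Python example of that check beside the trusting "before" behaviour; it is not the router's code, and the mount point and function names are assumptions.

```python
import posixpath

# Assumed mount point of the USB stick; the real path on the router is not known from the post.
USB_ROOT = "/mnt/usb"


class PathOutsideShare(ValueError):
    """Raised when a requested share path would leave the USB mount."""


def naive_share_path(root: str, requested: str) -> str:
    """What the web UI effectively did: trust the client-supplied path.
    The Select button only restricted the browser side, so "../../"
    resolves straight to the root filesystem."""
    return posixpath.normpath(posixpath.join(root, requested))


def resolve_share_path(root: str, requested: str) -> str:
    """Server-side containment check: map the submitted path onto the
    USB mount and refuse anything that resolves outside it (lexical
    check only; a real daemon should also realpath() against symlinks)."""
    if "\x00" in requested:
        # A NUL byte would truncate the path in a C-based FTP daemon.
        raise PathOutsideShare("NUL byte in path")
    root = posixpath.normpath(root)
    # Treat the request as relative to the share root even if it starts with "/".
    rel = requested.lstrip("/")
    candidate = posixpath.normpath(posixpath.join(root, rel))
    # normpath collapses "../" segments, so the result must be the root itself or
    # sit strictly below "<root>/" (the slash stops "/mnt/usbX" passing as a prefix).
    if candidate != root and not candidate.startswith(root + "/"):
        raise PathOutsideShare(f"{requested!r} escapes {root}")
    return candidate


def check_requests(requests):
    """Run both resolvers over submitted paths; returns
    (requested, naive_result, hardened_result_or_None) tuples."""
    out = []
    for req in requests:
        try:
            hardened = resolve_share_path(USB_ROOT, req)
        except PathOutsideShare:
            hardened = None
        out.append((req, naive_share_path(USB_ROOT, req), hardened))
    return out


if __name__ == "__main__":
    # Constructed inputs: a real folder on the stick and the traversal from the post.
    for req, naive, hardened in check_requests([".Spotlight-V100", "../../", "backup/../../etc"]):
        print(f"{req!r:22} naive={naive:14} hardened={hardened}")
```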

From either here or here I had already learnt that the plaintext SSH passwords can be found in /var/sshusers.cfg. I went on to download it, and yes, there it was!

pormb:~ por$ ssh admin@10.254.212.1
admin@10.254.212.1's password: 
-------------------------------
-----Welcome to ATP Cli------
-------------------------------
ATP>shell


BusyBox vv1.9.1 (2013-12-18 15:31:27 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

#
Now I have an SSH shell, but I still have to solve the DNS issue...