Introduction

Timing attacks are a specific type of side-channel attack, in which extra information is obtained by observing how a system executes (here, how long it takes to respond) rather than by actively exploiting it.

This kind of weakness is particularly noticeable in capacity-constrained devices, which are common in IoT, and in systems with flawed algorithmic implementations.

Technical details

Device Type: HG8247Q
Description: EchoLife HG8247Q GPON Terminal
Computer Equipment Version: 929.A
Software Version: V3R019C00S200


In this specific case I was able to consistently enumerate usernames registered on Huawei's HG8247Q router by measuring how long the backend application took to answer my login requests. In every test the password was wrong, so the login always failed; only the username varied. Non-existing usernames were answered in 4-6 milliseconds on average, existing usernames in 150-250 milliseconds. Both Huawei and the ISP were informed of this vulnerability, but the manufacturer did not consider the risk high enough to warrant a CVE publication.

The vulnerable endpoint is `/login.cgi`, which is where the login form is submitted. The login page is reached by browsing directly to the router's IP address on port 80.

The login form has 4 parameters:
UserName={username}&PassWord=dGVzdAo=&Language=portuguese&x.X_HW_Token=cc731a46bcf709b59ca7606306a36575

So we have `UserName`, which holds the submitted username; `PassWord`, which must be submitted base64-encoded; the chosen `Language`; and the anti-CSRF token `x.X_HW_Token`, which must be refreshed on each new request.


If we try and fail to log in with username test and a random password, the request looks like this:


With a response time of 6 milliseconds:


Trying instead to log in with a valid username (taken from the default credentials) and an invalid password, the device takes longer to answer us:


The server took considerably more time to process this request than the first login attempt:


This behavior can be replicated consistently. Here is a login attempt for username no_user:


Which took 7 milliseconds.
And again, attempting to log in with the valid username:


Once more the request took longer to process, 167 milliseconds, indicating that we hit a valid username.
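The discrepancy above is what a backend that only does its expensive password check when the username exists looks like from the outside. As an added example (not the router's own code), here is a simulated login handler with that shortcut next to a constant-work version that always runs the password KDF, against a dummy hash when the user is unknown, measured the way the post measures it; the user store, KDF parameters and dummy hash are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

ITERATIONS = 50_000            # slow on purpose, like a real password KDF
SALT = b"constructed-salt"     # constructed; a real store uses a per-user salt
KDF_CALLS = 0                  # counts KDF runs so the work done is observable

def kdf(password: str) -> bytes:  # the expensive step whose absence leaks
    global KDF_CALLS
    KDF_CALLS += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)

USERS = {"root": kdf("correct horse")}  # constructed store: only "root" exists
# Hash of a random secret nobody knows: verifying against it costs exactly as
# much as verifying a real account, so unknown usernames take the same time.
DUMMY_HASH = kdf(secrets.token_hex(16))

def login_leaky(username: str, password: str) -> bool:
    """Returns early for unknown users: microseconds versus tens of ms."""
    stored = USERS.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(kdf(password), stored)

def login_constant_work(username: str, password: str) -> bool:
    """Runs the KDF and a constant-time compare whether or not the user exists."""
    stored = USERS.get(username)
    match = hmac.compare_digest(kdf(password), DUMMY_HASH if stored is None else stored)
    return stored is not None and match

def kdf_calls_for(fn, username: str) -> int:
    """Number of KDF runs one failed login for `username` triggers."""
    before = KDF_CALLS
    fn(username, "wrong password")
    return KDF_CALLS - before

def median_ms(fn, username: str, rounds: int = 5) -> float:
    """Median wall-clock time of a failed login in ms, as measured in the post."""
    samples = []
    for _ in range(rounds):
        t0 = time.perf_counter()
        fn(username, "wrong password")
        samples.append((time.perf_counter() - t0) * 1000)
    return sorted(samples)[len(samples) // 2]

def timing_ratio(fn) -> float:
    """How much longer a known user's failed login takes than an unknown user's."""
    return median_ms(fn, "root") / max(median_ms(fn, "no_user"), 1e-6)
```

Calling timing_ratio() on each handler shows the leaky one answering unknown users thousands of times faster, while the constant-work one stays within noise of 1x.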

Impact


A malicious user or attacker with local network access to the router's web interface can enumerate valid usernames, either for further brute-force attacks or to facilitate social engineering. If the complete set of credentials is compromised, the attacker can alter most router settings, block devices from accessing the network, or change passwords.

What could have been done?

With this particular vulnerability it is not clear whether the flaw lies in the hardware or the software components. However, a timely and rigorous penetration test (such as Balwurk's CREST-certified penetration testing services) could have detected vulnerabilities like this one and prevented the deployment of vulnerable equipment.

References

Side-channel attack, Wikipedia: https://en.wikipedia.org/wiki/Side-channel_attack

CWE-204: Observable Response Discrepancy, MITRE CWE list (version 4.16)

User Enumeration Explained: Techniques and Prevention Tips, Rapid7 Blog