

Multiple vulnerabilities in HUAWEI’s device put Omantel users at risk!

Overview

While I was testing Huawei’s Home Gateway device, I discovered several serious vulnerabilities which put Omantel’s ADSL users’ information and privacy at risk. The device is provided for free by Omantel to their ADSL subscribers.

First Vulnerability:

To understand the vulnerability and how it is exploited, the following illustration shows the behavior of a typical Modem/Router:

[Figure: Routers Diagram]

As you can see, by default a Modem/Router blocks inbound connections to the user’s public IP address unless the user explicitly allows them. However, this is not the case with Huawei’s Home Gateway device:

[Figure: Huawei Router Diagram]

Huawei’s Home Gateway device allows inbound connections to the user’s public IP address, which exposes the device’s web interface to the Internet. Most non-technical users never change their device’s web interface password, which is set to “admin” by default.

Second Vulnerability:

Huawei’s Home Gateway device checks the user’s credentials before displaying a page. For example, if a user requests the following page without logging in first:
http://192.168.1.1/rpSysStatus.html

The device will display a message requesting a username and password. This check, however, is applied only to file names with the .html extension; it is not applied to file names with the .js extension, and this is where the vulnerability lies. The device stores the ADSL password in a .js file, and an attacker can request that file directly:
http://192.168.1.1/wanfun.js
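To make the two defects concrete, the following added example (not Huawei firmware or code from this post) models the gateway’s access-control decisions as plain Python functions: a policy that behaves as described above (WAN inbound accepted, credential check keyed on the .html extension only) beside the policy a gateway should apply (default-deny management on the WAN side, a session required for every path except an explicit allowlist, and the credential-bearing file never served). The `Request` type, the `PUBLIC_PATHS` allowlist, the `remote_mgmt_enabled` flag and the sample requests are assumptions made for the illustration; only the two paths `/rpSysStatus.html` and `/wanfun.js` come from the post.

```python
"""Model of the two access-control defects described in the post, beside a
hardened policy.  Added example: the helper names, the allowlist and the
sample requests are assumptions, not the device's real configuration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    iface: str      # "lan" or "wan": which side the request arrived on
    path: str       # requested URL path on the management web interface
    authed: bool    # whether the session presented valid credentials


def vulnerable_policy(req: Request) -> str:
    """Behaviour the post describes: requests from the WAN side are accepted
    like LAN ones, and the login check fires only for .html file names, so
    any other extension (here the .js file holding the ADSL password) is
    served without credentials."""
    if req.path.endswith(".html") and not req.authed:
        return "401 login required"
    return "200 served"


# Assumed allowlist: the login page and the static assets it needs.
PUBLIC_PATHS = frozenset({"/", "/login.html", "/login.js", "/style.css"})


def hardened_policy(req: Request, remote_mgmt_enabled: bool = False) -> str:
    """Defender's policy.  Three checks, in order:
    1. management traffic from the WAN is dropped unless the owner has
       explicitly enabled remote management (fixes the first vulnerability);
    2. the file that embeds the ADSL credential is never served at all,
       authenticated or not;
    3. every path outside the allowlist needs a session, regardless of its
       extension (fixes the second vulnerability)."""
    if req.iface == "wan" and not remote_mgmt_enabled:
        return "drop"
    if req.path == "/wanfun.js":
        return "404 not found"
    if req.path not in PUBLIC_PATHS and not req.authed:
        return "401 login required"
    return "200 served"


def compare(req: Request) -> dict:
    """Side-by-side result for one request under both policies."""
    return {"vulnerable": vulnerable_policy(req), "hardened": hardened_policy(req)}


if __name__ == "__main__":
    # Constructed sample requests: unauthenticated WAN-side fetches of the
    # two paths named in the post, plus a normal authenticated LAN request.
    samples = [
        Request("wan", "/rpSysStatus.html", authed=False),
        Request("wan", "/wanfun.js", authed=False),
        Request("lan", "/wanfun.js", authed=False),
        Request("lan", "/rpSysStatus.html", authed=True),
    ]
    for r in samples:
        print(f"{r.iface:3} {r.path:20} authed={r.authed!s:5} -> {compare(r)}")
```

The point of ordering the hardened checks as shown is that each one is independent of the others: even if remote management is deliberately switched on, the credential file still cannot be fetched, and even on the LAN side a page is only reachable with a session. The vulnerable policy, by contrast, lets the file extension decide whether authentication happens at all.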

Affected Devices:

  • HUAWEI Home Gateway – HG520c
  • HUAWEI Home Gateway – HG530
  • HUAWEI Home Gateway – HG532c (Huawei PSIRT has confirmed that HG532c is not vulnerable)
  • Older versions may also be affected

Vulnerabilities Impact:

These vulnerabilities are critical: I was able to find more than 500 affected devices within a few minutes during the test, which means there are thousands of users at risk. The vulnerability is not limited to password disclosure; it can be used to execute complex attacks that result in monitoring all web traffic, phishing attacks, backdooring or infecting websites visited by the user, and more advanced attacks, which I will cover in another post.

Exploit (Proof of Concept):

Click here to download the exploit

Screenshot of a full exploit used to scan multiple IP addresses within a few minutes (private use):

[Screenshot: Huawei HG5xx Exploit]

About Author

Jafer Al Zidjali. Jafer is a security professional with over 10 years of experience. His expertise ranges from Penetration Testing and Web Application Security to Vulnerability Research and Exploit Development.