While I was testing Huawei’s Home Gateway device, I discovered several serious vulnerabilities which put Omantel’s ADSL users’ information and privacy at risk. The device is provided for free by Omantel to their ADSL subscribers.
To understand the vulnerability and how it is exploited, the following illustration shows the behavior of a typical Modem/Router:
As you can see, by default a modem/router blocks inbound connections to the user’s public IP address unless the user explicitly allows them. However, this is not the case with Huawei’s Home Gateway device:
Huawei’s Home Gateway device accepts inbound connections to the user’s public IP address, which exposes the device’s web interface to the Internet. Most non-technical users never change the web interface password, which is set to “admin” by default.
Huawei’s Home Gateway device checks the user’s credentials before displaying a page. For example, if a user requests the following page without logging in first:
The device displays a message requesting a username and password. This check is applied to file names with the .html extension. However, it is not applied to file names with the .js extension, and this is where the vulnerability lies. The device stores the ADSL password in a .js file, and an attacker can request that file directly:
- HUAWEI Home Gateway – HG520c
- HUAWEI Home Gateway – HG530
- HUAWEI Home Gateway – HG532c (Huawei PSIRT has confirmed that HG532c is not vulnerable.)
- Older versions may also be affected
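To make the two root causes concrete (the web interface reachable from the WAN side, and a login check that is keyed on the file extension rather than applied to every path), here is an added example that models the flawed authorization logic beside a hardened version. It is constructed for this post and is not the device's firmware or Huawei's code; the file names, the request fields (`path`, `iface`, `cookie`) and the placeholder secret are assumptions.

```python
"""Extension-based authorization check, vulnerable form beside the hardened form.

Constructed model (not the gateway's real firmware): an embedded web UI that
writes a credential into a .js file and gates only .html pages behind login.
"""
from urllib.parse import urlsplit

# Constructed file set served by the embedded web server. The .js file holds a
# secret the way the post describes; the name and contents are placeholders.
FILES = {
    "/index.html": "<html>status page</html>",
    "/wan.html": "<html>WAN settings form</html>",
    "/wan_config.js": "var pppoe_pass = 'PLACEHOLDER_SECRET';",  # hypothetical file
    "/style.css": "body { margin: 0; }",
}

# Substrings that indicate a credential has been written into a client-served
# file (constructed heuristic for the audit function below).
SECRET_MARKERS = ("pass", "pwd", "secret")


def is_authenticated(request):
    """Session check: the request carries a valid session cookie (constructed)."""
    return request.get("cookie") == "session=valid"


def serve_vulnerable(request):
    """Flawed check: login is required only when the path ends in .html.

    Every other file, including the .js file holding the credential, is
    returned to anyone who can reach the interface, and the interface itself
    is reachable from the WAN side (request['iface'] == 'wan').
    """
    path = urlsplit(request["path"]).path
    if path not in FILES:
        return 404, ""
    if path.endswith(".html") and not is_authenticated(request):
        return 401, "login required"
    return 200, FILES[path]


def serve_hardened(request):
    """Deny by default.

    1. The management UI is not served on the WAN interface at all.
    2. Every path requires a valid session, regardless of extension.
    """
    path = urlsplit(request["path"]).path
    if request.get("iface") == "wan":
        return 403, "management interface not available on WAN"
    if path not in FILES:
        return 404, ""
    if not is_authenticated(request):
        return 401, "login required"
    return 200, FILES[path]


def files_leaking_secrets(files=FILES):
    """Audit helper: list served files whose contents look like they embed a
    credential. Per-path access control is the fix for the bypass; never
    writing the credential into a client-served file removes the exposure."""
    return sorted(
        path for path, body in files.items()
        if any(marker in body.lower() for marker in SECRET_MARKERS)
    )


if __name__ == "__main__":
    wan_request = {"path": "/wan_config.js", "iface": "wan"}
    print("vulnerable:", serve_vulnerable(wan_request))
    print("hardened:  ", serve_hardened(wan_request))
    print("files embedding secrets:", files_leaking_secrets())
```

In the vulnerable handler an unauthenticated WAN-side request for `/wan.html` is refused, but the same request for `/wan_config.js` returns the file and its embedded credential. The hardened handler refuses the management UI on the WAN interface outright and requires a session for every path, and `files_leaking_secrets()` shows the audit a firmware review would run to catch credentials written into client-served files in the first place.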
These vulnerabilities are critical. I was able to find more than 500 affected devices within a few minutes during the test, which means there are thousands of users at risk. The vulnerability is not limited to password disclosure and can be used to execute complex attacks which can result in monitoring all web traffic, phishing attacks, backdooring/infecting websites visited by the user, and more advanced attacks which I will cover in another post.
Exploit (Proof of Concept):
Screenshot of a full exploit used to scan multiple IP addresses within a few minutes (private use):