File http-huawei-hg5xx-vuln

Script types: portrule
Categories: exploit, vuln
Download: http://nmap.org/svn/scripts/http-huawei-hg5xx-vuln.nse

User Summary

Detects Huawei modem models HG530x, HG520x and HG510x (and possibly others) that are vulnerable to a remote credential and information disclosure vulnerability. It also extracts the PPPoE credentials and other interesting configuration values.

Attackers can query the URIs "/Listadeparametros.html" and "/wanfun.js" without authentication to extract sensitive information, including PPPoE credentials, firmware version, model, gateway, DNS servers and active connections, among other values.

This script exploits two vulnerabilities. One was discovered and reported by Adiaz from Comunidad Underground de Mexico (http://underground.org.mx) and allows attackers to extract the PPPoE password. The configuration disclosure vulnerability was discovered by Pedro Joaquin (http://hakim.ws).

References:

  • http://websec.ca/advisories/view/Huawei-HG520c-3.10.18.x-information-disclosure
  • http://routerpwn.com/#huawei
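From the defender's side, the two URIs named above are also a useful detection signature: any request for "/Listadeparametros.html" or "/wanfun.js" arriving at one of these modems is either this script or someone doing the same thing by hand. The following Python is an added example, not code from the Nmap page or from the NSE script itself. It assumes HTTP request logs captured in front of the devices (for example from a proxy or an IDS) in Common Log Format; the log lines embedded below are constructed samples. It groups hits by source address and rates them by whether both endpoints were fetched and whether the device actually answered 200 (content served) rather than 404 (endpoint blocked or removed).

```python
import re
from collections import defaultdict

# Constructed sample HTTP request log (Common Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2012:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.9 - - [12/Mar/2012:10:01:07 +0000] "GET /Listadeparametros.html HTTP/1.1" 200 2048
10.0.0.9 - - [12/Mar/2012:10:01:08 +0000] "GET /wanfun.js HTTP/1.1" 200 1024
10.0.0.7 - - [12/Mar/2012:10:02:00 +0000] "GET /wanfun.js?v=1 HTTP/1.1" 404 210
10.0.0.7 - - [12/Mar/2012:10:02:01 +0000] "GET /images/logo.png HTTP/1.1" 200 900
"""

# The two unauthenticated disclosure endpoints named in the script summary.
DISCLOSURE_URIS = {"/Listadeparametros.html", "/wanfun.js"}

# Minimal Common Log Format parser: client, timestamp, request line, status.
CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_clf(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Drop any query string so "/wanfun.js?v=1" still matches the path.
    rec["path"] = rec["uri"].split("?", 1)[0]
    return rec


def find_disclosure_probes(log_text):
    """Return {src_ip: {"uris": set_of_paths, "served": bool}} for every source
    that requested a disclosure URI. 'served' is True when the device answered
    200 to at least one of them, i.e. the configuration was likely handed out."""
    hits = defaultdict(lambda: {"uris": set(), "served": False})
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec is None or rec["path"] not in DISCLOSURE_URIS:
            continue
        hit = hits[rec["src"]]
        hit["uris"].add(rec["path"])
        if rec["status"] == 200:
            hit["served"] = True
    return dict(hits)


def severity(hit):
    """Rate one source's activity for triage."""
    if hit["served"] and hit["uris"] == DISCLOSURE_URIS:
        return "high"    # both endpoints fetched and served: full disclosure
    if hit["served"]:
        return "medium"  # at least one endpoint served
    return "low"         # probed, but the device did not serve the content


if __name__ == "__main__":
    for src, hit in sorted(find_disclosure_probes(SAMPLE_LOG).items()):
        print(src, severity(hit), sorted(hit["uris"]))
```

On the constructed sample, 10.0.0.9 is rated high (both URIs fetched, both served) and 10.0.0.7 low (one probe, answered 404). A "low" hit is still worth recording: it tells you who is scanning for these modems even where the fleet has already been patched or the endpoints are blocked by an ACL.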

Script Arguments

http.max-cache-size, http.max-pipeline, http.pipeline, http.useragent

See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

vulns.showall

See the documentation for the vulns library.

unittest.run

See the documentation for the unittest library.

Example Usage

  • nmap -p80 --script http-huawei-hg5xx-vuln <target>
  • nmap -sV --script http-huawei-hg5xx-vuln <target>

Script Output

PORT   STATE SERVICE VERSION
80/tcp open  http    Huawei aDSL modem EchoLife HG530 (V100R001B122gTelmex) 4.07 -- UPnP/1.0 (ZyXEL ZyWALL 2)
| http-huawei-hg5xx-vuln:
|   VULNERABLE:
|   Remote credential and information disclosure in modems Huawei HG5XX
|     State: VULNERABLE (Exploitable)
|     Description:
|       Modems Huawei 530x, 520x and possibly others are vulnerable to remote credential and information disclosure.
|       Attackers can query the URIs "/Listadeparametros.html" and "/wanfun.js" to extract sensitive information
|       including PPPoE credentials, firmware version, model, gateway, dns servers and active connections among other values
|     Disclosure date: 2011-01-1
|     Extra information:
|
|   Model:EchoLife HG530
|   Firmware version:V100R001B122gTelmex
|   External IP:xxx.xxx.xx.xxx
|   Gateway IP:xxx.xx.xxx.xxx
|   DNS 1:200.33.146.249
|   DNS 2:200.33.146.241
|   Network segment:192.168.1.0
|   Active ethernet connections:0
|   Active wireless connections:3
|   BSSID:0xdeadbeefcafe
|   Wireless Encryption (Boolean):1
|   PPPoE username:xxx
|   PPPoE password:xxx
|     References:
|       http://routerpwn.com/#huawei
|_      http://websec.ca/advisories/view/Huawei-HG520c-3.10.18.x-information-disclosure

Requires


Author: Paulino Calderon <calderon@websec.mx>

License: Same as Nmap--See http://nmap.org/book/man-legal.html
