V1n1v131r4/HGB10R-2

HGB10R-2

Exploiting Router Humax Wireless Voice Gateway HGB10R-2

For this PoC I published the CVEs below:

CVE-2019-19889: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19889

CVE-2019-19890: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19890

Admin Credentials on HTTP Request

This is a Proof of Concept showing how the Humax HGB10R-2 router admin credentials can be obtained by sniffing HTTP traffic.

In Brazil this router is available from ISP NET and is present in most homes.

Using Wireshark for packet capture and a Firefox browser to access the router management panel, it was possible to see that the admin credentials were sent using Basic Authentication (Base64-encoded only), as shown in the images below:

[Images: Kali, HGB10R-2, Wireshark]

PoC on Video:

HGB10R-2
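
An added example, not part of the original repository: a small audit check for the issue described above. It scans cleartext HTTP requests for Authorization: Basic headers and shows that the token decodes without any key; the sample requests, address and credentials are constructed for illustration.

```python
import base64
import binascii
import re
from typing import List, Optional

# Constructed sample requests (made-up address, paths and credentials),
# shaped like what a cleartext capture of a management session contains.
SAMPLE_REQUESTS = [
    b"GET /index.html HTTP/1.1\r\nHost: 192.0.2.1\r\n"
    b"Authorization: Basic " + base64.b64encode(b"admin:example-pass") + b"\r\n\r\n",
    b"GET /status HTTP/1.1\r\nHost: 192.0.2.1\r\nauthorization: basic !!notbase64\r\n\r\n",
    b"GET /logo.png HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n",
]

# Header names and the scheme name are case-insensitive.
AUTH_RE = re.compile(rb"^authorization:[ \t]*basic[ \t]+(\S+)[ \t]*\r?$", re.I | re.M)


def audit_request(raw: bytes) -> Optional[dict]:
    """Return a finding if the request carries a Basic auth header, else None."""
    match = AUTH_RE.search(raw)
    if not match:
        return None
    finding = {
        "request": raw.split(b"\r\n", 1)[0].decode("latin-1"),
        "user": None,
        "password_len": None,
        "decodable": False,
    }
    try:
        decoded = base64.b64decode(match.group(1), validate=True)
    except (binascii.Error, ValueError):
        return finding  # header present, but the token is not valid Base64
    user, sep, password = decoded.partition(b":")
    if sep:  # RFC 7617 form is "user:password"
        # Report only the password length so the audit output holds no secret.
        finding.update(user=user.decode("utf-8", "replace"),
                       password_len=len(password), decodable=True)
    return finding


def audit_capture(requests: List[bytes]) -> List[dict]:
    """Collect findings for every request that exposes Basic credentials."""
    return [f for f in map(audit_request, requests) if f is not None]


if __name__ == "__main__":
    for f in audit_capture(SAMPLE_REQUESTS):
        print(f)
```

Any finding with "decodable" set to True means the management session exposes the login to anyone on the network path, so the panel should only be reached over a transport that encrypts the request.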

Admin Credentials on Backup File

Another vulnerability (which has been around since the HG100 2.0.6 release, as per CVE-2017-7317) is that an attacker with access to the backup file could obtain the router admin credentials and the Wi-Fi credentials, as shown in the images below:

[Images: Admin on bkp file, Base64, Wi-Fi Pass]
