Huawei SOHO router information disclosure, cve-2013-6031 #3019

Merged
merged 1 commit into from Jan 24, 2015

Contributor

aczire commented Feb 21, 2014

Add VU#341526 (CVE-2013-6031): Huawei Datacard Information Disclosure vulnerability.

+ [
+ OptString.new('PASSWORD', [ true, 'The password to reset to', 'admin']),
+ OptBool.new('GAP', [false, 'Attempt admin password reset using wifi password.', false]),
+ ], self.class)
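Review bot: the `PASSWORD` and `GAP` options registered here are not referenced anywhere in the code shown in this PR, and `PASSWORD` is marked required with a default of `'admin'`, so every run carries a reset password even when the user only wants to read information. If the reset/bruteforce path has been removed (as the thread later confirms), drop both options; if it ever comes back, give `PASSWORD` no default and gate the reset behind a clearly named opt-in action, since resetting the admin password changes device configuration rather than just disclosing it.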
@jvennix-r7

jvennix-r7 Mar 6, 2014

Contributor

where are these options used?

+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => "Huawei Datacard, CSRF Information Disclosure Vulnerability",
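Review bot: the `'Name'` in this hunk labels the issue as CSRF, but the module includes `Msf::Exploit::Remote::HttpClient` and issues the requests itself, so nothing in it depends on a victim's browser or session. Name the module for what it actually does (an unauthenticated information disclosure, e.g. `Huawei Datacard Information Disclosure Vulnerability`) and mention the missing CSRF protection only in the description if it is relevant to how the disclosed data can be reached.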
@jvennix-r7

jvennix-r7 Mar 6, 2014

Contributor

Is this a CSRF exploit?

@aczire

aczire Mar 6, 2014

Contributor

Hi,

Yes, the vulnerability is CSRF. Since there is no CSRF protection we can try some bruteforcing also.

The options are for bruteforcing the web interface password using a simple scheme: just try to see whether it is the same as the WiFi key. That's all; the bruteforcing method got removed later, so I need to remove the options as well.

Let me know your comments.

Thanks,
On Mar 6, 2014 8:47 PM, "jvennix-r7" notifications@github.com wrote:

In modules/auxiliary/admin/huawei/huawei_wifi_info.rb:

@@ -0,0 +1,506 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+require 'base64'
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+

  • include Msf::Exploit::Remote::HttpClient
  • def initialize(info={})
  • super(update_info(info,
  •  'Name'           => "Huawei Datacard, CSRF Information Disclosure Vulnerability",
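Review bot: the header comment `# This module requires Metasploit: http//metasploit.com/download` in this hunk is missing the colon after `http`; use the framework's standard header verbatim so msftidy does not flag it. `require 'base64'` is only justified if the module actually encodes or decodes something; confirm it is used before the final version, otherwise remove it.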
    

Is this a CSRF exploit?

Reply to this email directly or view it on GitHub: https://github.com/rapid7/metasploit-framework/pull/3019/files#r10345311

@aczire

aczire Mar 8, 2014

Contributor

It seems someone else has also found the same thing at the same time:
http://packetstormsecurity.com/files/125598

@jvazquez-r7

jvazquez-r7 May 30, 2014

Contributor

As @aczire, I don't think this module is exploiting CSRF, since it's interacting with the server directly, without any user/browser interaction. So I would ask to delete the CSRF from the title here. (Even when probably the app could be vulnerable to CSRF, this module isn't abusing it.)

Contributor

kernelsmith commented Mar 20, 2014

@aczire can you add a description to your pull request? It's very unlikely to get merged without one. Also, you can get some hints for writing a good description from CONTRIBUTING.md

Contributor

wvu-r7 commented May 14, 2014

@aczire: Please complete review.

Contributor

aczire commented May 15, 2014

@kernelsmith Does that mean I need to rewrite the description? Added a description to the pull request anyway. @jvennix-r7 the option to set the password bruteforce has been removed from the module. @wvu-r7 Please let me know if anything else needs to be done.

Contributor

jvazquez-r7 commented May 30, 2014

The module isn't msftidy compliant; it should be made msftidy compliant before we can go ahead. Thanks!

+ {
+ 'method' => 'GET',
+ 'uri' => '/api/wlan/security-settings',
+ }, 25)
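Review bot: the literal `25` passed as the second argument here overrides `send_request_raw`'s default timeout, so the user's configured timeout is ignored for this one request; unless the device is known to stall on `/api/wlan/security-settings`, drop the argument. This endpoint is also where the WiFi key comes from, so its result deserves the same nil/status validation as the other endpoints before anything is parsed out of the body.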
@jvazquez-r7

jvazquez-r7 May 30, 2014

Contributor

Please allow send_request_raw to use its default timeout unless there is a good reason to modify it.

Contributor

jvazquez-r7 commented May 30, 2014

Please report interesting information to the database, see Msf::Auxiliary::Report

@todb-r7 todb-r7 added the module label May 30, 2014

@aczire aczire changed the title from Huawei SOHO router information disclosure and csrf, cve-2013-6031 to Huawei SOHO router information disclosure, cve-2013-6031 Jun 4, 2014

+ super(update_info(info,
+ 'Name' => "Huawei Datacard, Information Disclosure Vulnerability",
+ 'Description' => %q{
+ This module exploits an un-authenticated information disclosure vulnerability (CWE-425) in Huawei
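Review bot: `(CWE-425)` in the description text belongs in the `'References'` array as `['CWE', '425']`, where the framework can render it as a link. The description itself should state plainly what is disclosed (device information, DHCP settings and the WiFi key, per the requests made elsewhere in the module) and that no authentication is required, since that is the security-relevant fact the CVE covers.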
@jvazquez-r7

jvazquez-r7 Aug 4, 2014

Contributor

Metasploit modules support CWE as references. So it's better to add a reference than write it in the description.

+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => "Huawei Datacard, Information Disclosure Vulnerability",
@jvazquez-r7

jvazquez-r7 Aug 4, 2014

Contributor

Huawei Datacard Information Disclosure Vulnerability

+ 'Author' =>
+ [
+ 'Jimson K James.',
+ 'tomsmaily [at] aczire.com', #Msf module
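Review bot: the author list splits the name and the contact into two separate entries, so the framework will display two authors, one of which is just an e-mail address. Combine them as a single entry in the framework's usual form, `'Jimson K James <tomsmaily[at]aczire.com>'`, which also drops the trailing period and the spaces around `[at]`.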
@jvazquez-r7

jvazquez-r7 Aug 4, 2014

Contributor

No spaces around [at]: tomsmaily[at]aczire.com

+ 'References' =>
+ [
+ [ 'CVE', '2013-6031' ],
+ [ 'URL', 'http://www.kb.cert.org/vuls/id/341526' ],
@jvazquez-r7

jvazquez-r7 Aug 4, 2014

Contributor

['US-CERT-VU', '341526']

+
+ register_options(
+ [
+ Opt::RHOST("mobilewifi.home")
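Review bot: defaulting `RHOST` to the hostname `mobilewifi.home` only works when the attacker's resolver is the router itself, i.e. the host is already on the device's WLAN; from anywhere else the name does not resolve and the module fails before a single request is sent, with a DNS error that is harder to diagnose than a missing option. Either leave `RHOST` without a default and mention the hostname in the description as a hint, or document the assumption next to the option.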
@jvazquez-r7

jvazquez-r7 Aug 4, 2014

Contributor

Is it hardcoded name for the device or something like that?

@aczire

aczire Aug 5, 2014

Contributor

Yup, the router's internal DNS resolver resolves this to the local router IP.

@wvu-r7

wvu-r7 Aug 5, 2014

Contributor

Cute. Kinda like routerlogin.net.

@aczire

aczire Aug 13, 2014

Contributor

yup, the Huawei way!

+ })
+
+ #check whether we got any response from server and proceed.
+ if not res
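Review bot: `if not res` is the form msftidy flags; write `unless res`. Whatever the branch prints, it must also end the method (`return` or `fail_with`) so that the status-code check and the body parsing that follow never run against a nil response.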
@jvazquez-r7

jvazquez-r7 Aug 4, 2014

Contributor

unless res

+ end
+
+ #Is it a HTTP OK
+ if (!(res.code == 200))
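Review bot: `if (!(res.code == 200))` is a double negation with redundant parentheses; write `unless res.code == 200`. It is worth also rejecting an empty body here, before the regex parsing later in the module, so that a captive portal or proxy answering 200 with no content is reported as a failed request rather than as a device with no fields.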
@jvazquez-r7

jvazquez-r7 Aug 4, 2014

Contributor

unless res.code == 200

+ get_router_dhcp_info
+ print_status("")
+
+ print_status("Now trying to get WiFi Key details...")
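Review bot: `print_status("")` is being used as a spacer, and the WiFi key retrieval that starts after it is inlined in `run` while the DHCP lookup just above has its own `get_router_dhcp_info` method. Move the WiFi key code into its own getter (e.g. a `get_router_wifi_info`, name illustrative) so each endpoint is fetched and validated in one place and `run` is a uniform sequence of calls.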
@jvazquez-r7

jvazquez-r7 Aug 4, 2014

Contributor

I've the feeling it should be a method too.

+ 'uri' => '/api/device/information',
+ })
+
+ #check whether we got any response from server and proceed.
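Review bot: the nil / HTTP 200 / Server-header checks that follow this `/api/device/information` request are repeated verbatim for every endpoint the module hits. Factor a single helper that takes the URI, performs the request and returns the body (or nil after a `print_error`) so each getter becomes a one-line call and a fix to the validation applies to every endpoint at once.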
@jvazquez-r7

jvazquez-r7 Aug 4, 2014

Contributor

You make the same checks for every response (res, code, Server header). It's worth refactoring so the code isn't copied in several places.

+ print_status("---===[ Basic Information ]===---")
+
+ # Grabbing the DeviceName
+ if res.body.match(/<DeviceName>(.*)<\/DeviceName>/i)
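Review bot: `/<DeviceName>(.*)<\/DeviceName>/i` is greedy, and the same three-line match-and-print block is repeated for every field. Use a non-greedy `(.*?)` so a single-line body cannot let one match run through to a later closing tag, and table-drive the extraction (a constant hash of field name to regex, one method that loops over it) so adding a field is one line. Since the API returns XML, parsing it with REXML from the standard library would also be more robust than regexes over untrusted body text.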
@jvazquez-r7

jvazquez-r7 Aug 4, 2014

Contributor

The whole module keeps repeating the same code again and again. I think it's worth refactoring. You can use a dictionary of regexes and loop over every entry to find the information in the responses. It's also worth using a method to find the information, so you don't need to repeat the code again and again.

You can use constants to store the dictionary of regexes, since I guess it's going to be static information.
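The refactor suggested in the two review comments above (one helper for the response checks, a constant table of regexes walked by one method), written as an added example in plain Ruby so it runs outside Metasploit. This is not the PR's module code: the `ApiResponse` struct stands in for the Rex HTTP response object, only `DeviceName` comes from the module itself, the other element names and the `Server` header value are illustrative assumptions, and the XML bodies are constructed rather than captured from a device.

```ruby
# Added example, not the module's code: table-driven field extraction plus a
# single response-validation helper, replacing the per-field if/match blocks
# and the repeated nil / 200 / Server-header checks.
require 'cgi'

# Stand-in for the Rex HTTP response the module receives (constructed for
# this example; only the three attributes used here).
ApiResponse = Struct.new(:code, :headers, :body)

# Field name => regex. Only DeviceName appears in the PR; SerialNumber and
# SoftwareVersion are illustrative assumptions, not a documented schema.
# `(.*?)` is non-greedy so a single-line body with many elements does not
# let one match run through to the last closing tag.
DEVICE_INFO_FIELDS = {
  'DeviceName'      => %r{<DeviceName>(.*?)</DeviceName>}im,
  'SerialNumber'    => %r{<SerialNumber>(.*?)</SerialNumber>}im,
  'SoftwareVersion' => %r{<SoftwareVersion>(.*?)</SoftwareVersion>}im
}.freeze

# Mirrors the nil / HTTP 200 / Server-header checks the module repeats for
# every endpoint. Returns the body on success and nil otherwise, so a caller
# can bail out with a single `return unless body`.
def api_body(res, expected_server: nil)
  return nil if res.nil?
  return nil unless res.code == 200
  if expected_server
    server = res.headers.fetch('Server', '')
    return nil unless server.start_with?(expected_server)
  end
  body = res.body.to_s
  body.empty? ? nil : body
end

# Walks the regex table once and returns a Hash of the fields that matched.
# Fields the device did not return are absent rather than empty strings.
def extract_fields(body, fields)
  fields.each_with_object({}) do |(name, re), found|
    m = body.match(re)
    found[name] = CGI.unescapeHTML(m[1].strip) if m
  end
end

# Validate, then extract. Returns {} when validation fails so callers never
# touch a nil body.
def device_info(res, expected_server: nil)
  body = api_body(res, expected_server: expected_server)
  body ? extract_fields(body, DEVICE_INFO_FIELDS) : {}
end

# Constructed sample replies (not captured from a real device).
SAMPLE_OK = ApiResponse.new(
  200,
  { 'Server' => 'example-embedded-httpd' },
  '<?xml version="1.0" encoding="UTF-8"?><response>' \
  '<DeviceName>Example&amp;Router</DeviceName>' \
  '<SerialNumber>SN-CONSTRUCTED-0001</SerialNumber>' \
  '</response>'
)
SAMPLE_404 = ApiResponse.new(404, { 'Server' => 'example-embedded-httpd' }, 'Not found')

if __FILE__ == $0
  device_info(SAMPLE_OK).each { |k, v| puts "#{k.ljust(16)} #{v}" }
  puts "404 reply yields: #{device_info(SAMPLE_404).inspect}"
end
```

With the table in place the module's `run` reduces to one `device_info`-style call per endpoint, and the `Server` check becomes an optional argument rather than a copy of the same `if` in every getter.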

@todb-r7 todb-r7 added the feature label Nov 11, 2014

Contributor

hdm commented Dec 12, 2014

Given how long this has been in the queue and how much work needs to be done, we should consider closing this for now and revisiting it in the future once the module has been cleaned up.

Contributor

hdm commented Dec 12, 2014

Assigning to @jvazquez-r7 since the previous feedback was all his. I can take it otherwise.

Contributor

todb-r7 commented Jan 21, 2015

So, this has Unstable written all over it. Juan made a lot of suggestions, the contributor never responded, we don't appear to have the gear to test.

@jvazquez-r7 will implement his suggestions and unless @aczire (or anyone else!) shows up to test the changes, it'll get shuttled up to Unstable until someone cares to test.

jvazquez-r7 added a commit to jvazquez-r7/metasploit-framework that referenced this pull request Jan 23, 2015

@jvazquez-r7 jvazquez-r7 referenced this pull request in aczire/metasploit-framework Jan 23, 2015

Merged

Clean Huawei SOHO router information disclosure #1

Contributor

jvazquez-r7 commented Jan 23, 2015

Hello @aczire, aczire#1 rebases (updates) your branch and cleans up your module. There are a lot of commits; only the last ones are modifications to your code.

Please feel free to review the changes and ask if you have any doubts or you would like to discuss any point. Once ready, land it in your repository and this pull request will be automatically updated. Please test the module with the changes, because I just fixed code; I didn't have a device for testing. So maybe I've wasted something, please check/test carefully.

Then we'll need network captures and screenshots showing the module with changes working. And it will be ready to go! Network captures / screenshots can be sent to msfdev[at]metasploit.com

Thank you!

Contributor

aczire commented Jan 24, 2015

@todb-r7 @jvazquez-r7 apologies for the delay. You know, personal things and work take the most priority. Well, thanks a lot for showing interest in this module. Will do the testing and report back shortly.

Merge pull request #1 from jvazquez-r7/rebase_3019
Clean Huawei SOHO router information disclosure
Contributor

jvazquez-r7 commented Jan 24, 2015

@aczire thanks for landing aczire#1 , please remember to send traffic capture and screenshot of module working to msfdev[at]metasploit.com for validation and it will be ready to go! :) Thanks!

Contributor

aczire commented Jan 24, 2015

@jvazquez-r7 Just sent a mail to msfdev with the screenshots and packet capture. Could you please take a look at it and let me know if anything is amiss? Thanks...

Contributor

jvazquez-r7 commented Jan 24, 2015

Thanks @aczire , got the email. I'll review materials along the day and will update it if something is missing, will land otherwise :)

@jvazquez-r7 jvazquez-r7 merged commit 6ec3e65 into rapid7:master Jan 24, 2015

1 check passed

continuous-integration/travis-ci The Travis CI build passed

jvazquez-r7 added a commit that referenced this pull request Jan 24, 2015

Contributor

jvazquez-r7 commented Jan 24, 2015

Data looks good, landed, thanks @aczire !

Contributor

aczire commented Jan 24, 2015

Nice to see the module landed. Thanks a lot @jvazquez-r7 for making this happen.

For anyone looking to use the module, leverage the XSS vulnerability (CVE-2014-2968) in the SMS interface to get this module running against the datacard.
It seems other related datacards from Huawei are also vulnerable.
