Remote credential and configuration disclosure of Huawei HG5XX devices using Nmap.
I have added a NSE script called "http-huawei-hg5xx-vuln" which exploits a couple of vulnerabilities found in Huawei HG5XX modems.
The first vulnerability, which allows an attacker to extract the router's configuration file, was found by Pedro Joaquín of Websec. The second vulnerability lets the attacker extract the PPPoE password and was reported by ADiaz.
The information extracted by "http-huawei-hg5xx-vuln" is:
- PPPoE credentials
- Model
- Firmware version
- Gateway IP
- DNS 1 and 2
- Network segment
- Active Ethernet and WiFi connections
- BSSID
To obtain the Huawei HG5XX's PPPoE credentials and configuration file with Nmap we can use the following command:
$ nmap -p80 --script http-huawei-hg5xx-vuln <IP>
If the device is vulnerable, the script reports the information listed above.
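When the script is run against a whole range of an operator's own network with -oX, the XML output can be parsed to inventory which modems were flagged. The helper below is an added example, not part of the original post or of Nmap; the sample XML is constructed, and the elem keys (state, title) inside the script element are assumed.

```python
"""Triage an Nmap XML report produced with --script http-huawei-hg5xx-vuln.

Added example, not code from the original post or from Nmap. Assumes a run like:
    nmap -p80 --script http-huawei-hg5xx-vuln -oX scan.xml <range>
"""
import sys
import xml.etree.ElementTree as ET

SCRIPT_ID = "http-huawei-hg5xx-vuln"

# Constructed sample report (not real scan data). The host/port/script layout
# follows Nmap's XML schema; the elem keys 'state' and 'title' are assumed.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="80"><state state="open"/>
      <script id="http-huawei-hg5xx-vuln" output="VULNERABLE">
        <elem key="state">VULNERABLE</elem>
        <elem key="title">Huawei HG5XX credential and configuration disclosure</elem>
      </script></port></ports></host>
  <host><address addr="192.0.2.11" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="80"><state state="open"/>
      <script id="http-huawei-hg5xx-vuln" output="NOT VULNERABLE">
        <elem key="state">NOT VULNERABLE</elem>
      </script></port></ports></host>
  <host><address addr="192.0.2.12" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="80"><state state="closed"/></port></ports></host>
</nmaprun>
"""


def parse_results(xml_text):
    """Map IPv4 address -> reported state for every host where the script ran.
    Prefers the structured 'state' elem, falls back to the raw output attribute."""
    results = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for script in host.iter("script"):
            if script.get("id") != SCRIPT_ID:
                continue
            state = script.find("elem[@key='state']")
            text = state.text if state is not None else script.get("output", "")
            results[addr.get("addr")] = text.strip()
    return results


def vulnerable_hosts(xml_text):
    """Sorted IPs whose state begins with VULNERABLE (so NOT VULNERABLE is excluded)."""
    return sorted(ip for ip, st in parse_results(xml_text).items()
                  if st.upper().startswith("VULNERABLE"))


if __name__ == "__main__":
    report = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    print("\n".join(vulnerable_hosts(report)))
```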
Here you can see a video demonstrating "http-huawei-hg5xx-vuln" in action:
References
- https://websec.ca/advisories/view/Huawei-HG520c-3.10.18.x-information-disclosure
- https://seclists.org/nmap-dev/2012/q2/346
- https://routerpwn.com/#huawei