Medium May 13, 2010

Huawei EchoLife HG520 Remote Information Disclosure

Huawei EchoLife HG520 modems are affected by a remote information disclosure vulnerability. It can be exploited by sending a specially crafted UDP packet that causes the modem to return sensitive information in clear text.

CVSS Score: 5.3 / 10.0
Severity: Medium
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Advisory

Device: Huawei EchoLife HG520
Firmware: 3.10.18.7-1.0.7.0, 3.10.18.5-1.0.7.0, 3.10.18.4
Software: V100R001B120Telmex, V100R001B121Telmex
Websec Advisory: WS10-10

Description

A specially crafted UDP packet causes the modem to remotely disclose software and firmware versions, the MAC address, local and remote IP addresses, the device model, and PPPoE credentials in clear text.

Proof of Concept

A working exploit is provided as a Python / Scapy / tcpdump script:

# Local target
python udp520.py

# Remote target
python udp520.py <target-ip>

If no response packet is visible, capture with Wireshark. If the error "No module named all" is raised, install Scapy from source.

Remediation

Filter inbound UDP traffic to the affected services on the WAN side.
