Re: NSE: Credential disclosure in modems Huawei HG510, HG520x, HG530 and possibly others

[Paulino Calderon <paulino () calderonpale com>]

On 17/05/2012 08:03 p.m., Paulino Calderon wrote:
> Hi list,
>
> Here is my NSE script for detecting and extracting information from 
> vulnerable Huawei modems. I know that these modems are popular in 
> México (Over 2 million devices here), Spain, Italy, Ecuador and other 
> countries in south america but let me know if you know other ISPs 
> using them. I also know Colombia have a lot of them but they have 
> patched versions over there. This vulnerability was reported a long 
> time ago but ISPs don't seem interested in fixing it any time soon.
>
> description = [[
> Detects Huawei modems models HG530x, HG520x, HG510x and possibly 
> others that are vulnerable to a remote credential and information 
> disclosure vulnerability. It also extracts the PPPoE credentials
> and other interesting configuration values.
>
> Attackers can query the URIs "/Listadeparametros.html" and 
> "/wanfun.js" to extract sensitive information
> including PPPoE credentials, firmware version, model, gateway, dns 
> servers and active connections among other values.
>
> This vulnerability was discovered and reported by Adiaz from Comunidad 
> Underground de Mexico (http://underground.org.mx).
> ]]
>
> ---
> -- @usage nmap -p80 --script huawei-ppp-pwd.nse <target>
> -- @usage nmap -sV huawei-ppp-pwd.nse <target>
>
>
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://seclists.org/nmap-dev/
Here is the fixed version. UTF-8 characters got replaced somehow.

Cheers.

--
Paulino Calderón Pale
Website: http://calderonpale.com
Twitter: http://twitter.com/calderpwn

Attachment: huawei-hg5xx-info.nse
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/