Date: Tue, 30 Jun 2009 05:16:38 -0600
From: filip.palian@...stk.edu.pl
To: bugtraq@...urityfocus.com
Subject: Multiple Flaws in Huawei D100

Multiple Flaws in Huawei D100

by Filip Palian <filip (dot) palian (at) pjwstk (dot) edu (dot) pl>

Description:
The Huawei D100 is a device offered by the Polish telecom operator Play to provide broadband Internet access over CDMA, and it is already widely in use.

Overview:
The Huawei D100 firmware and its default configuration have flaws which allow LAN users to gain unauthorized full access to the device.

#1 No HTTPS support for the web interface
Communication with the web interface can be sniffed by an attacker on the LAN.

#2 System doesn't force the administrator to change the default password upon first login
Many administrators leave it unchanged.

#3 Brute-force attack on admin account
Login attempts are not limited at all.

#4 Login and password stored in cookie
The administrator's login and password are stored in a cookie in plain text.
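To make flaws #3 and #4 concrete, here is an added example (my own illustration, not code from the advisory or from Huawei) of a minimal web-interface login handler that counts failed attempts per client and locks them out, and that issues an opaque session token instead of putting the credentials in the cookie. The credential store, the cookie names in `insecure_cookie`, and the lockout threshold and window are assumptions; the page does not describe how the D100 firmware stores or checks the password.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Constructed demo credential store, not the device's own (the page does not
# describe how the firmware stores its administrator password).
USERS = {"admin": "admin"}

MAX_FAILURES = 5        # assumed lockout threshold
LOCKOUT_SECONDS = 300   # assumed lockout window


def insecure_cookie(username, password):
    """The pattern flaw #4 describes (cookie names are constructed here): the
    credentials themselves travel in the cookie on every request, readable to
    anyone who can sniff the unencrypted HTTP traffic (#1)."""
    return f"Set-Cookie: login={username}; password={password}; Path=/"


@dataclass
class LoginService:
    """Login handler with the two fixes:
    - failed attempts are counted per client address and further attempts are
      refused for LOCKOUT_SECONDS once MAX_FAILURES is reached (#3);
    - a successful login yields an opaque random session token; the password
      never reaches the cookie (#4)."""
    failures: dict = field(default_factory=dict)   # client -> (count, first failure ts)
    sessions: dict = field(default_factory=dict)   # token -> username

    def _locked(self, client, now):
        count, since = self.failures.get(client, (0, now))
        if now - since >= LOCKOUT_SECONDS:
            self.failures.pop(client, None)        # window expired, start over
            return False
        return count >= MAX_FAILURES

    def login(self, client, username, password, now=None):
        """Return (session_token, status); token is None unless status is 'ok'."""
        now = time.time() if now is None else now
        if self._locked(client, now):
            return None, "locked"
        expected = USERS.get(username, "")
        # constant-time comparison, so the check itself does not leak by timing
        ok = username in USERS and hmac.compare_digest(expected.encode(), password.encode())
        if not ok:
            count, since = self.failures.get(client, (0, now))
            self.failures[client] = (count + 1, since)
            return None, "bad credentials"
        self.failures.pop(client, None)
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        return token, "ok"

    def set_cookie_header(self, token):
        # Only the opaque token goes to the browser. HttpOnly keeps it away from
        # page scripts; Secure means it is only sent over TLS, which the device
        # would need to offer first (#1).
        return f"Set-Cookie: session={token}; HttpOnly; Secure; SameSite=Strict; Path=/"

    def user_for(self, token):
        return self.sessions.get(token)
```

The per-client counter is keyed on the source address because that is what a LAN-facing device can see; the lockout window is deliberately short so a legitimate administrator who mistypes is not locked out for long, while an unlimited guessing loop is reduced to a handful of attempts per window.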

#5 Wi-Fi enabled by default
Anyone can connect to the LAN without any problems.

#6 Wi-Fi encryption is disabled by default
Communication in the LAN can be sniffed by an attacker.

#7 SSID broadcast is enabled by default
Anyone can connect to the LAN without any problems.

#8 Partial information leakage
Unauthorized users have access to information stored on the router when JavaScript is disabled in the browser. Examples:
http://192.168.1.1/en/lan_status_adv.asp
http://192.168.1.1/en/wlan_basic_cfg.asp
http://192.168.1.1/en/lancfg.asp
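The usual cause of the behaviour described in #8 is an authorization check done in the page's own JavaScript rather than on the server. The following added example (my illustration, not the device's code) contrasts that pattern with a server-side check and includes a small regression function a defender can run against either handler. The page contents, the session tokens and the `/login.asp` URL are constructed placeholders; only the three paths come from the advisory.

```python
# Constructed stand-ins for the status pages listed above and for the session
# mechanism; the D100's real page contents, cookie format and login URL are not
# on the page, so /login.asp and the token are placeholders.
STATUS_PAGES = {
    "/en/lan_status_adv.asp": "LAN 192.168.1.1/24, DHCP enabled, 3 clients",
    "/en/wlan_basic_cfg.asp": "SSID home-net, encryption none",
    "/en/lancfg.asp": "LAN IP 192.168.1.1, netmask 255.255.255.0",
}
VALID_SESSIONS = {"tok-demo-1"}   # constructed: tokens of logged-in administrators
LOGIN_URL = "/login.asp"          # placeholder


def handle_vulnerable(path, session=None):
    """Pattern behind #8: the server always writes the page body and relies on
    a script in it to send unauthenticated browsers to the login form. A
    client with JavaScript disabled never runs the script and just reads the
    data."""
    if path not in STATUS_PAGES:
        return 404, ""
    guard = "" if session in VALID_SESSIONS else f"<script>location='{LOGIN_URL}'</script>"
    return 200, guard + STATUS_PAGES[path]


def handle_fixed(path, session=None):
    """Authorization decided on the server: no session, no body. The redirect
    carries only a Location header (represented here by the status code)."""
    if path not in STATUS_PAGES:
        return 404, ""
    if session not in VALID_SESSIONS:
        return 302, ""
    return 200, STATUS_PAGES[path]


def leaks_without_js(handler, path):
    """Regression check: request the page as an unauthenticated client that
    ignores scripts and report whether configuration data came back."""
    status, body = handler(path, session=None)
    return status == 200 and path in STATUS_PAGES and STATUS_PAGES[path] in body
```

The check only looks at what the server returns to an unauthenticated request, which is exactly what a non-JavaScript browser sees; if any byte of configuration data is in that body, the redirect script is decoration, not a control.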

#9 Telnet service enabled by default
Anyone on the LAN is able to log in using the default admin:admin account with root privileges. There is no way to change this password (sic!). This account has nothing in common with the administrator account in the web-based management console.

Status:
At the moment no fixes have been provided by the vendor. As a workaround the administrator should:
#1 change the default administrator password (it can still be sniffed on the LAN)
#2 enable Wi-Fi encryption
#3 turn on client MAC address filtering
#4 turn off SSID broadcasting
#5 restrict access to the telnet service using the built-in firewall

Disclosure timeline:
23 VI 2009: Detailed information with examples, PoCs, terms of cooperation and the planned disclosure date sent to the vendor (ok@...ocplay.pl).
	: No response from the vendor.
29 VI 2009: Resent the notification with an indication that this would be the last attempt to disclose responsibly.
	: No response from the vendor.
30 VI 2009: Security bulletin released.
	Response: ?

Rationale:
The vendor hasn't responded at all. The bulletin was released in the hope that users will be able to protect themselves against the threats described above before the vendor releases fixes, and before the bad guys reach them first.

Links:
* http://playmobile.pl/
* http://www.huawei.com/


Best regards,
Filip Palian
