The updater then sends the files directly to the modem over 1280/tcp, which overwrites the MTD (Memory Technology Device, i.e. flash storage) of the device without authentication:

8/ telnet connection from the official tool (with admin:admin credentials by default): HGW login.
The updater tries to log in to the modem over telnet (admin/admin) in order to extract the firmware versions (if the password is not admin, the update will continue and will work). The diag program running in the Huawei B260A replies by sending out information about the versions of the different components of the firmware. The program (FMC tool) provided by Tunisia Telecom (from Huawei) to update the firmware sends a UDP packet to the broadcast port 1280/udp.

Telnet: Unable to connect to remote host: Connection

- Firmware upload without authentication:

Remote DoS against the HTTP server without authentication:

telnet 192.168.1.1 80

Connection closed by foreign

telnet 192.168.1.1 80
Details - Remote DoS without authentication

This can easily be done using a CSRF attack.

Apparently, there are CSRF everywhere (EVERYWHERE).

Grab information (wifi password, PPP passwords) without authentication: wget -qO.

Get PPP passwords without authentication: wget -qO- ''|grep -i 'var profile'

Grab wifi password without authentication: wget -qO- ''|less

Second remote reboot without authentication: wget -qO- --post-data='action=Apply&page=lancfg.asp' ''

Remote reboot without authentication: wget -qO- --post-data='action=Reboot&page=resetrouter.asp'
The Huawei B260A stores the administrator's account name and password in cleartext in a cookie (using base64), which allows context-dependent attackers to obtain sensitive information by (1) reading a cookie file and (2) sniffing the network for HTTP headers, and possibly (3) using unspecified other vectors.

The cookie is: Cookie: Basic=admin:base64(password):0

Note: This firmware seems to be used for these 14 Huawei devices (from ) which, therefore, are likely to be vulnerable to the same threats:

The tests below are done using the last available firmware (firmware 846.11.15.08.115 - Feb 20 2013).
is a Chinese multinational networking and telecommunications equipment and services company. It is the largest telecommunications equipment manufacturer in the world.

The Huawei B260A device is a 3G modem / access point that is badly designed overall, with a lot of vulnerabilities. The device is provided by Orange Tunisia as a "Flybox". It's available in a lot of countries to provide Internet access over a 3G network (Vodafone provides this device, for example).