In this article I will describe, at a high level, an authentication bypass I found in HG8245H FTTH (Fiber To The Home) routers during a penetration test.
I had the firmware for the device, so I started by extracting the file system image with binwalk and reading through some of the source code.
While reading the source I noticed that several CGI scripts were being called from inside the code, but for some reason those scripts were not present in the binwalk output. So I ran Burp, used content discovery against all of the router's pages, and found a number of CGI requests being issued by the application.
Next I tried sending some of these CGI requests without any authentication, and surprisingly it worked.
Looking further, I found a CGI request that can call any page inside the router. In other words, this one request lets us read any page we want: the information page, the page holding the PPPoE configuration, the list of active connections on the wireless interface, basically any page we like.
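The defensive side of the pattern described above is spotting it in the router's own web-server access logs: a CGI endpoint answering 2xx to a client that never authenticated. The following is an added example, not code from the original post or from Huawei; the log format is a simplified constructed one, and the paths (`EXAMPLE_getpage.cgi`) and the `sid` cookie name are placeholders, not the router's real endpoints.

```python
"""Flag CGI requests that succeeded without a session cookie in an access log."""
import re

# Constructed access-log excerpt in a simplified, space-delimited format:
#   <client_ip> <method> <path> <status> <session_cookie or "-">
# Paths and the cookie name are placeholders, not the router's real endpoints.
SAMPLE_LOG = """\
192.0.2.10 GET /login.html 200 -
192.0.2.10 POST /login.cgi 302 sid=abc123
192.0.2.10 GET /cgi-bin/EXAMPLE_getpage.cgi?page=status 200 sid=abc123
198.51.100.7 GET /cgi-bin/EXAMPLE_getpage.cgi?page=deviceinfo 200 -
198.51.100.7 GET /cgi-bin/EXAMPLE_getpage.cgi?page=wan 200 -
203.0.113.4 GET /cgi-bin/EXAMPLE_getpage.cgi?page=wlan 401 -
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\S+)$")
CGI_RE = re.compile(r"\.cgi(\?|$)")   # path ends in .cgi, with or without a query string


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, method, path, status, cookie = m.groups()
    return {"ip": ip, "method": method, "path": path,
            "status": int(status), "cookie": cookie}


def find_unauthenticated_cgi(log_text, allowed_paths=("/login.cgi",)):
    """Return CGI requests that got a 2xx response with no session cookie.

    Endpoints in allowed_paths (the login handler) are expected to be hit
    unauthenticated and are skipped; a 401/403 means the check held, so
    those are not findings either.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not CGI_RE.search(rec["path"]):
            continue
        if rec["path"].split("?", 1)[0] in allowed_paths:
            continue
        if rec["cookie"] == "-" and 200 <= rec["status"] < 300:
            findings.append(rec)
    return findings


def summarize_by_ip(findings):
    """Count findings per client, which is the figure worth alerting on."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_unauthenticated_cgi(SAMPLE_LOG)
    for h in hits:
        print(f"unauthenticated CGI hit: {h['ip']} {h['method']} {h['path']} -> {h['status']}")
    print(summarize_by_ip(hits))
```

On the constructed sample only the two requests from 198.51.100.7 are flagged; the authenticated hit and the rejected 401 are not.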
Great, the vulnerability was confirmed. Next I wanted to check whether it existed only in the HG8245H routers I had on hand during the penetration test or whether it affected other routers as well.
So I searched Shodan for HG8245H routers; nearly a hundred routers showed up. I then ran my exploit and called the information page, and indeed it was served and I could read the version, serial number, etc.
Normally on these routers the password is unique to each device: the last 8 digits of the serial number are the password. So I tried to log in as admin, and it succeeded.
Finally, of course, I reported it to Huawei, and Huawei fixed it according to the email below. So I encourage all FTTH router owners out there to patch the vulnerability.