This is a prequel to this post here
Well, I got to play around with my router a few weeks ago. My router, a Huawei HG8245H version, is pretty decent for home use.
First things first, the login password is smack on the bottom of the router, as shown below.
Most routers have a well-known default password; in fact, there are multiple sites dedicated to documenting them. So I got curious to know what info I could get using these credentials.
A quick Google search says that the user root/admin is a normal user, with telecomadmin/admintelecom being the superuser. Funny enough, I was unable to log in using the admintelecom/telecomadmin set of credentials. The superuser account gives a user access to other options, notably backing up configuration settings, editing and loading the router config file, etc.
The explanation I got for this is that as soon as the router gets connected to the ISP WAN, it grabs its configuration from the ISP, and this particular set of admin credentials doesn't work. So how do we bypass this?
Proof of concept:
1. Enter the web interface (http://192.168.100.1) using the root/admin credentials.
2. Reboot the router.
3. Disconnect the fibre cable as it restarts.
4. As it restarts, try to log in on http://192.168.100.1 as telecomadmin/admintelecom.
Voila! You are in, as superadmin, with more options to tweak the router 😀
5. To elevate your normal user root to superadmin status, download the router config file from System Tools > Configuration File. This file, named “hw_ctree.xml”, is encrypted and appears as below:
Fortunately, we can decrypt the router config file using any AES decryption tool.
6. Proceed to decrypt as below:
and here we have our plaintext config file:
For this post, our area of concern would be the part highlighted below:
Notice the different userlevels for the two users (root and telecomadmin), 0 and 1. Now we know userlevel 0 is superadministrator.
7. Edit the root user line to userlevel 0. Save the file and decrypt it.
8. Log in to our web interface, upload the new config file and restart the router.
9. Once restarted, log in as root/admin, and enjoy the new options available 🙂
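From the defender's side, the edit in step 7 leaves a trace: an account's userlevel in the config no longer matches a known-good backup. The following is an added example, not code from the original post; it compares two already-decrypted configs and reports user-level changes. The XML element and attribute names are assumptions (the post's screenshot of the file is not available as text), and both sample configs are constructed.

```python
import xml.etree.ElementTree as ET

SUPERADMIN_LEVEL = "0"  # per the post: userlevel 0 is the superadministrator

# Constructed sample configs. Element and attribute names are assumptions;
# only the user names and the meaning of level 0 come from the post.
BASELINE = """<Config><WebUsers>
  <User UserName="root" UserLevel="1"/>
  <User UserName="telecomadmin" UserLevel="0"/>
</WebUsers></Config>"""

MODIFIED = """<Config><WebUsers>
  <User UserName="root" UserLevel="0"/>
  <User UserName="telecomadmin" UserLevel="0"/>
</WebUsers></Config>"""


def user_levels(xml_text):
    """Map user name -> level for every element carrying both attributes."""
    levels = {}
    for elem in ET.fromstring(xml_text).iter():
        # Match attribute names case-insensitively, since the exact
        # spelling in the real file is not known from the post's text.
        attrs = {k.lower(): v for k, v in elem.attrib.items()}
        if "username" in attrs and "userlevel" in attrs:
            levels[attrs["username"]] = attrs["userlevel"].strip()
    return levels


def audit(baseline_xml, current_xml):
    """Return (user, old, new, finding) for every account that differs."""
    before, after = user_levels(baseline_xml), user_levels(current_xml)
    findings = []
    for name in sorted(set(before) | set(after)):
        old, new = before.get(name), after.get(name)
        if old == new:
            continue
        if old is None:
            kind = "account added"
        elif new is None:
            kind = "account removed"
        elif new == SUPERADMIN_LEVEL:
            kind = "elevated to superadmin"
        else:
            kind = "level changed"
        findings.append((name, old, new, kind))
    return findings


if __name__ == "__main__":
    for name, old, new, kind in audit(BASELINE, MODIFIED):
        print(f"{name}: {old} -> {new} ({kind})")
```
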
I called up Huawei to notify them of this and after a rather lengthy discussion they finally emailed me: “We will not track this issue as a vulnerability. If you still have some different option please never hesitate to contact us. Thanks again for your concern about the security problems of Huawei products. If you ever find any potential security issues in Huawei products in the future, we are looking forward to working with you again.”
I would, however, like to thank Huawei for the quick response and follow-up on their part. Many security researchers would, however, have wished that we would fix this issue, as we all know how attacks like DDoS are being propagated using default credentials in routers or other IoT devices.
Find Part II here