Huawei HG8245H router “privilege escalation”…Part I

This is a prequel to this post here

Well, I got to play around with my router a few weeks ago. My router, a Huawei HG8245H version, is pretty decent for home use.

First things first, the login password is smack on the bottom of router as below.


Most routers have a well known default password, infact there are multiple sites dedicated to document that. So I got curious to know what info I could get using these credentials.

A quick google search says that the user root/admin is a normal user with the telecomadmin/admintelecom being the super user. Funny enough, I was unable to log in using the admintelecom/telecomadmin set of credentials. The superuser account allows a user to have access to other options, notably backup configuration settings, edit and load router config file etc.

An explanation I got as to why this is the case is because as soon as the router gets connected to ISP WAN it grabs configuration from ISP and this particular set of admin credentials don’t work. So how do we bypass this?

Proof of concept:

  1. Enter web interface ( using root/admin credentials
  2. Reboot the router.
  3. Disconnect fibre cable as it restarts
  4. As it restarts, try to log in on as telecomadmin/admintelecom

Voila! You are in, as superadmin, with more options to tweak the router 😀

telecomadmin login

        5. To elevate your normal user root to superadmin status. Download router config file           from System Tools > Configuration File.. This  file named “hw_ctree.xml” is                             encrypted and appears as below:


Fortunately, we can decrypt the router config file using any aes decryption tool.

6. Proceed to decrypt as below:


and here we have our plaintext config file:

interesting users

For this post, our area of concern would be the part highlighted below:

2more users

Notice the different userlevels for the two users (root and telecomadmin), 0 and 1. Now we know userlevel 0 is superadministrator.

        7. Edit the root user line to userlevel 0. Save file and decrypt it

        8. Log in to our web interface, upload the new config file and restart router.

       9.Once restarted, log in as root/admin, and enjoy the new options available  🙂

I called up Huawei to notify them of this and after a rather lengthy discussion they finally emailed me: “We will not track this issue as a vulnerability. If you still have some different option please never hesitate to contact us. Thanks again for your concern about the security problems of Huawei products. If you ever find any potential security issues in Huawei products in the future, we are looking forward to working with you again.”

I would,however like to thank Huawei’s quick response and follow up on their part. Many security researchers would have however have wished that we would fix this issue as we all know how attacks like DDOS are being propagated using default credentials in routers or other IOT devices.

Find Part II here

5 thoughts on “Huawei HG8245H router “privilege escalation”…Part I

  1. unfortunately, as soon as config file is pushed on to the ONT session expires and login screen loaded. ideas ?


  2. ola, não consegui acessar a conta superusuário fiz todos os procedimentos, mas não entrou….o medelo do meu roteador é huawei HG8121H


  3. I think they somehow patched it now… I can’t even reset my router.. it patitially resets but user is same as before.. password same too


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: