routersploit
Request module for Huawei Flybox B660 Auth Bypass
Huawei Flybox B660 Router 3G/4G PoC testing in 1066.11.15.02.110sp01 software.
The vulnerability can be exploited by remote attackers without a privileged user account or user interaction. For security demonstration or to reproduce the vulnerability, follow the provided information and steps below.
After buying a Flybox Huawei B660, the company sets up a password for you like "admin", "12345" or "55555". We figured out that when you lose your password, you can try to connect multiple times by using the plain passwords above. After the third request the connection will be refused with an exception message. By intercepting the request and passing the error, it is possible to bypass the authentication mechanism of the 3G/4G router device. The problem in the Flybox Huawei B660 is the following: there is no test of whether the password is false or true. If an attacker tries the false password many times in requests, they redirect you, after the bypass of the error, to change your password permanently.
Hi, thanks for your submission. I don't think it's possible to write automatic exploit code for this vulnerability as it is. We need more information about the data sent when trying to log in: what are the input names for the admin and password input fields (and possibly other data like cookie/CSRF token/...), and what's the URL called when pressing the "Connect" button? These are the steps explained in that report, but those data are missing...
@geosphere Are you a happy owner of a Huawei Flybox B660 Router 3G/4G? We could start development if we know we have a device where we can test our PoC.