
CERT Coordination Center

Huawei E585 pocket wifi 2 device contains multiple vulnerabilities

Vulnerability Note VU#871148

Original Release Date: 2012-12-13 | Last Revised: 2012-12-13

Overview

The Huawei E585 pocket wifi 2 device contains multiple vulnerabilities which could allow an attacker to perform administrative functions on the device.

Description

The Huawei E585 pocket wifi 2 device contains multiple vulnerabilities which could allow an attacker to perform administrative functions on the device.

1. The Huawei E585 pocket wifi 2 device Admin Authority Authentication bypass (HWNSIRT-2012-1029) CVE-2012-5968:
The Huawei E585 pocket wifi 2 device fails to check the login status of admin sessions, so an attacker can bypass admin authority authentication, access the protected files and configure the device. This can lead to leakage and tampering of non-shared user data and to disclosure of the session ID; an attacker who obtains the session ID can then authenticate with it and configure the device. The vendor has stated that this vulnerability can only be exploited from the LAN side and cannot be exploited to launch attacks from the WAN side.

2. The Huawei E585 pocket wifi 2 device directory traversal (HWNSIRT-2012-1030) CVE-2012-5969:
The Huawei E585 pocket wifi 2 device fails to restrict the access path of files. An attacker can manually modify a file path to reach system files, and so read protected files or write arbitrary files into the system. Before the system interface is invoked, the web server module of the device fails to strictly validate the file names and file paths contained in request packets on the LAN side. The vendor has stated that this vulnerability can only be exploited from the LAN side and cannot be exploited to launch attacks from the WAN side.

Example requests ($1 stands for the requested file path):
curl -X GET http://192.168.1.1/sdcard/..%2f..%2f"$1"
curl -X POST -d "action=request_page&page=sms.asp&req_page=../../../$1" http://192.168.1.1/en/sms.cgi

3. The Huawei E585 pocket wifi 2 device null pointer denial-of-service (HWNSIRT-2012-1031) CVE-2012-5970:
The Huawei E585 pocket wifi 2 device crashes when it parses specific packets (such as those sent by vulnerability scanning software). The HTTP request segment of such a packet can cause a character string pointer in the code (the return value of the character matching function, and the string pointer used in the login authentication function) to be set to NULL; the underlying code does not check whether this pointer is NULL before using it, causing a segmentation fault that leaves the device unable to respond and function normally.
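As an added illustration of the check the advisory says the web server lacks in item 2 (this is not Huawei's code; the document root /www, the sample requests and the file names are constructed for the example), a path validator that percent-decodes before normalizing, so that both the ..%2f..%2f URI form and the req_page=../../../ form above are rejected, plus a small classifier that flags such requests in access data:

```python
import posixpath
from urllib.parse import parse_qs, unquote

# Assumed document root for the illustration; the real E585 layout is not known here.
WEB_ROOT = "/www"


def resolve_within_root(requested: str, root: str = WEB_ROOT):
    """Return the normalized on-disk path for a request, or None if it escapes root.

    The request is percent-decoded first so that an encoded separator
    (the advisory's ..%2f..%2f form) is seen as a real '/', backslashes
    are treated as separators, and only then is the path normalized.
    """
    decoded = unquote(requested).replace("\\", "/").lstrip("/")
    full = posixpath.normpath(posixpath.join(root, decoded))
    if full != root and not full.startswith(root + "/"):
        return None  # '..' segments climbed above the document root
    return full


def is_traversal_attempt(method: str, target: str, body: str = "") -> bool:
    """Flag a request whose URI path, or whose req_page form field, escapes WEB_ROOT."""
    candidates = [target.split("?", 1)[0]]
    if method == "POST" and body:
        # parse_qs already percent-decodes the form values
        candidates += parse_qs(body).get("req_page", [])
    return any(resolve_within_root(c) is None for c in candidates)


# Constructed sample requests mirroring the two shapes shown in the advisory.
SAMPLE_REQUESTS = [
    ("GET", "/sdcard/..%2f..%2fconfig.txt", ""),
    ("POST", "/en/sms.cgi", "action=request_page&page=sms.asp&req_page=../../../config.txt"),
    ("GET", "/en/sms.cgi", ""),
    ("POST", "/en/sms.cgi", "action=request_page&page=sms.asp&req_page=sms.asp"),
]


def flag_samples():
    """Return the (method, target) pairs of sample requests that look like traversal."""
    return [(m, t) for m, t, b in SAMPLE_REQUESTS if is_traversal_attempt(m, t, b)]


if __name__ == "__main__":
    for method, target, body in SAMPLE_REQUESTS:
        verdict = "TRAVERSAL" if is_traversal_attempt(method, target, body) else "ok"
        print(f"{verdict:10} {method} {target} {body}")
```

The same resolve_within_root check, applied to every file name before the system interface is invoked, is the class of validation whose absence is described in item 2.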

Impact

An attacker with access to the Huawei E585 pocket wifi 2 device web interface can conduct multiple attacks, resulting in information leakage, privilege escalation, and/or denial of service.

Solution

Update


The vendor has released updated versions of the device software. For update information see Huawei-SA-20121124-1-E585 and Huawei-SA-20121203-1-E585.

Restrict access

As a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not prevent XSS, CSRF, or SQLi attacks since the attack comes as an HTTP request from a legitimate user's host. Restricting access would prevent an attacker from accessing the Huawei E585 pocket wifi 2 web interface using stolen credentials from a blocked network location.

Vendor Information


Huawei Technologies Affected

Notified: October 24, 2012 | Updated: December 11, 2012

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References


CVSS Metrics

Group          Score  Vector
Base           7.3    AV:N/AC:H/Au:N/C:C/I:C/A:P
Temporal       5.6    E:POC/RL:W/RC:UC
Environmental  1.5    CDP:L/TD:L/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to John Bird for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

CVE IDs: CVE-2012-5968, CVE-2012-5969, CVE-2012-5970
Date Public: 2012-11-24
Date First Published: 2012-12-13
Date Last Updated: 2012-12-13 12:56 UTC
Document Revision: 9

Sponsored by CISA.