Linux ProjectX

Huawei bm622i Administrator Password Disclosure

Hacking Bm622i

I think some of you are familiar with this device or modem. The Huawei bm622i is the latest 4G WiMAX router used by Globe. It was released after Globe learned that the previous model, the Huawei bm622, can be exploited using MAC cloning and that most forum members on symbianize.com know about its Local File Disclosure under 192.168.1.1/html/management/account.asp.

Actually, you can log in to the HTTP interface of the router using user as both the username and the password, but that does not grant you administrator privileges. I was very curious about how to obtain administrator access to this router. In fact, there is a tool today that generates the admin password after you provide the MAC address, but I'm not sure if it is really that effective. Administrator privileges allow you to edit the advanced settings of your router, like VoIP settings, MAC filtering, SSH and Telnet access, QoS, etc.

And then one day, I stepped up and decided to take a look at the shell of the router by telnetting to the gateway and logging in as wimax:wimax820. After that I typed sh, and now I'm in the shell… "Hello Busybox!"

If you issue ls -la, you will be able to see the files and directories like /bin, /proc, /web, etc. Then I moved to the bin directory and issued the command ls -la again. FYI, the bin directory contains important programs that the system needs to operate, such as cat, grep, ls, ifconfig, ping, sh, tar, zcat, etc. I saw a command called cms and was very curious what it was, so I executed it and boooommm… scripts came popping up and I saw this line: username=200*.

Looks like I just found the password of my router (I didn't include the email address, of course). And so I tried to use the password I had just seen and logged in as admin. I just got in!

It’s A Security Disclosure and Very Risky!

Alright, what if a malicious guy is connected to your router or to your server that is using this kind of router? The answer is, it's very dangerous, because he can use it to tinker with your router and he may change the settings of your device. So how do you prevent this kind of disclosure? All you need to do is log in as admin, using the password you found under the cms script, and go to the advanced settings. Disable the telnet access and the SSH access. Secure your router now!
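An added example, not part of the original post: a small Python check to confirm, after disabling telnet and SSH in the advanced settings, that neither service still answers on the gateway. It assumes the gateway is at 192.168.1.1 (the address used earlier in the post) and that the services listen on their standard ports 23 and 22; the function names are made up for this example.

```python
import socket

# Assumptions: gateway address as used in the post; standard telnet/SSH ports.
GATEWAY = "192.168.1.1"
MGMT_PORTS = {23: "telnet", 22: "ssh"}


def probe(host, port, timeout=2.0):
    """Classify one TCP port as 'open', 'closed' or 'filtered'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"        # handshake completed: the service is still reachable
    except ConnectionRefusedError:
        return "closed"      # RST received: nothing is listening on the port
    except OSError:
        return "filtered"    # timeout or unreachable: dropped, or host is down
    finally:
        sock.close()


def audit(host=GATEWAY, ports=MGMT_PORTS, timeout=2.0):
    """Return ({service: state}, hardened); hardened is True if no port is open."""
    results = {name: probe(host, port, timeout) for port, name in ports.items()}
    hardened = all(state != "open" for state in results.values())
    return results, hardened


if __name__ == "__main__":
    results, hardened = audit()
    for name, state in results.items():
        print(f"{name:6s} {state}")
    if hardened:
        print("OK: no remote shell service answers on the gateway")
    else:
        print("WARNING: a remote shell service is still reachable")
```

Run it from a machine on the router's LAN. A "filtered" result for both ports can also mean the gateway address is wrong, so confirm the web interface is reachable at the same address.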

2 Comments

  1. Hi there author. Well said in your blog about bm622i modem, so it's better to leave behind the admin of the CPE. My concern is if you can spare some time ticking on telnet and do me a favor: how can we change bm66i MAC address?
