Standard User GeeTee
(committed) Wed 16-Apr-14 17:00:26

Vodafone Mobile BB Huawei K4201


Just out of idle curiosity I thought I would do some casual probing of this device. As a brief background the Huawei K4201 is a 2G/3G/3G+ MBB USB dongle that presents itself to the host computer as a network interface card, handling the PPP connection to the provider itself (rather than some others that act as a modem, relying on the host computer to make the outbound PPP connection). As such it acts as a NAT gateway.

Configuration wise, there is just a Vodafone branded web GUI, that once unlocked allows for configuration of the PPP parameters and that's about it.

Wondering whether there was perhaps a telnet or SSH daemon listening on the thing I ran nmap against it.

While that revealed no alternative configuration access ports, it did reveal something else. Along with the expected port 80, this showed up in the nmap results:

==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port50000-TCP:V=5.21%I=7%D=4/16%Time=534EA090%P=x86_64-unknown-linux-gnu%r(GetRequest,BD,"HTTP/1\.0\x20404\x20Not\x20Found\r\nSERVER:\x20PACKAGE_V
SF:ERSION\x20HUAWEI,\x20UPnP,\x20HUAWEI\x20SDK\x20for\x20UPnP\x20devices/\
SF:x20\x20\r\nCONTENT-LENGTH:\x2048\r\nCONTENT-TYPE:\x20text/html\r\n\r\n<
SF:html><body><h1>404\x20Not\x20Found</h1></body></html>")%r(HTTPOptions,C
SF:9,"HTTP/1\.0\x20501\x20Not\x20Implemented\r\nSERVER:\x20PACKAGE_VERSION
SF:\x20HUAWEI,\x20UPnP,\x20HUAWEI\x20SDK\x20for\x20UPnP\x20devices/\x20\x2
SF:0\r\nCONTENT-LENGTH:\x2054\r\nCONTENT-TYPE:\x20text/html\r\n\r\n<html><
SF:body><h1>501\x20Not\x20Implemented</h1></body></html>")%r(RPCCheck,C1,"
SF:HTTP/0\.0\x20400\x20Bad\x20Request\r\nSERVER:\x20PACKAGE_VERSION\x20HUA
SF:WEI,\x20UPnP,\x20HUAWEI\x20SDK\x20for\x20UPnP\x20devices/\x20\x20\r\nCO
SF:NTENT-LENGTH:\x2050\r\nCONTENT-TYPE:\x20text/html\r\n\r\n<html><body><h
SF:1>400\x20Bad\x20Request</h1></body></html>")%r(FourOhFourRequest,BD,"HT
SF:TP/1\.0\x20404\x20Not\x20Found\r\nSERVER:\x20PACKAGE_VERSION\x20HUAWEI,
SF:\x20UPnP,\x20HUAWEI\x20SDK\x20for\x20UPnP\x20devices/\x20\x20\r\nCONTEN
SF:T-LENGTH:\x2048\r\nCONTENT-TYPE:\x20text/html\r\n\r\n<html><body><h1>40
SF:4\x20Not\x20Found</h1></body></html>")


For those unfamiliar with nmap that doubtless looks like a load of garbage. But that's nmap hitting the port with an http request.

Deciphered it indicates that TCP port 50000 on the device is listening and reports itself as "Huawei SDK for UPnP devices".

While it is no great surprise that a NAT'ing device like this offers UPnP device support, that functionality is not mentioned in any of Vodafone's literature nor is it possible to configure or disable it (as many more savvy people do).

Not so much a security problem, more one of those "I didn't realise it even did that" things.

In an attempt to nobble the functionality I have configured the firewall on the server it is plugged into to drop all traffic on UDP 1900 and TCP 2869 as well as anything broadcast to IP: 239.255.255.250 - this I think should kill the UPnP control and discovery mechanisms should I ever enable a UPnP aware app or device on the LAN. Any thoughts or comments on this approach most welcome.

Anyways, this was just meant as a heads up for those who may care about such things.
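
The fingerprint quoted in the post can be decoded mechanically rather than by eye. The following is an added example, not part of the original post: a small Python parser for nmap's service-fingerprint text that undoes the SF: line wrapping and escaping, checks each probe's hex length field against the decoded response, and pulls out the SERVER header. The sample is the GetRequest probe from the post with its line breaks restored; the function names are this example's own.

```python
import re

# GetRequest probe from the post's fingerprint, with nmap's line wrapping restored.
SAMPLE = r'''SF-Port50000-TCP:V=5.21%I=7%D=4/16%Time=534EA090%P=x86_64-unknown-linux-gnu%r(GetRequest,BD,"HTTP/1\.0\x20404\x20Not\x20Found\r\nSERVER:\x20PACKAGE_V
SF:ERSION\x20HUAWEI,\x20UPnP,\x20HUAWEI\x20SDK\x20for\x20UPnP\x20devices/\
SF:x20\x20\r\nCONTENT-LENGTH:\x2048\r\nCONTENT-TYPE:\x20text/html\r\n\r\n<
SF:html><body><h1>404\x20Not\x20Found</h1></body></html>")'''

_SIMPLE = {"r": "\r", "n": "\n", "t": "\t", "0": "\0"}
# %r(ProbeName,HexLength,"escaped response")
_PROBE = re.compile(r'%r\((\w+),([0-9A-Fa-f]+),"((?:[^"\\]|\\.)*)"\)')


def unescape(s):
    """Undo nmap's escaping: \\xHH is one byte, \\r \\n \\t \\0 are controls, \\c is c."""
    def repl(m):
        tok = m.group(1)
        if len(tok) == 3:                 # 'x' plus two hex digits
            return chr(int(tok[1:], 16))
        return _SIMPLE.get(tok, tok)      # e.g. \. -> .   \" -> "
    return re.sub(r"\\(x[0-9A-Fa-f]{2}|.)", repl, s)


def parse_fingerprint(text):
    """Return (port, proto, [ {probe, response, length_ok, server}, ... ])."""
    lines = [l.strip() for l in text.splitlines() if l.strip().startswith("SF")]
    head = re.match(r"SF-Port(\d+)-(TCP|UDP):", lines[0])
    # Drop the "SF-PortN-PROTO:" / "SF:" prefixes; wrapping can split an escape
    # or a word in two, so join before decoding anything.
    joined = "".join(re.sub(r"^SF(-Port\d+-\w+)?:", "", l) for l in lines)
    probes = []
    for name, hexlen, raw in _PROBE.findall(joined):
        resp = unescape(raw)
        server = re.search(r"(?im)^server:[ \t]*(.*?)\s*$", resp)
        probes.append({
            "probe": name,
            "response": resp,
            # The second field is the response length in hex (BD = 189 bytes).
            "length_ok": len(resp) == int(hexlen, 16),
            "server": server.group(1) if server else None,
        })
    return int(head.group(1)), head.group(2), probes


if __name__ == "__main__":
    port, proto, probes = parse_fingerprint(SAMPLE)
    for p in probes:
        print(port, proto, p["probe"], "length ok:", p["length_ok"], "server:", p["server"])
```

A passing length check confirms the wrapped lines were rejoined without losing or duplicating bytes.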