
Novatel Wireless MiFi Cross Site Request Forgery
Posted Jan 18, 2010
Authored by Adam Baldwin

Novatel Wireless Mifi suffers from cross site request forgery, output encoding, gps enabling, and authentication vulnerabilities.

tags | advisory, vulnerability, csrf
SHA-256 | b07c73a7c1c8cca6d14d3e4157f32c6256bcf8e00e3240328484ee58d974ad1e

The MiFi by Novatel Wireless (re-branded and sold by multiple vendors
such as Sprint and Verizon) is a mobile wifi hotspot. The MiFi also has
a built-in GPS to provide location-based searching.

Turns out that the web interface to this little device has a lot going
on that can be exploited, from gaining the user’s GPS data to
terminating the user’s connectivity. The POC isn't online yet due to
vendor lag but it's not all that complicated if you have a MiFi and a
few minutes.

*1. Authentication not required.*

The MiFi does not require a valid session to commit changes to
configuration settings. This makes exploiting the issues below a lot
easier, since the victim does not need to have a valid session.

*2. Enable GPS without the user's knowledge.*

The GPS on a MiFi can be enabled by visiting the following URL.
Depending on the situation the victim may get an alert that says “Login
Required”, but if they are like the typical user they will simply click
on it and forget it ever happened.

*3. Cross-Site Request Forgery (CSRF)*

The web interface does not validate referrer or use any magical tokens
to protect against CSRF. This means that we can have a victim visit our
malicious website and do evil things like change the wireless settings
of the MiFi.
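Issues 1 and 3 are the same defect seen from two sides: a state-changing request is accepted without a valid session and without anything that ties the request to the legitimate UI. The following Python is an added illustration (not code from the advisory or from Novatel) of what a settings-change handler on such a device would need to check: a live session, an Origin or Referer naming the device itself, and a per-session synchronizer token. The host name, session store and form field names are assumptions; the advisory names none of them.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Hypothetical device host; the advisory gives no address, so this is a placeholder.
DEVICE_HOST = "device.local"

# Constructed in-memory session store: session id -> per-session CSRF token.
SESSIONS = {}


def new_session():
    """Create a logged-in session and its synchronizer token (returned to the UI once)."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = secrets.token_urlsafe(32)
    return sid, SESSIONS[sid]


def origin_allowed(headers):
    """Accept a state-changing request only when Origin (or, failing that,
    Referer) names the device itself; a missing or 'null' value is rejected."""
    value = headers.get("Origin") or headers.get("Referer")
    if not value:
        return False
    return urlsplit(value).hostname == DEVICE_HOST


def apply_settings_change(method, headers, cookies, form):
    """Return (status, message) for a request that would change wifi settings.

    The three checks map onto the advisory's findings:
      - no valid session         -> 401 (issue 1: changes committed without login)
      - cross-origin request     -> 403 (issue 3: no referrer validation)
      - bad or missing token     -> 403 (issue 3: no anti-CSRF token)
    """
    if method != "POST":
        # Configuration changes must never ride on a GET, which any <img> or link can trigger.
        return 405, "method not allowed"
    sid = cookies.get("session")
    token = SESSIONS.get(sid)
    if token is None:
        return 401, "login required"
    if not origin_allowed(headers):
        return 403, "cross-origin request rejected"
    # Constant-time comparison so the token cannot be guessed byte by byte via timing.
    if not hmac.compare_digest(form.get("csrf_token", ""), token):
        return 403, "missing or invalid CSRF token"
    return 200, f"wifi settings updated: {form.get('ssid')}"


if __name__ == "__main__":
    sid, tok = new_session()
    good = {"Origin": f"http://{DEVICE_HOST}"}
    print(apply_settings_change("POST", good, {}, {"csrf_token": tok}))
    print(apply_settings_change("POST", {"Origin": "http://other.example"}, {"session": sid}, {"csrf_token": tok}))
    print(apply_settings_change("POST", good, {"session": sid}, {"csrf_token": tok, "ssid": "home"}))
```

The Origin check alone would already stop the cross-site page described above, since a browser stamps the attacker's origin on the forged request; the token is the second, independent line in case a Referer-stripping proxy or an old browser sends neither header.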

*4. Output Encoding*

In multiple locations of the MiFi web interface user input is not
properly encoded when output back to the user. One interesting location
is the key field for the wifi settings. I’m wondering why the hell
somebody thought it was a good idea to print the wifi key in clear text
back to the user, and in this case it’s not properly encoded either,
giving us a nice 63-character persistent injection point for script.

So for those that weren’t paying attention: Any MiFi user that visits a
specially crafted page will give up their GPS location to the attacker.

Here is a video clip for the Sprint MiFi (latest firmware) of the
working proof of concept.
http://evilpacket.net/2010/jan/14/mifi-geopwn/

packet storm

© 2022 Packet Storm. All rights reserved.