EE 4GEE Wireless Router - Multiple Security Vulnerabilities Advisory ------------------------------------------------- Hardware Version/Model: 4GEE WiFi MBB (EE60VB-2AE8G83). Vulnerable Software Version: EE60_00_05.00_25. Patched Software Version: EE60_00_05.00_31. Product URL: https://shop.ee.co.uk/dongles/pay-monthly-mobile-broadband/4gee-wifi/details Proof of Concept Writeup: https://blog.jameshemmings.co.uk/2017/08/24/ee-4gee-mobile-wifi-router-multiple-security-vulnerabilities-writeup/#more-276 Disclosure Timeline: 27th July, 2017 at 21:32 GMT. Email sent with technical vulnerability information and PoC. 27th July, 2017 at 22:00 GMT. Response from EE devices manager, confirming receipt of PoC. 31th July, 2017 at 18:47 GMT. Update from vendor, patches being developed for reported issues. 1st August, 2017 at 10:43 GMT. Reply sent to vendor. 10th August, 2017 at 10:32 GMT. Update from vendor, patches still being developed. 18th August, 2017 at 12:11 GMT. Email sent to vendor asking for update/ETA. 18th August, 2017 at 12:15 GMT. Response from vendor, updates to be released on Monday. 18th August, 2017 at 12:30 GMT. Reply sent to vendor with device IMEI for online update process. 22nd August, 2017 at 15:54 GMT. Response from vendor, beta firmware released to verify changes. 23rd August, 2017 at 21:29 GMT. Reply sent to vendor, vulnerabilities successfully patched. 24th August, 2017 at 09:32 GMT. Response from vendor, patch publicly released to customers. 24th August, 2017 at 12:00 GMT. Full disclosure via Blog. ------------------------------------------------- Stored Cross Site Scripting (XSS) - SMS Messages: ------------------------------------------------- Attack Type: Remote Impact: Code Execution Affected Components: http://ee.mobilebroadband/default.html#sms/smsList.html?list=inbox http://ee.mobilebroadband/getSMSlist?rand=0.19598614685224347 Attack Vectors: An attacker can exploit the vulnerability by sending a remote SMS message to the device with an XSS payload such as "' which upon clicking on the text message within the web application is successfully executed. Additionally, due to the other vulnerabilities identified within this device, such vulnerability can be chained with Cross Site Request Forgery (CSRF) using the Stored XSS payload to send an JavaScript XHR POST request to the "uploadSettings" web-page containing binary configuration data, allowing for total modification of device settings by an attacker. CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N/E:H/RL:O/RC:C (CVSS V3: 7.1 - High). Author: James Hemmings - security@jameshemmings.co.uk Reference(s): [1] https://blog.jameshemmings.co.uk/2017/08/21/ee-4gee-mobile-wifi-router-multiple-security-vulnerabilities ------------------------------------------------- Cross Site Request Forgery (CSRF) - Multiple: ------------------------------------------------- Attack Type: Remote Impact: Code Execution Affected Components: http://192.168.1.1/goform/AddNewProfile?rand=0.376065695742409 http://192.168.1.1/goform/setWanDisconnect?rand=0.6988130822240772 http://192.168.1.1/goform/setSMSAutoRedirectSetting?rand=0.9003361879232169 http://192.168.1.1/goform/setReset?rand=0.021764703082234105 http://192.168.1.1/goform/uploadBackupSettings Attack Vectors: An attacker could attempt to trick users into accessing malicious CSRF payload URLs, which would allow an attacker to execute privileged functions such as device reset, device reboot, internet connection and disconnection, SMS message redirection and binary configuration file upload, which would allow modification of all device settings. Addtionally, this exploit can be chained together using other vulnerabilities discovered to be remotely exploitable over SMS, using Stored Cross Site Scripting (XSS). Vulnerability Description: The 4GEE Mobile WiFi Router is vulnerable to multiple Cross Site Request Forgery (CSRF) vulnerabilities within various router administration web-pages, due to the lack of robust request verification tokens within requests. An attacker could persuade an authenticated user to visit a malicious website using phishing and/or social engineering techniques to send an CSRF request to the web application, thus executing the privileged function as the authenticated user. In this case, due to the lack of authentication on certain privileged functions, authentication may not be necessary. The following web-pages were identified to be vulnerable to Cross Site Request Forgery (CSRF) attacks: AddNewProfile [2]. setWanDisconnect [3]. setSMSAutoRedirectSetting [4]. setReset [5]. uploadBackupSettings [6]. CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N/E:H/RL:O/RC:C (CVSS V3: 6.8 - Medium). Author: James Hemmings - security@jameshemmings.co.uk Reference(s): [1] https://blog.jameshemmings.co.uk/2017/08/21/ee-4gee-mobile-wifi-router-multiple-security-vulnerabilities [2] https://github.com/JamesIT/vuln-advisories-/blob/master/EE-4GEE-Multiple-Vulns/CSRF/AddProfileCSRFXSSPoc.html [3] https://github.com/JamesIT/vuln-advisories-/blob/master/EE-4GEE-Multiple-Vulns/CSRF/CSRFInternetDCPoC.html [4] https://github.com/JamesIT/vuln-advisories-/blob/master/EE-4GEE-Multiple-Vulns/CSRF/CSRFPocRedirectSMS.html [5] https://github.com/JamesIT/vuln-advisories-/blob/master/EE-4GEE-Multiple-Vulns/CSRF/CSRFPocResetDefaults.html [6] https://github.com/JamesIT/vuln-advisories-/blob/master/EE-4GEE-Multiple-Vulns/uploadBinarySettingsCSRFPoC.html ------------------------------------------------- JSONP Sensitive Information Disclosure - Multiple ------------------------------------------------- Attack Type: Remote Impact: Information Disclosure Affected Components: http://192.168.1.1/goform/getPasswordSaveInfo http://192.168.1.1/goform/getSingleSMSReport?rand=0.133713371337 http://192.168.1.1/goform/getSingleSMS?sms_id=1&rand=0.133713371337 http://192.168.1.1/goform/getSMSStoreState http://192.168.1.1/goform/getSMSAutoRedirectSetting http://192.168.1.1/goform/getSysteminfo http://192.168.1.1/goform/getUsbIP?rand=0.13371337 Attack Vectors: An attacker on the local network could escalate privileges from unauthenticated user, to authenticated administrative user by accessing the saved admin credentials within the JSONP endpoint. Additionally, an attacker could access network configuration data and SMS messages without authentication. Vulnerability Description: The 4GEE Mobile WiFi Router is vulnerable to multiple JSONP information disclosure vulnerabilities within various endpoints which retrieve and/or set data. The JSONP endpoints allow for unauthenticated information disclosure of sensitive configuration data, settings, administration passwords and SMS messages, due to the lack of robust and effective access control. An attacker could view such unauthenticated endpoints via the local WiFi network to gain access to the administration credentials, router configuration and/or SMS messages. CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:H/RL:O/RC:C (CVSS V3: 8.1 - High). Author: James Hemmings - security@jameshemmings.co.uk Reference(s): [1] https://blog.jameshemmings.co.uk/2017/08/21/ee-4gee-mobile-wifi-router-multiple-security-vulnerabilities ------------------------------------------------- Disclaimer ------------------------------------------------- The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.