Monday, July 15, 2013

Huawei Mobile Hotspot remote root code execution by SMS (user-triggered)

Huawei E587 3G Mobile Hotspot, version 11.203.27, is prone to two vulnerabilities in its WebUI: an XSS and a command injection.
Combined, they allow an attacker (with a little help from the victim) to remotely execute code on the device with root privileges by sending a specifically crafted SMS.
The vendor was notified on 2013/03/18.
  • Huawei WebUI XSS in SMS inbox page
In /js/main.js, the function smsReplaceData() is used to escape HTML tags in incoming SMS before they are displayed in the UI.
But a specifically crafted SMS bypasses this flawed function and injects HTML tags into the SMS inbox page:
</Content><Index>0'/><![CDATA[<script type="text/javascript">alert(1);</script><input type="checkbox" id='x]]></Index><Content>Coucou, tu veux voir ma balise ?
This XSS executes when the user browses to the SMS inbox page. The device shows a notification icon on its tiny screen to alert the user of an incoming SMS.

  • Huawei WebUI Shell injection (CVE-2013-2612)
The HTTP endpoint "/api/device/time" in the WebUI is vulnerable to shell command injection, which allows code execution with root privileges.
javascript:saveAjaxData("api/device/time","<?xml ?><request><Month>;mkdir </Month><Day>/tmp/A #</Day><Hour></Hour><Min></Min><Year></Year><Sec></Sec></request>");
You need to split your shell command across the children of the <request> node in order to respect the 7-character limit on each child node.
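The root cause above is that the six children of <request> reach a shell unvalidated. The following is an added example (not code from the device or this post) of the strict allowlist check a defender would put in front of such an endpoint, plus a small detection helper for spotting shell metacharacters in logged request bodies; the sample bodies are constructed here, one benign and one using the same field values as the injection shown above (without the malformed XML declaration, so the field check itself is what rejects it).

```python
import re
import xml.etree.ElementTree as ET

# Allowed range for each child of <request>, in the order the WebUI sends them.
# Every field must be a short plain decimal integer; nothing else is accepted,
# so strings such as ";mkdir " or "/tmp/A #" never reach a shell.
FIELD_RULES = {
    "Month": (1, 12),
    "Day": (1, 31),
    "Hour": (0, 23),
    "Min": (0, 59),
    "Year": (2000, 2099),
    "Sec": (0, 59),
}
DIGITS = re.compile(r"^[0-9]{1,4}$")
# Characters that have no business in a numeric time field but matter to sh.
SHELL_META = re.compile(r"[;&|`$<>#\s]")

# Constructed sample bodies (hypothetical, not captured from a device).
GOOD_BODY = ("<request><Month>7</Month><Day>15</Day><Hour>10</Hour>"
             "<Min>30</Min><Year>2013</Year><Sec>0</Sec></request>")
INJECT_BODY = ("<request><Month>;mkdir </Month><Day>/tmp/A #</Day><Hour></Hour>"
               "<Min></Min><Year></Year><Sec></Sec></request>")

def validate_time_request(body: str):
    """Return (ok, detail): ok is True only if every field is a bounded integer."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    if root.tag != "request":
        return False, f"unexpected root element <{root.tag}>"
    values = {}
    for name, (lo, hi) in FIELD_RULES.items():
        node = root.find(name)
        if node is None:
            return False, f"missing <{name}>"
        text = (node.text or "").strip()
        if not DIGITS.match(text):
            return False, f"<{name}> is not a plain integer: {text!r}"
        number = int(text)
        if not lo <= number <= hi:
            return False, f"<{name}> out of range: {number}"
        values[name] = number
    extra = [child.tag for child in root if child.tag not in FIELD_RULES]
    if extra:
        return False, f"unexpected elements: {extra}"
    return True, values

def suspicious_fields(body: str):
    """Detection helper: names of fields whose text carries shell metacharacters."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return ["<unparseable>"]
    return [child.tag for child in root if SHELL_META.search(child.text or "")]
```

Run over a WebUI access log, suspicious_fields() gives a cheap indicator of attempted injection even on firmware where the validator cannot be deployed.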

Now, you may try to combine them.

3 comments:

  1. Nice work dude!
    Is there any kind of authentication, at least for the second vulnerability?

    Have you tried rooting the device?

    I particularly like the SMS-triggered XSS, really nice vector!

  2. Thanks!

    Nope, there is no authentication.
    And injected commands are run as root.

    But if you have access to the Web UI, you can backup the configuration (sqlite file), set 'telnet' row to 1, and restore the altered config file. A telnetd service will be started at boot. With empty password.

  3. Really nice post, you've got a great blog, and thank you for sharing this excellently written content. Waiting for the next one.
    Acer Laptops
