
Nowadays, wireless 4G connections are a fairly popular way of connecting to the internet. Most internet service providers offer at least some form of 4G package, and usually they also include a free 4G modem along with it. These free devices are usually just re-branded versions of other vendors' devices. This blog post examines various vulnerabilities of a re-branded ZTE MF910 4G modem.

The research was started by connecting the ZTE device to a computer normally, and a connection was initiated the way the manual instructed. A moment later, the administrative web interface revealed itself with a default password of '1234'.

WAN-to-LAN attack: Send SMS messages by chaining CSRF, XSS, weak default credentials and another CSRF

The features provided by the web interface were examined, and it was discovered that the goform_set_cmd_process functionality is used to send various commands to the modem. This functionality uses a single HTTP request in which the various values are supplied as GET parameters. The available commands were then examined, and one of the most interesting was the possibility to send SMS messages to given phone numbers. This command, however, requires that the user is authenticated to the web interface. It also requires that the "Referer" header of the HTTP request matches the IP address of the modem, which makes CSRF attacks originating from a third-party domain impossible.

The easiest way to bypass the previously mentioned protections would be to find XSS vulnerabilities that allow sending requests with a proper "Referer" value. Thus began the search for an XSS vulnerability. None were found in goform_set_cmd_process; however, a single reflected XSS was found in the goform_get_cmd_process functionality, which is used to fetch data from the modem. The web interface uses a GET parameter named "cmd" to specify which command the functionality should execute.

By inserting a malicious JavaScript payload into this GET parameter, the server places the payload in the HTTP response, thus triggering an XSS on the web interface. This XSS in goform_get_cmd_process did not require any authentication and had no CSRF protection, which made it a great initial attack point for further attacks. Next, by crafting a special JavaScript payload for the XSS, it could be instructed to send an HTTP request towards the SMS functionality. As the request was sent from a page hosted by the modem via the XSS, the "Referer" header value is now set to the modem's IP address, thus allowing access to the command. The SMS functionality, however, still required that the user is authenticated. As the modem does not force users to change the default password and uses the same password for every device, this was bypassed simply by using the XSS to send a login request with the default password. However, a new problem was encountered during the exploitation attempt.
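The two weaknesses the chain relies on, a "cmd" parameter echoed unencoded into an HTML response and a CSRF check that only compares the Referer host against the modem's IP, are easiest to see side by side. The following is an added example written for this post, not code from ZTE's firmware or from the original author: the web server is modelled as plain functions taking a request dict, and the modem address, the command allowlist, the response wording and the `_STATE` data are all assumed values. It shows the reflecting handler, a hardened version, why a Referer-only check passes a request issued from the modem's own page, and a small detection check for unencoded reflection.

```python
import html
import json
from urllib.parse import urlsplit

# Assumed values (not from the original post): the modem's LAN address and a
# small allowlist of read-only query commands the handler may serve.
MODEM_IP = "192.168.0.1"
KNOWN_CMDS = {"signalbar", "network_type", "sms_capacity_info"}

# Constructed stand-in for the modem's internal state.
_STATE = {"signalbar": "4", "network_type": "LTE", "sms_capacity_info": "100"}


def referer_is_modem(request):
    """The Referer-only CSRF check the post describes.

    It compares only the host part of the Referer against the modem's IP, so a
    request issued by script already running on a page served by the modem
    (the reflected-XSS case) passes, while one from a third-party origin fails.
    """
    referer = request.get("headers", {}).get("Referer", "")
    return urlsplit(referer).hostname == MODEM_IP


def get_cmd_vulnerable(request):
    """Unknown 'cmd' values are echoed verbatim into a text/html body."""
    cmd = request.get("params", {}).get("cmd", "")
    if cmd not in _STATE:
        return {"status": 200, "content_type": "text/html", "headers": {},
                "body": f"<p>unknown command: {cmd}</p>"}
    return {"status": 200, "content_type": "text/html", "headers": {},
            "body": f"<p>{cmd}={_STATE[cmd]}</p>"}


def get_cmd_hardened(request):
    """Allowlist 'cmd', never echo the untrusted value, and answer as JSON.

    The JSON content type plus X-Content-Type-Options: nosniff keeps a browser
    from rendering the response as HTML even if something did leak into it.
    """
    cmd = request.get("params", {}).get("cmd", "")
    headers = {"X-Content-Type-Options": "nosniff",
               "Content-Security-Policy": "default-src 'none'"}
    if cmd not in KNOWN_CMDS:
        return {"status": 400, "content_type": "application/json",
                "headers": headers, "body": json.dumps({"error": "unknown command"})}
    return {"status": 200, "content_type": "application/json",
            "headers": headers, "body": json.dumps({cmd: _STATE[cmd]})}


def looks_reflected(request, response):
    """Detection check for a test suite or response proxy: a 'cmd' value that
    contains HTML metacharacters and reappears unencoded in an HTML response
    is a reflected-XSS signal."""
    cmd = request.get("params", {}).get("cmd", "")
    if not cmd or html.escape(cmd, quote=True) == cmd:
        return False  # nothing in the value that HTML would interpret
    return response["content_type"].startswith("text/html") and cmd in response["body"]


if __name__ == "__main__":
    # Constructed probe: harmless markup in 'cmd', sent from the modem's own page.
    probe = {"params": {"cmd": "<b>probe</b>"},
             "headers": {"Referer": f"http://{MODEM_IP}/index.html"}}
    print("Referer check passes for same-origin request:", referer_is_modem(probe))
    print("vulnerable handler reflects:", looks_reflected(probe, get_cmd_vulnerable(probe)))
    print("hardened handler reflects:", looks_reflected(probe, get_cmd_hardened(probe)))
```

Note that adding a CSRF token to the SMS command would not by itself have broken this chain: script running in the modem's own origin can read the token just as it can set the Referer. The fixes that matter are removing the reflection (allowlisting and never echoing "cmd"), serving API responses as non-HTML with nosniff, and not shipping one shared default password without forcing a change on first login.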
