Introduction

Nowadays, wireless 4G connections are fairly popular way of connecting to internet. Most of the internet service providers provide at least some form of 4G-package and usually they also include a free 4G-modem along with the 4G-package. These free devices are usually just re-branded versions of other vendor’s devices. This blog post examines various vulnerabilities of a re-branded ZTE MF910 4G modem.
The research was started by connecting the ZTE-device to a computer normally and a connection was initiated in a way the manual instructed. A moment later, the administrative web-interface revealed itself with a default password of ‘1234’.
Screen Shot 2017-05-05 at 0.13.29.png

WAN-to-LAN-attack: Send SMS-messages by chaining CSRF, XSS, weak default credentials and another CSRF

The features provided by the web interface were examined and it was discovered that goform_set_cmd_process-functionality is used to send various commands to the modem. This functionality uses a single http-request in which various values are supplied with GET-parameters.
The available commands were then examined and one of the most interesting commands was possibility to send SMS messages to given phone numbers. This command however requires that the user is authenticated to the web interface. It also requires that the “Referrer”-header of the http-request matches IP-address of the modem, thus making CSRF-attacks which originate from third-party domain impossible.
Screen Shot 2017-05-05 at 0.15.18.png
Easiest way to bypass the previously mentioned protections would be finding XSS-vulnerabilities which allow sending requests with proper “Referrer”-value. Thus began the search for a XSS-vulnerability.
None were found in the goform_set_cmd_process, however a single reflected XSS was found in goform_get_cmd_process-functionality that is used to fetch data from the modem. The web interface uses GET-parameter named “cmd” to specify which command the functionality should execute. By inserting a malicious javascript-payload to this GET-parameter, the server places this payload to the http-response thus triggering an XSS on the web interface.
This XSS on the goform_get_cmd_process-functionality did not require any authentication and had no CSRF-protection, which made it a great initial attack point for further attacks.

Screen Shot 2017-05-05 at 0.57.45.png
Next by crafting a special javascript payload for the XSS, it could be instructed to send http-request towards the SMS-functionality. As the request was sent from a page hosted by the modem via XSS, the “Referrer”-header value is now set to modem’s IP-address thus allowing access to the command.
The SMS-functionality however still required that the user is authenticated. As the modem does not force users to change the default password and uses same password for every device, this was bypassed simply by using the XSS to send a login-request with default password.
However a new problem was encountered during the exploitation attempt. The XSS allowed only a short payload which did not have enough space for sending the login-request and the SMS-message. This was bypassed fairly easily by splitting the payload in half. A second-stage payload contains the javascript that sends the login-command and the SMS-command. This second-stage payload is hosted on an external domain. A very simple first-stage payload was then supplied to the initial XSS and its only purpose is to load the second-stage payload script.

Screen Shot 2017-05-05 at 0.50.03.png

First-stage payload

Screen Shot 2017-05-05 at 0.51.25.png

Second-stage payload

Finally, the exploitation succeeded and by executing a CSRF-attack from a page hosted in internet, the full exploit chain was executed and the SMS-messages were sent to phone numbers specified by the adversary. Exploitation of this kind of attack is fairly severe as it requires nearly no user interaction and the initial attack can begin from WAN-side.
https://youtu.be/BLIWNBp-u34
An example attack scenario would be for example, when the user clicks on a link on e.g Facebook, the payload will trigger and the exploit will login to the system and send tons of SMS messages to whichever number that adversary defined in the payload. This will then lead to a situation where monetary consequences are caused to the owner of the modem and the targeted phone number will be filled with spam-messages.
Pasted image at 2017_05_04 11_41 PM.png

Modem Takeover

In practice, a hacker will be able to change any settings from the MF910 device via the previously introduced CSRF-based exploit chain. For example, an adversary can hijack the web interface and take over the modem by using the exploit chain and the functionality which the modem uses for changing passwords.
Screen Shot 2017-05-05 at 0.52.49.png

Stored XSS

When creating new contacts, a “groupchoose”-parameter can be used to store malicious JavaScript payload in a contact that will be run each time contact page is opened.
Screen Shot 2017-05-05 at 1.04.47.png
This vulnerability is also exploitable via WAN-to-LAN-attack by using the previously introduced exploit chain.

Screen Shot 2017-05-05 at 1.03.36.png

Persistent denial-of-service

The goform_set_cmd_process-functionality contains a command “SET_WEB_LANGUAGE”, which is used to specify language of the web interface. By setting value of this command to fi”, brick, the modem will be bricked and the user canโ€™t access the web interface anymore. Only way to recover from this denial-of-service condition is to do a factory reset on the modem.
Screen Shot 2017-04-19 at 9.07.10.jpg
The vulnerability can be exploited through a simple CSRF, however it requires that the “Referrer”-header matches IP-address of the modem. Thus, the previously introduced exploit chain can be used to exploit also this in a WAN-to-LAN-attack.
Screen Shot 2017-05-05 at 0.54.08.png

Conclusion

Current state of security in IoT-devices seems miserable (“The S in IoT stands for security”). This product did not prove otherwise. However when these vulnerabilities were reported to the manufacturer, the manufacturer reacted very quickly and all findings were fixed within couple of days, so there is light at the end of the tunnel. New firmware versions which fix the vulnerabilities were released to the original device and to the re-branded devices.