CVE-2018-9111 and CVE-2018-9112 Foxconn FEMTO XSS and without Validation and Integrity Checking

CVE-2018-9111

[Suggested description] Cross Site Scripting (XSS) exists on the Foxconn FEMTO AP-FC4064-T AP_GT_B38_5.8.3lb15-W47 LTE Build 15 via the configuration of a user account. An attacker can execute arbitrary script in an unsuspecting user's browser.

[Vulnerability Type] Cross Site Scripting (XSS)

[Vendor of Product] Foxconn Electronics Inc.


[Affected Product Code Base] FEMTO AP-FC4064-T - AP_GT_B38_5.8.3lb15-W47 LTE Build 15


[Affected Component] Web management page

[Attack Type] Remote

[Impact Code execution] true


[Discoverer] CFL Lab

CVE-2018-9112

[Suggested description] A low privileged account with a weak default password exists on the Foxconn FEMTO AP-FC4064-T AP_GT_B38_5.8.3lb15-W47 LTE Build 15. In addition, its web management page relies on the existence or values of cookies when performing security-critical operations. One can gain privileges by modifying cookies.


[VulnerabilityType Other] CWE-565: Reliance on Cookies without Validation and Integrity Checking

[Vendor of Product] Foxconn Electronics Inc.


[Affected Product Code Base] FEMTO AP-FC4064-T - AP_GT_B38_5.8.3lb15-W47 LTE Build 15


[Affected Component] Whole web management page

[Attack Type] Remote


[Impact Escalation of Privileges] true


[Attack Vectors] Modifying cookies.

[Discoverer] CFL Lab

ChuanYuan-Huang May 10, 2018

When logging into the web interface of Foxconn FEMTO AP-FC4064-T AP_GT_B38_5.8.3lb15-W47 LTE Build 15, Cross Site Scripting occurs.
The attacker can input some HTML code to cause Cross Site Scripting.

The 魔速方塊 from Asia Pacific Telecom (亞太電信, APTG) is a femtocell manufactured by the Foxconn Group (鴻海集團). In the firmware version FEMTO AP-FC4064-T AP_GT_B38_5.8.3lb15-W47 LTE Build 15, a cross-site scripting issue was found.

[Screenshot 001]
[Screenshot 002]

A low privileged account with a weak default password exists on the Foxconn FEMTO AP-FC4064-T AP_GT_B38_5.8.3lb15-W47 LTE Build 15. In addition, its web management page relies on the existence or values of cookies when performing security-critical operations. One can gain privileges by modifying cookies.
In APTG 魔速方塊 version FEMTO AP-FC4064-T AP_GT_B38_5.8.3lb15-W47 LTE Build 15 there is a risk that a malicious party can use a low-privilege web management account and escalate to a high-privilege management account by modifying cookies. In this case, a user can log into the system with the default low-privilege account 「admin/admin」.

There are some accounts with different privileges on the Foxconn FEMTO AP-FC4064-T AP_GT_B38_5.8.3lb15-W47 LTE Build 15.
The account “admin” has low privileges on the web interface.
The account “foxconn” has the highest privileges on the web interface.
Use “admin” to log in. (admin/admin)

[Screenshot 003]

We can see that the account “admin” can read some config data, but it cannot modify any settings here.
Although it is called 「admin」, it can in fact only view the page contents and cannot modify any parameters.

[Screenshot 004]
[Screenshot 005]

Then we use the account “foxconn” to log in. We can see some differences compared with “admin”.
Next we log in with 「foxconn」, the highest-privilege account of the web management interface; the page shows much more content than when logged in as 「admin」. With this account the parameters can indeed be changed.

[Screenshot 006]

And we can make some changes to the config data, just like …

[Screenshot 007]

We can see the cookie when using “admin” to log in.
Below are the packet contents from logging in with the account 「admin」.

[Screenshot 008]

And this one is when using “foxconn” to log in.
Below are the packet contents from logging in with the account 「foxconn」.

[Screenshot 009]

I guess it may not have any identification to check the accounts. So I gained privileges by modifying cookies. (Mode=low => Mode=ENG)

Our team guessed that this device has no way of identifying accounts other than the password, so we modified the packet contents sent at login. (Mode=low => Mode=ENG)
[Screenshot 010]
[Screenshot 011]
[Screenshot 012]

In the end it was confirmed that on this device privileges can be escalated to the high-privilege account simply by modifying the cookie, so for CVE-2018-6312, which our team reported earlier, there is no longer any need for a dictionary attack to guess the highest-privilege user's password. After we reported it to APTG, APTG promptly and actively dealt with the related security issues.

Finally, although I use the low-privilege account “admin” to log in, I can gain privileges by modifying cookies.
And it can also be used in the situation of CVE-2018-6312 that we posted before.
CVE-2018-6312: https://gist.github.com/DrmnSamoLiu/cd1d6fa59501f161616686296aa4a6c8

The attacker can just use 「admin/admin」 to get the target’s root privilege without using a brute-force attack to get the highest-privilege account “foxconn”’s password.
After reporting to APTG and Foxconn, they released a patch within a week and resolved these problems.
-CFL Lab

