[Suggested description] Cross Site Scripting (XSS) exists on the Foxconn FEMTO AP-FC4064-T AP_GT_B38_5.8.3lb15-W47 LTE Build 15 via the configuration of a user account. An attacker can execute arbitrary script on an unsuspecting user's browser.
[Vendor of Product] Foxconn Electronics Inc.
[Affected Product Code Base] FEMTO AP-FC4064-T - AP_GT_B38_5.8.3lb15-W47 LTE Build 15
[Impact Code execution] true
[Discoverer] CFL Lab
[Suggested description] A low privileged account with a weak default password exists on the Foxconn FEMTO AP-FC4064-T AP_GT_B38_5.8.3lb15-W47 LTE Build 15. In addition, its web management page relies on the existence or values of cookies when performing security-critical operations. One can gain privileges by modifying cookies.
[Vendor of Product] Foxconn Electronics Inc.
[Affected Product Code Base] FEMTO AP-FC4064-T - AP_GT_B38_5.8.3lb15-W47 LTE Build 15
[Attack Type] Remote
[Impact Escalation of Privileges] true
[Discoverer] CFL Lab
When login into the web interface of Foxconn FEMTO AP-FC4064-T AP_GT_B38_5.8.3lb15-W47 LTE Build 15 there had Cross Site Scripting occur.
The attacker can input some html code to cause Cross Site Scripting.
亞太電信的魔速方塊是由鴻海集團所製造的毫微微型基地台,在FEMTO AP-FC4064-T AP_GT_B38_5.8.3lb15-W47 LTE Build 15此版韌體中,發現有跨站腳本攻擊的現象發生。
A low privileged account with a weak default password exists on the Foxconn FEMTO AP-FC4064-T AP_GT_B38_5.8.3lb15-W47 LTE Build 15. In addition, its web management page relies on the existence or values of cookies when performing security-critical operations. One can gain privileges by modifying cookies.
在亞太電信魔速方塊版本FEMTO AP-FC4064-T AP_GT_B38_5.8.3lb15-W47 LTE Build 15中,存在著一個風險,有心人士可以藉由低權限的網頁管理帳號透過更改cookies提權至高權限的管理帳號。在此案例中,使用者可以輸入預設低權限的帳號「admin/admin」登入系統。
There had some accounts with different privileges on the Foxconn FEMTO AP-FC4064-T AP_GT_B38_5.8.3lb15-W47 LTE Build 15.
The account “admin” with low privileges of the web interface.
The account “foxconn” with highest privileges of the web interface.
Use “admin” to login. (admin/admin)
We can see the account “admin” can read some config data, but it could not modify any setting here.
雖然叫做「admin」但是實際上只能觀看網頁內容,不能修改任何參數。
Then we use the account “foxconn” to login. We can see some difference between “admin”.
接著我們使用網頁管理介面最高權限帳號「foxconn」登入,網頁中顯示的內容較「admin」登入時多出許多。使用該帳號確實能更改裡面的參數。
And we can do some change with the config data just like …
We can see the Cookie which is using “admin” to login.
以下是使用帳號「admin」登入的封包內容。
And this one is using “foxconn” to login
以下是使用帳號「foxconn」登入的封包內容。
I guess it maybe not had any identification to check the accounts. So I gain privileges by modifying cookies. (Mode=low => Mode=ENG)
本團隊猜測此設備應無除密碼外對設備帳號的辨識方式,故將登入時的封包內容進行修改。(Mode=low => Mode=ENG)
最後證實該設備確實只透過更改cookie的方式就提權至高權限帳號,然後在先前本團隊提報的CVE-2018-6312部分就不用再透過任何字典檔攻擊猜測最高權限使用者的密碼。通報亞太電信後,亞太電信第一時間也積極處理相關資安的議題。
Finally, although I use low privilege account “admin” to login, but I can gain privileges by modifying cookies.
And it also can used in the situation CVE-2018-6312 that we had posted before.
CVE-2018-6312: https://gist.github.com/DrmnSamoLiu/cd1d6fa59501f161616686296aa4a6c8
The attacker can just use 「admin/admin」to get the target’s root privilege without using brute-force attack to get higest privilege account “foxconn”’s password.
After reporting to APTG and Foxconn, they released a patch within a week and resolved these problems.
-CFL Lab