Table of Contents
- Technical Details
- Additional Notes
- Recommendations for End Users
- German Summary / Deutsche Zusammenfassung
- See Also
The Huawei E303 http://consumer.huawei.com/en/mobile-broadband/data-card/tech-specs/e303-en.htm is a 2G/3G USB Modem.
A specially crafted HTML web page will cause a visitor’s E303 device to silently send one or more SMS (text) messages. The device will neither ask for permission nor offer any means to cancel the operation in order to avoid the costs incurred by sending these SMS messages. The recipient of the SMS messages, as well as their content, can be specified by the attacker.
2. Technical Details
The device’s web interface (Web UI) is vulnerable to Cross Site Request Forgery (CSRF). The vulnerable module is located at “/api/sms/send-sms”; e.g. http://192.168.1.1/api/sms/send-sms or http://hi.link/api/sms/send-sms.
The Web UI communicates with the vulnerable module by sending and receiving XML requests and responses via XmlHttpRequest. However, the vulnerable module can also be accessed and controlled by sending an HTTP-POST request with XML in the request’s body (see [2.1] for a capture of the HTTP request/response traffic). The vulnerable module will process this XML as if it had originated from the Web UI.
The attached PoC [2.2] has been tested and confirmed with Mozilla Firefox 25, Microsoft Internet Explorer 11 and Google Chrome 31 and the following device/software versions, which are current at the time of writing:
Device name: E303 / E303s-2 Software version: 22.157.18.00.858 Hardware version: CH2E303SM Web UI version: 11.010.06.01.858
2.1. HTTP request/response
POST /api/sms/send-sms HTTP/1.1 Host: hi.link User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.8,de-de;q=0.5,de;q=0.3 Accept-Encoding: gzip, deflate Referer: http://hi.link/ Connection: keep-alive Content-Type: text/plain Content-Length: 225 <?xml version="1.0" encoding="UTF-8"?><request><Index>-1</Index><Phones><Phone>4422</Phone></Phones><Sca></Sca><Content>Sample Text</Content><Length>0</Length><Reserved>1</Reserved><Date>2013-12-03 16:00:00</Date></request> HTTP/1.1 200 OK Date: Thu, 01 Jan 1970 04:09:18 GMT Server: IPWEBS/1.4.0 Cache-Control: no-cache Content-Length: 65 Content-Type: text/html <?xml version="1.0" encoding="UTF-8"?> <response>OK</response>
2.2. Proof of Concept
3. Additional Notes
I do not believe this vulnerability (VU#325636) to be a duplicate of VU#341526 http://www.kb.cert.org/vuls/id/341526.
While both devices suffer from a direct request vulnerability, the main differences between VU#341526 and VU#325636 are:
a) Access requirements: According to http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6031, VU#341526’s access vector is “Local network exploitable” whereas the vulnerability reported by me is not only exploitable from a local network but from the internet as well. For example, the PoC code I have sent to Huawei and CERT can simply be embedded in a web page on the internet; previous access to the victim’s local network is not required. It seems to me that in order to exploit VU#341526, an attacker has to be connected to the WLAN/WiFi network created by the device, which is not required for VU#325636.
b) Impact: According to http://www.kb.cert.org/vuls/id/341526, an attacker can “gather [and change] sensitive configuration information”, whereas the vulnerability reported by me allows an attacker to remotely control the device to the point of using its SMS functionality which is not mentioned in VU#341526’s description. Its PoC Metasploit module does not refer to or access the vulnerable “/api/sms/send-sms” module either.
To summarize; both VU#341526 and VU#325636 describe the same type of vulnerability (CWE-425 / direct request vulnerability), although the vulnerability reported by me adds a CSRF vulnerability. However, VU#325636 targets not only a different device and a different software but is also both easier to exploit and, in my opinion, easier to monetize.
4. Recommendations for End Users
It is Huawei’s responsibility to protect its customers against this vulnerability. With that being said, users of the Huawei E303 modem may want to take action to protect themselves against becoming victims of attacks targeting this vulnerability.
In order to minimize the direct financial impact of a successful attack, it is suggested to use the E303 only in connection with a pre-paid plan and a balance as low as practical.
Some web browsers offer security functionality which may be employed to strengthen defenses against attacks similar to the one described above (2.2. Proof of Concept).
Opera’s default settings prevent this vulnerability from being exploited. “http://hi.link” and “http://[Device IP]” (e.g. “http://192.168.1.1”) should not be listed as “Trusted Websites” (Menu -> Settings -> Preferences -> Advanced -> Network -> Trusted Websites)
4.2. Mozilla Firefox
The NoScript extension https://addons.mozilla.org/en-US/firefox/addon/noscript/ with its Application Boundaries Enforcer (ABE) http://noscript.net/abe/ functionality will prevent this and similar attacks.
4.3. Internet Explorer
End users can add “http://hi.link” and “http://[Device IP]” (e.g. “http://192.168.1.1”) to Internet Explorer’s list of “Restricted Sites” (Tools -> Internet Options -> Security -> Restricted Sites). Subsequently, Internet Explorer will display a warning when a web page tries to access the E303’s Web UI (“When you send information to the Restricted area, it might be possible for others to see that information. Do you want to continue?”). It is still the end user’s responsibility to read and understand this warning message and, of course, to choose “No” despite “Yes” being pre-selected.
4.4. Google Chrome
I am not aware of settings/extensions comparable to the ones mentioned above.
I am not aware of settings/extensions comparable to the ones mentioned above.
5. German Summary / Deutsche Zusammenfassung
Die Administrationsoberflaeche des UMTS-USB-Sticks E303 von Huawei ermoeglicht einem Angreifer den fuer das Opfer unsichtbaren Versand kostenpflichtiger SMS-Nachrichten. Dazu ist es ausreichend, dass das Opfer eine entsprechend praeparierte Webseite besucht.
Der Huawei E303 ist derzeit der in seiner Amazon.de-Bestseller-Liste am besten positionierte UMTS-USB-Stick (http://www.amazon.de/gp/bestsellers/computers/430148031/) und duerfte in Deutschland entsprechend weit verbreitet sein.
In deutscher Sprache wird der Sachverhalt unter anderem auf golem.de (http://www.golem.de/news/huawei-sms-verschicken-auf-fremde-kosten-1406-106873.html), netzwoche.ch (http://www.netzwoche.ch/de-CH/News/2014/06/04/Moegliche-Sicherheitsluecke-bei-Huawei-Surfstick-E303.aspx) und heise.de (http://www.heise.de/security/meldung/UMTS-Stick-mit-SMS-Falle-2214265.html) beschrieben.
2013-12-03 Vulnerability discovered.
2013-12-03 Vulnerability reported to Huawei PSIRT, following the procedure outlined at http://www.huawei.com/en/security/psirt/report-vulnerabilities/index.htm.
2014-03-08 (Three months later, still no response from Huawei PSIRT.)
2014-03-09 Vulnerability reported to CERT/CC.
2014-03-10 CERT Coordination Center Tracking ID VU#325636 assigned.
2014-05-09 CERT/CC assigns CVE-ID CVE-2014-2946.
2014-05-21 Huawei requests additional information; announces preparation of fix.
2014-05-30 Public disclosure.
7. See Also
- CERT/CC Vulnerability Note VU#325636: http://www.kb.cert.org/vuls/id/325636
- CVE-2014-2946 at cve.mitre.org: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2946
- CVE-2014-2946 at NVD: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2946
- Huawei Security Notice http://www.huawei.com/en/security/psirt/security-bulletins/security-notices/hw-329005.htm