After finding vulnerabilities in the 4GEE Mobile WiFi Router last year, I thought I would give my brand new EE home broadband router a run for its money and, as last time, it turns out to be vulnerable to another attack vector, this time hard-coded credentials for SSH root access, which luckily is only available via the LAN.
This would enable any user on the LAN to gain access to the router using these hard-coded credentials.
Update: 26/10/2018 – EE have released a patch that fixes the issue. Users are recommended to follow the EE router upgrade process via the web UI.
Hardware Version/Model: 4GEE Router HH70VB-2BE8GB3 (HH70VB)
Vulnerable Software Version: HH70_E1_02.00_19
Patched Software Version: HH70_E1_02.00_21
Vulnerability CVE(s): CVE-2018-10532
Product URL: https://shop.ee.co.uk/dongles/pay-monthly-mobile-broadband/4gee-router/details
After performing security testing on the 4GEE Mobile WiFi router it was found to be affected by several security vulnerabilities. In combination, these vulnerabilities make it possible for an attacker to remotely exploit the device, which can be achieved by having a user view a crafted text message that was sent to them.
Other attacks are also possible by misleading and/or tricking users into executing code or clicking crafted URLs to trigger multiple functions such as device reset, device reboot, device restore (malicious config), sending SMS messages or stealing device configuration information, SMS messages and any other information on the device that a user may have access to and without authentication.
Additionally, multiple JSONP information disclosures were discovered, which display the full username and password of the administrative user while unauthenticated and allow access to multiple privileged functions such as device reset, device reboot and device configuration download/upload and SMS messages stored on the device.
I’d also like to note the responsiveness and prompt vulnerability resolution from EE, as I was expecting this issue to get ignored or swept under the carpet, like most IoT/router vulnerabilities; however, in this case constant communication was kept throughout the process and the issues were resolved.
Hardware Version/Model: 4GEE WiFi MBB (EE60VB-2AE8G83).
Vulnerable Software Version: EE60_00_05.00_25.
Patched Software Version: EE60_00_05.00_31.
Vulnerability CVE(s): CVE-2017-14267, CVE-2017-14268, CVE-2017-14269.
Proof of Concept Code: https://github.com/JamesIT/vuln-advisories-/tree/master/EE-4GEE-Multiple-Vulns
Back in February I found an Android application which is used by the emergency services that had exposed Azure API keys within the application, leading to potential compromise of sensitive incident reports, attachments, and infrastructure server “.vhd” files, with an access level sufficient to spin up new instances or delete them. I immediately reported this to the application developer and its respective organisation under responsible disclosure, which resulted in an instant and prompt response, for which I give huge kudos.
OWASP Defines this class of vulnerability as “Insecure Data Storage”:
Insecure data storage vulnerabilities occur when development teams assume that users or malware will not have access to a mobile device’s filesystem and subsequent sensitive information in data-stores on the device. Filesystems are easily accessible. Organizations should expect a malicious user or malware to inspect sensitive data stores. Rooting or jailbreaking a mobile device circumvents any encryption protections. When data is not protected properly, specialized tools are all that is needed to view application data.
I’ve been a user of the mobile/web application named “GoodSAM App”, an application through which the Ambulance service in London or the East Midlands can dispatch “Responders” who are trained in Basic Life Support (BLS) to cardiac arrests or other priority calls, and users at emergencies can also request a “Responder”. Now this application is absolutely brilliant in the nature of what it does and I fully support them.
Despite this, however, I did find two vulnerabilities within the application that may have been overlooked. Specifically, Cross-Site Request Forgery (CSRF) within the “Account Profile” page, along with Cross-Site Scripting (XSS) on the same page, the account profile page being loaded upon login.
Now typically, CSRF and XSS issues on their own are not that critical a vulnerability in the grand scheme of things; however, in this instance it was possible to chain the CSRF and stored XSS vulnerabilities to set the XSS payload within the account profile fields and then steal the user’s cookie every time they log in or view the page.
Finally, as the GoodSAM Data Protection section said they take data protection seriously, I thought I would not have any problems getting these vulnerabilities resolved under responsible disclosure; however, I was wrong on this occasion and have had to release the information. (See the Disclosure Issues section.)
“We take your data protection extremely seriously. We are registered with the Information Commissioners Office (no: ZA094052) and our technology team take the security of our data and servers very seriously.”
Recently I have been looking for vulnerabilities such as XSS/CSRF within online applications and came across an XSS vulnerability within the Major League Basketball (MLB) website, which was vulnerable to reflected XSS. I did attempt responsible disclosure through Open Bug Bounty and attempted contact via Twitter also, with no response returned, and hence full disclosure.
In particular, the website was vulnerable within the “FORM_CODE” parameter, with the payload --!><Svg/Onload=confirm('OPENBUGBOUNTY')> being used to trigger the reflected XSS vulnerability. (See below.)
I’ve decided to start a series of blog posts with write-ups from VulnHub to keep my skills up to date and learn more offensive techniques.
The first step was to use nmap, which revealed the presence of various open ports, in particular port 80 (HTTP).
nmap -sS -T5 192.168.74.134
Nmap scan report for 192.168.74.134
Host is up (0.00018s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
443/tcp open https
631/tcp open ipp
3306/tcp open mysql
Over the Christmas break from university, I decided that I’d take the PWK (OSCP) course, which gave me something to do over the break and ensured I had plenty of time to complete the course. Having previously done other cyber security courses such as CompTIA Security+ and eLearnSecurity’s PTPv4 course, I liked the fact that the PWK course was heavily practical in nature and had an extensive virtual lab to test penetration testing techniques on a variety of systems.
In my opinion the OSCP certification is worth the initial cost and has a high return on investment compared to other certifications, due to the fact that the course is practical and proves to employers that the candidate is competent in penetration testing concepts and can apply them to a multitude of environments. Having spoken to hiring managers, the OSCP qualification is highly desirable and is rapidly gaining recognition around the world, which makes this certification an excellent way to get into the information security field. (more…)
The other week a team from Abertay University and I went to Edinburgh for a CTF hosted by SIGINT. The CTF was a jeopardy-style CTF with various categories of challenges such as Binary Exploitation, Reverse Engineering, Web Challenges and more. Unfortunately, as there was a team limit of four, I was unable to join the team from my university and was placed with another team.
I decided I’d post a blog post on some of the challenges I undertook and how I solved them. I have not included answers to the trivia and other simpler challenges which we solved as a team. This blog post addresses one of the web challenges and the RBS bank safe challenge that I completed. (more…)
Yesterday I participated in a capture the flag event at Sheffield Hallam University organised by Cyber Security Challenge UK. It was a really interesting experience for my first in-person CTF, and I took away some points and advice for future CTFs and things I need to look at and research. I arrived at around 9:30am, got myself signed in and then had some pre-game coffee (very important before the CTF!!). Once everyone had arrived, the hosts talked about the schedule for the day, the rules and what prizes were on offer.
So about three weeks ago I won an “Elite” edition of the new mobile penetration testing course from eLearnSecurity by watching their webinar and being randomly selected. I’m really excited about this course and have been getting started now that it’s been released. I really did not expect to win!
This really helps on a student budget, and it will be relevant to the mobile development module at Abertay University next semester. I’ll be posting a review once I finish and pass the course. However, so far the course looks pretty solid, with plenty of videos, slides and virtual labs with real-world vulnerable applications.
Having completed eCPPT from eLearnSecurity in 2014, I know for sure that this would be another excellent course.
I will keep the blog up to date with more information, stay tuned!