Title: PQI AirCard Multiple Vulnerabilities in web-server (persistent XSS, clear text sensitive info) Timeline: 10 August 2013 - Discovery date 26 August 2013 - Mediator (Secunia) notified 26 August 2013 - Mediator recommends to contact Vendor due to termination of Vulnerability Coordination Program 26 August 2013 - Vendor contact tentative 27 August 2013 - CVE assigned for XSS part by mitre.org Author: Andrei Costin of "FIRMWARE.RE" project firstname.lastname@example.org email@example.com Vulnerability discovered using "FIRMWARE.RE" platform/service Security advisory numbering: CVE-2013-5637 ACSA-2013-007 (related to ACSA-2013-006) Vendor: PQI http://www.pqigroup.com/ Product(s): PQI Air Card Wi-Fi Memory Card http://www.pqigroup.com/prod_in.aspx?mnuid=1286&modid=138&prodid=426 Product version(s) affected: firmware versions <= AirCard_V147 ACTION ITEM on vendor: kind request to confirm all the affected software/firmware revisions CWE categories: CWE-79: Persistent/Stored XSS CWE-319: Cleartext Transmission of Sensitive Information CWE-312: Cleartext Storage of Sensitive Information Vulnerability details: CWE-79: Persistent/Stored XSS The following fields are affected in the http://AirCard_IP/cgi-bin/kcard_edit_config_insup.pl WiFiSettings: SSID Pre-shared key Internet Hotspot Settings SSID1 KEY1 SSID2 KEY2 SSID2 KEY2 The JS client-side only validation check_pass() and check_string() do not provide sufficient means to stop persistent XSS injection attack. The persistent XSS can be injected directly into /etc/wsd.conf or the check_pass() and check_string() execution circumvented. CWE-319: Cleartext Transmission of Sensitive Information http://AirCard_IP/cgi-bin/get_config.pl http://AirCard_IP/cgi-bin/kcard_edit_config.pl http://AirCard_IP/cgi-bin/kcard_save_config.pl Also, the page /cgi-bin/kcard_edit_config.pl loads directly the password values in the "input" fields "value=" property. Since the password fields are of "type=password", a _normal user_ normally sees something like "*******" and not the value of the password itself. Hence, setting password fields values to the password itself is useless from UI point of view. It's more feasible just to set it to text filled with '*' of the length of the password, or better with a random length so not to leak info on the password length. CWE-312: Cleartext Storage of Sensitive Information http://AirCard_IP/cgi-bin/ftpsend.conf (AirCard only) wsd.conf stored as: /etc/wsd.conf served via: http://AirCard_IP/cgi-bin/get_config.pl Anyone taking posession or intercepting wsd.conf (via clear-text HTTP) get's several more credentials (like FTP and WiFi), which maximizes the attack surface onto the user's other systems. NOTE: In certain versions/products, the above applies only to authenticated/admin user, somehow minimizing attack surface, but doesn't help systems with default passwords. NOTE: Related research and related vulnerabilities can be found here: https://forum.openwrt.org/viewtopic.php?id=45820 About the author/project: Firmware.RE is part of the Firmware Genome Project. Firmware.RE is a free online service that: - unpacks, scans and analyzes almost any firmware package and facilitates the quick detection of vulnerabilities, backdoors and all kinds of embedded malware. - facilitates firmware mounting, modification, loading and emulation. - facilitates firmware vulnerability and backdoor discovery. - helps secure your embedded and internet-of-things devices.