Title:
PQI AirCard Multiple Vulnerabilities in web-server (persistent XSS, clear text sensitive info)
Timeline:
10 August 2013 - Discovery date
26 August 2013 - Mediator (Secunia) notified
26 August 2013 - Mediator recommends to contact Vendor due to termination of Vulnerability Coordination Program
26 August 2013 - Vendor contact tentative
27 August 2013 - CVE assigned for XSS part by mitre.org
Author:
Andrei Costin of "FIRMWARE.RE" project
andrei@firmware.re
andrei@andreicostin.com
Vulnerability discovered using "FIRMWARE.RE" platform/service
Security advisory numbering:
CVE-2013-5637
ACSA-2013-007 (related to ACSA-2013-006)
Vendor:
PQI
http://www.pqigroup.com/
Product(s):
PQI Air Card Wi-Fi Memory Card
http://www.pqigroup.com/prod_in.aspx?mnuid=1286&modid=138&prodid=426
Product version(s) affected:
firmware versions <= AirCard_V147
ACTION ITEM on vendor: kind request to confirm all the affected software/firmware revisions
CWE categories:
CWE-79: Persistent/Stored XSS
CWE-319: Cleartext Transmission of Sensitive Information
CWE-312: Cleartext Storage of Sensitive Information
Vulnerability details:
CWE-79: Persistent/Stored XSS
The following fields are affected in the http://AirCard_IP/cgi-bin/kcard_edit_config_insup.pl
WiFiSettings:
SSID
Pre-shared key
Internet Hotspot Settings
SSID1
KEY1
SSID2
KEY2
The JavaScript client-side-only validation functions check_pass() and check_string() are not sufficient to
stop a persistent XSS injection attack.
The persistent XSS can be injected directly into /etc/wsd.conf, or the execution of
check_pass() and check_string() can be circumvented, since nothing is validated or encoded on the server side.
CWE-319: Cleartext Transmission of Sensitive Information
http://AirCard_IP/cgi-bin/get_config.pl
http://AirCard_IP/cgi-bin/kcard_edit_config.pl
http://AirCard_IP/cgi-bin/kcard_save_config.pl
Also, the page /cgi-bin/kcard_edit_config.pl places the password values directly in the "value=" property of the "input" fields.
Since the password fields are of "type=password", a _normal user_ normally sees something like "*******" and not the value of the password itself.
Hence, setting the password fields' values to the password itself is useless from a UI point of view, while it still exposes the cleartext password in the page source.
It would be better to fill the field with a string of '*' characters of the password's length, or better still of a random length, so as not to leak information about the password length.
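The two points above (server-side validation and output encoding instead of client-side-only checks, and never echoing the stored password into the edit form) can be demonstrated together. The following is an added example written for this advisory in Python; it is not the AirCard's own Perl CGI code, and the function names, the field set and the sample configuration values are constructed for illustration. It applies HTML attribute encoding to every stored value before it lands in a value="" property, enforces the 802.11 SSID length limit and the WPA passphrase rules on the server regardless of what the browser did, and renders password fields with a mask of random length rather than the secret.

```python
import html
import random
import string

# Constructed sample of the WiFi/hotspot settings the device stores. The SSID
# carries an attribute-breakout payload to show that encoding, not the page's
# JavaScript, is what keeps it inert. This is not the device's real config.
SAMPLE_CONFIG = {
    "SSID": 'Net"><i>x</i>',
    "Pre-shared key": "s3cret-psk-value",
    "SSID1": "HomeNet",
    "KEY1": "home-password-1",
}

# Fields that must never be echoed back into the page (assumed set, after the
# field names listed in the advisory).
PASSWORD_FIELDS = {"Pre-shared key", "KEY1", "KEY2"}

# Printable ASCII without control/whitespace characters other than space.
PRINTABLE_ASCII = set(string.printable) - set("\t\n\r\x0b\x0c")


def validate_wifi_settings(config):
    """Server-side validation, independent of any JavaScript in the page.

    SSIDs are 1-32 bytes (IEEE 802.11); WPA/WPA2 passphrases are 8-63
    printable ASCII characters. Returns a list of (field, reason) rejections;
    an empty list means the submission is acceptable to store.
    """
    errors = []
    for field, value in config.items():
        if field.startswith("SSID"):
            if not 1 <= len(value.encode("utf-8")) <= 32:
                errors.append((field, "SSID must be 1-32 bytes"))
        elif field in PASSWORD_FIELDS:
            if not 8 <= len(value) <= 63 or any(c not in PRINTABLE_ASCII for c in value):
                errors.append((field, "passphrase must be 8-63 printable ASCII characters"))
    return errors


def password_mask(rng=None):
    """Placeholder for a password input: a run of '*' of random length (8-16)
    so the rendered page leaks neither the password nor its length."""
    rng = rng or random.Random()
    return "*" * rng.randint(8, 16)


def render_config_form(config, rng=None):
    """Render the edit form. Every stored value goes through html.escape with
    quote=True before being placed in a value="" attribute, so a stored payload
    is displayed as text rather than interpreted; password fields never receive
    the stored secret, only a mask."""
    rows = []
    for field, value in config.items():
        name = html.escape(field, quote=True)
        if field in PASSWORD_FIELDS:
            rows.append('<input type="password" name="%s" value="%s">' % (name, password_mask(rng)))
        else:
            rows.append('<input type="text" name="%s" value="%s">' % (name, html.escape(value, quote=True)))
    return '<form method="post">\n' + "\n".join(rows) + "\n</form>"


if __name__ == "__main__":
    print("validation errors:", validate_wifi_settings(SAMPLE_CONFIG))
    print(render_config_form(SAMPLE_CONFIG))
```

Because the form is regenerated from stored values on every request, encoding at render time protects the page even when a payload reached /etc/wsd.conf by some path other than the web form; the validation step is what keeps unexpected values out of the file in the first place.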
CWE-312: Cleartext Storage of Sensitive Information
http://AirCard_IP/cgi-bin/ftpsend.conf (AirCard only)
wsd.conf
stored as: /etc/wsd.conf
served via: http://AirCard_IP/cgi-bin/get_config.pl
Anyone taking possession of or intercepting wsd.conf (over clear-text HTTP) gets several more credentials (such as FTP and WiFi), which widens the
attack surface onto the user's other systems.
NOTE: In certain versions/products, the above applies only to an authenticated/admin user, which somewhat reduces the attack surface but does not help systems left with default passwords.
NOTE: Related research and related vulnerabilities can be found here: https://forum.openwrt.org/viewtopic.php?id=45820
About the author/project:
Firmware.RE is part of the Firmware Genome Project.
Firmware.RE is a free online service that:
- unpacks, scans and analyzes almost any firmware package and facilitates the quick detection of vulnerabilities, backdoors and all kinds of embedded malware.
- facilitates firmware mounting, modification, loading and emulation.
- facilitates firmware vulnerability and backdoor discovery.
- helps secure your embedded and internet-of-things devices.