The HT-TM05 from HooToo is a travel router designed to be a sort of Swiss army knife : self-powered, it can be used as an external battery, as a wifi router, it is also equipped with a USB port so you can connect a USB drive and share its content through the network. This device also features a web interface allowing you to manage the router and to browse your USB drive through a web file explorer.
Unfortunately, from a security perspective, this web interface is vulnerable to multiple XSS.
Unauthenticated XSS through the SSID of nearby wifi devices
Verified in 2.000.084.
HT-TM05 routers can connect to a wireless access point.
It is possible to trigger an XSS in the web interface against an admin user by setting up a wifi device with a XSS payload in its SSID.
For my tests, I have set up an access point with my phone, with
« <img/src/onerror=alert(1)> » as the SSID.
As a result, when an admin goes to « Settings -> Network Settings -> Internet » (/app/network/internet.html), the router will scan the nearby wifi APs and try to display their name. This will result in XSS since a payload is included in the SSID.
XSS also occurs in « Settings -> Setup Wizard » (/app/wizard/internet.html), since the router will display nearby wifi APs here as well.
Multiple stored XSS in file and folder names
Verified in 2.000.084.
Both vulnerabilities are located in the page « /app/explorer/explorer.html ».
The HT-TM05 routers have NAS features, allowing to browse a USB drive plugged to the router.
If storage is attached, it is possible for a guest to create a folder inside the « Share » folder with a XSS payload in its name by issuing this sort of request:
This request will create a folder « foo<img src onerror=alert(1)>bar » on the disk.
If an admin opens this folder, XSS will trigger:
You can also create a file with a XSS payload in its name. Here is the request to rename a file:
The path follows the source file location and the « Destination » header contains the destination file path. I named it « fw »><img src onerror=alert(2)>test.084 ».
The file is renamed. After that, if an admin attempts to rename the file via the web interface, XSS will trigger:
Stored XSS through arbitrary file upload
Verified in 2.000.084.
It is possible for a guest to upload arbitrary files through the « explorer ». You just need to upload a HTML file with the following content:
<script>alert(1)</script>
When the admin opens the file XSS will trigger.
Asking the user-agent to download files instead of rendering them would prevent XSS here. Those are NAS features, there is no reason to allow HTML files to be rendered.
Disclosure timeline
31/12/2021 : First contact with HooToo. Answer from HooToo the same day asking for order number. Order number communicated.
02/01/2022 : Acknowledgement from HooToo. The same day, I sent the details to HooToo.
09/02/2022 : Asked for an update.
10/02/2022 : Response from HooToo : « We just sent this information to the technical team and they could not find the problem. As this product was no longer manufactured, it was no longer updated. ».
24/02/2022 : HooToo notified of the scheduled public disclosure, draft attached.