Catégories
Misc

Multiple XSS in HooToo HT-TM05

The HT-TM05 from HooToo is a travel router designed to be a sort of Swiss army knife : self-powered, it can be used as an external battery, as a wifi router, it is also equipped with a USB port so you can connect a USB drive and share its content through the network. This device also features a web interface allowing you to manage the router and to browse your USB drive through a web file explorer.

Unfortunately, from a security perspective, this web interface is vulnerable to multiple XSS.

Unauthenticated XSS through the SSID of nearby wifi devices

Verified in 2.000.084.

HT-TM05 routers can connect to a wireless access point.

It is possible to trigger an XSS in the web interface against an admin user by setting up a wifi device with a XSS payload in its SSID.
For my tests, I have set up an access point with my phone, with
« <img/src/onerror=alert(1)> » as the SSID.

XSS payload in the SSID

As a result, when an admin goes to « Settings -> Network Settings -> Internet » (/app/network/internet.html), the router will scan the nearby wifi APs and try to display their name. This will result in XSS since a payload is included in the SSID.

XSS triggers when scanning nearby WiFi access points

XSS also occurs in « Settings -> Setup Wizard » (/app/wizard/internet.html), since the router will display nearby wifi APs here as well.

A similar XSS triggers in the setup wizard

Multiple stored XSS in file and folder names

Verified in 2.000.084.

Both vulnerabilities are located in the page « /app/explorer/explorer.html ».
The HT-TM05 routers have NAS features, allowing to browse a USB drive plugged to the router.

If storage is attached, it is possible for a guest to create a folder inside the « Share » folder with a XSS payload in its name by issuing this sort of request:

MKCOL request to create a folder with a XSS payload in its name

This request will create a folder « foo<img src onerror=alert(1)>bar » on the disk.

Folder with a XSS payload in its name is created

If an admin opens this folder, XSS will trigger:

XSS triggers once the folder is opened

You can also create a file with a XSS payload in its name. Here is the request to rename a file:

MOVE request to rename a file and put a XSS payload in the name

The path follows the source file location and the « Destination » header contains the destination file path. I named it « fw »><img src onerror=alert(2)>test.084 ».

The file is renamed. After that, if an admin attempts to rename the file via the web interface, XSS will trigger:

XSS triggers when the file is renamed through the web interface

Stored XSS through arbitrary file upload

Verified in 2.000.084.

It is possible for a guest to upload arbitrary files through the « explorer ». You just need to upload a HTML file with the following content:

<script>alert(1)</script>

When the admin opens the file XSS will trigger.

XSS is possible because of arbitrary file upload

Asking the user-agent to download files instead of rendering them would prevent XSS here. Those are NAS features, there is no reason to allow HTML files to be rendered.

Disclosure timeline

31/12/2021 : First contact with HooToo. Answer from HooToo the same day asking for order number. Order number communicated.

02/01/2022 : Acknowledgement from HooToo. The same day, I sent the details to HooToo.

09/02/2022 : Asked for an update.

10/02/2022 : Response from HooToo : « We just sent this information to the technical team and they could not find the problem. As this product was no longer manufactured, it was no longer updated. ».

24/02/2022 : HooToo notified of the scheduled public disclosure, draft attached.

Catégories
CVEs

CVE-2021-22872 – XSS in Revive Adserver

Revive Adserver was vulnerable to a reflected XSS in /www/delivery/afr.php that was reported through their HackerOne program here.

afr.php would reflect the query string. The patch for one of the two reflections that occurred in a Javascript context was this one:

Fix for the first report

I guess the goal was to to escape quotes, in order to prevent to close the string and then insert other Javascript instructions.

The problem with this fix was that we could just close the <script> tag and start a new one with our own script, like:

https://revive-instance/www/delivery/afr.php?refresh=10000&</script><script>alert(1)</script>

Even Burp was able to identify the vulnerability by itself:

Response reflects the XSS payload

The impact of this reflected XSS was quite limited by the fact that the querystring was sent URL-encoded by most modern browsers, and was reflected URL-encoded. XSS would trigger in browsers that don’t encode the querystring, for example Internet Explorer up to the latest version:

XSS triggers in Internet Explorer 11

I reported the vulnerability through their HackerOne VDP on September 20th 2020. It was fixed in Revive Adserver v5.1.0 that was released on January 19th 2021, and attributed CVE-2021-22872.

References