Category: Telecommunications

Jan 14 2010

MiFi GeoPwn (GPS info via XSS+CSRF)

The MiFi by Novatel Wireless (re-branded and sold by multiple vendors such as Sprint and Verizon) is a mobile wifi hotspot. The MiFi also has a built-in GPS to provide location-based searching. Turns out that the web interface to this little device has a lot going on that can be exploited, from gaining the user’s GPS data to terminating the user’s connectivity. Before we get into the details, let’s start with a story that begins right after I found the initial vulnerabilities (besides notifying the vendor).

12:19:58 AM Adam Brault (&yet): so tell me about the mifi pwn
12:20:24 AM Adam Baldwin: http://ngenuity.org/dev/mifi.html (code is not there now so don’t bother clicking)
12:20:33 AM Adam Baldwin: just read the source
12:20:35 AM Adam Baldwin: it’s simple
12:20:49 AM Adam Baldwin: changes your SSID to pwned and your secret key to javascript (and executes that javascript)

At this point my phone rings. Adam was apparently using his MiFi in a remote location at the time he clicked on the link I sent him. It was at that moment that we realized that a valid session was not required and that it would kill the connection for Verizon users with firmware version 11.43.2 (I think). Adam was without Internet and had to factory reset his MiFi.

So there are a few things going on that make this possible. I will try to detail them here.

1. Authentication not required.

The MiFi does not require a valid session to commit changes to configuration settings. This makes exploiting the issues below a lot easier, since the victim does not need to have a valid session.

2. Enable GPS without the user’s knowledge.

The GPS on a MiFi can be enabled by visiting the following URL. Depending on the situation the victim may get an alert that says “Login Required”, but if they are like the typical user they will simply click on it and forget it ever happened.

3. Cross-Site Request Forgery (CSRF)

The web interface does not validate the referrer or use any magical tokens to protect against CSRF. This means that we can have a victim visit our malicious website and do evil things like change the wireless settings of the MiFi.

4. Output Encoding

In multiple locations of the MiFi web interface, user input is not properly encoded when output back to the user. One interesting location is the key field for the wifi settings. I’m wondering why the hell somebody thought it was a good idea to print the wifi key in clear text back to the user, and in this case it’s not properly encoded either, giving us a nice 63-character persistent injection point for script.

So for those that weren’t paying attention: any MiFi user that visits a specially crafted page will give up their GPS location to the attacker.
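To make the four issues above concrete from the defender's side, here is a small Python model of a hotspot settings handler, added here as an illustration and not code from the MiFi firmware or from this post: the weak path accepts any request and echoes the key unescaped, while the hardened path requires a POST, a valid session, an Origin matching the device, a per-session CSRF token, and never reflects the key. The class, method names and the DEVICE_ORIGIN placeholder are assumptions, not values from the device.

```python
import html
import hmac
import secrets

# Assumed management origin of the admin page (placeholder, not a real MiFi value).
DEVICE_ORIGIN = "http://hotspot.admin.invalid"
MAX_KEY_LEN = 63  # WPA passphrase limit: the size of the injection point described above


class WifiSettingsEndpoint:
    """Toy model of the settings handler. apply_weak mirrors the behaviour
    described in the post; apply_hardened closes each of the four gaps."""

    def __init__(self):
        self.sessions = {}  # session id -> CSRF token bound to that session
        self.settings = {"ssid": "hotspot", "key": "", "gps": False}

    def login(self):
        """Issue a random session id and a random CSRF token tied to it."""
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = secrets.token_urlsafe(16)
        return sid, self.sessions[sid]

    def apply_weak(self, form):
        """Any request, no session, no origin or token check, key echoed raw."""
        self.settings.update(form)
        return 200, f"<p>Key: {self.settings['key']}</p>"

    def apply_hardened(self, method, headers, cookies, form):
        if method != "POST":                        # issue 2: no state change on a GET
            return 405, "use POST"
        sid = cookies.get("session")
        if sid not in self.sessions:                # issue 1: session required
            return 401, "login required"
        if headers.get("Origin") != DEVICE_ORIGIN:  # issue 3: origin check
            return 403, "cross-origin request rejected"
        if not hmac.compare_digest(form.get("csrf", ""), self.sessions[sid]):
            return 403, "invalid csrf token"        # issue 3: per-session token
        key = form.get("key", self.settings["key"])
        if len(key) > MAX_KEY_LEN:
            return 400, "key too long"
        self.settings["ssid"] = form.get("ssid", self.settings["ssid"])
        self.settings["key"] = key
        self.settings["gps"] = form.get("gps") == "on"
        # issue 4: do not reflect the secret at all; escape whatever is reflected
        return 200, f"<p>SSID: {html.escape(self.settings['ssid'])}</p><p>Key: (hidden)</p>"
```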

Here is a video clip for the Sprint MiFi (firmware AP 11.47.17, router 018.0101) of the working proof of concept.
http://evilpacket.net/2010/jan/14/mifi-geopwn/

NGENUITY-2010-003
BID: 37830

Jan 02 2009

Reach Out And Touch Someone

Many businesses are turning to Voice over IP (VOIP) to reduce overhead. Like many other technologies, VOIP (or any other phone system) adds additional risk to your business that you may not be aware of. Phone systems today (as they have been for a while) are just computer systems and must be considered in the overall security strategy of your business. Left out, their software becomes outdated, passwords become stale, and the potential for loss increases.

Consider the following example, where a 4-digit password protected the phone system from outside attackers. How would your business react to a $52,000 phone bill (plus the lost time dealing with the phone company)?

http://www.winnipegfreepress.com/local/hacker_makes_costly_calls.html

Remember:

  • Change your voice mail password as often as (or more often than, because it is shorter) your computer passwords.
  • Check for firmware and software updates for your telecommunications equipment just like you do for your computer systems.
  • Review the agreement between you and your VOIP / Telco provider to ensure that charges can be disputed should your system be compromised.
  • Have your system audited by a professional as part of your yearly system maintenance.