Huawei Mobile Hotspot remote root code execution by SMS (user-triggered)

Posted on Mon 15 July 2013 in Advisory

Huawei E587 3G Mobile Hotspot, version 11.203.27, is prone to two vulnerabilities in its WebUI: an XSS and a command injection.
The combination of both allows an attacker (with a little help from the victim) to remotely execute code on the device with root privileges by sending a specially crafted SMS.
The vendor was notified on 2013/03/18.

Huawei WebUI XSS in SMS inbox page

In /js/main.js, the function smsReplaceData() is used to escape HTML tags in incoming SMS messages before they are displayed in the UI.
A specially crafted SMS bypasses this flawed function and injects HTML tags into the SMS inbox page:

</Content><Index>0'/><![CDATA[<script type="text/javascript">alert(1);</script><input type="checkbox" id='x]]></Index><Content>Coucou, tu veux voir ma balise ?

This XSS is executed when the user browses to the SMS inbox page. The device shows a notification icon on its small screen to alert the user of incoming SMS.
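The sample above shows two contexts being confused at once: the SMS body is embedded unescaped in the XML the API returns (so it can close </Content> and open a CDATA section), and the inbox page then inserts that text into HTML after a tag-stripping pass. The following is an added illustration, not code from the advisory or from Huawei's main.js, of the fix a defender would want in each context: escape the text for the context it lands in instead of trying to filter tags. The function names are mine, and the advisory's proof-of-concept SMS body is embedded as the constructed test input.

```javascript
// Added illustration, not Huawei's main.js or smsReplaceData(): untrusted SMS
// text is escaped for the context it lands in (XML on the API side, HTML on
// the inbox page) instead of being filtered for "dangerous" tags.

// Constructed sample: the proof-of-concept SMS body from the advisory.
const SAMPLE_SMS =
  "</Content><Index>0'/><![CDATA[<script type=\"text/javascript\">alert(1);</script>" +
  "<input type=\"checkbox\" id='x]]></Index><Content>Coucou, tu veux voir ma balise ?";

// Context 1: the device API returns the inbox as XML. Every SMS body must be
// escaped as XML text; the injected </Content>, <Index> and ]]> then become
// literal characters and can no longer close or open elements.
function xmlTextElement(name, text) {
  const escaped = String(text).replace(/[&<>]/g, ch => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;' }[ch]));
  return `<${name}>${escaped}</${name}>`;
}

// Context 2: the browser-side inbox page inserts each body into HTML. Escape
// the five characters that can change HTML structure; do not try to enumerate
// tags, which is what a "replace data" filter attempts and gets wrong.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

function renderSmsRow(index, body) {
  // The index must be a non-negative integer; anything else is rejected, not escaped.
  if (!Number.isInteger(index) || index < 0) throw new TypeError('invalid SMS index');
  return `<tr><td>${index}</td><td>${escapeHtml(body)}</td></tr>`;
}

// Self-check helper: count occurrences of a literal substring.
function countOf(haystack, needle) {
  return haystack.split(needle).length - 1;
}

// Demonstration on the advisory's sample: exactly one </Content> survives,
// and no <script> tag reaches the page.
console.log(xmlTextElement('Content', SAMPLE_SMS));
console.log(renderSmsRow(0, SAMPLE_SMS));
```

In a real page the simplest equivalent of escapeHtml is to assign the body to element.textContent and let the DOM encode it; the escaping function is shown here so the effect on the sample is visible as a string.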

Huawei WebUI Shell injection (CVE-2013-2612)

The HTTP endpoint "/api/device/time" in the WebUI is vulnerable to shell command injection, which allows code execution with root privileges.

javascript:saveAjaxData("api/device/time","<?xml ?><request><Month>;mkdir </Month><Day>/tmp/A #</Day><Hour></Hour><Min></Min><Year></Year><Sec></Sec></request>");

You need to split your shell command across the children of the <request> node, since each child node is limited to 7 characters.
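The 7-character limit is the only thing standing between the request and the shell, and a length cap is not validation. As an added illustration of what the endpoint should do (not the device's real handler, whose code is not on the page), the example below parses each child of <request> as a bounded decimal integer and builds the resulting command as an argument vector, so no request byte is ever interpreted by a shell. The use of a BusyBox-style `date -u MMDDhhmmCCYY.ss` call is an assumption about the device; the function names are mine, and the injected request from the advisory is embedded as a constructed test input alongside a legitimate one.

```javascript
// Added illustration, not the device's real handler: the fields of a
// /api/device/time request are parsed as bounded integers, and the resulting
// command is built as an argument vector rather than a shell string.

// Constructed sample: the injected request body shown in the advisory.
const SAMPLE_REQUEST =
  '<?xml ?><request><Month>;mkdir </Month><Day>/tmp/A #</Day><Hour></Hour>' +
  '<Min></Min><Year></Year><Sec></Sec></request>';

// Constructed sample: a legitimate request of the same shape.
const GOOD_REQUEST =
  '<?xml ?><request><Month>7</Month><Day>15</Day><Hour>9</Hour><Min>30</Min>' +
  '<Year>2013</Year><Sec>0</Sec></request>';

// Allowed range for each child of <request>.
const TIME_FIELDS = { Year: [2000, 2099], Month: [1, 12], Day: [1, 31], Hour: [0, 23], Min: [0, 59], Sec: [0, 59] };

// Minimal extraction of the six text children (sufficient for this fixed, flat shape).
function extractFields(xml) {
  const fields = {};
  for (const name of Object.keys(TIME_FIELDS)) {
    const m = new RegExp(`<${name}>([^<]*)</${name}>`).exec(xml);
    fields[name] = m ? m[1] : '';
  }
  return fields;
}

// Returns { ok: true, value: {Year, Month, ...} } or { ok: false, error }.
// Anything that is not a short run of ASCII digits is rejected outright;
// ";mkdir " and "/tmp/A #" never reach the integer stage.
function validateTimeFields(fields) {
  const value = {};
  for (const [name, [lo, hi]] of Object.entries(TIME_FIELDS)) {
    const raw = fields[name];
    if (typeof raw !== 'string' || !/^\d{1,4}$/.test(raw)) {
      return { ok: false, error: `${name}: must be a decimal integer` };
    }
    const n = Number(raw);
    if (n < lo || n > hi) return { ok: false, error: `${name}: out of range ${lo}-${hi}` };
    value[name] = n;
  }
  return { ok: true, value };
}

const pad2 = n => String(n).padStart(2, '0');

// Argument vector for an assumed BusyBox `date -u MMDDhhmmCCYY.ss`; it is meant
// to be passed to execv-style spawning, never joined into a shell command line.
function buildDateArgv(t) {
  return ['date', '-u', `${pad2(t.Month)}${pad2(t.Day)}${pad2(t.Hour)}${pad2(t.Min)}${t.Year}.${pad2(t.Sec)}`];
}

function handleTimeRequest(xml) {
  const result = validateTimeFields(extractFields(xml));
  return result.ok ? { ok: true, argv: buildDateArgv(result.value) } : result;
}

// The advisory's request is rejected; the legitimate one yields a fixed-shape argv.
console.log(handleTimeRequest(SAMPLE_REQUEST));
console.log(handleTimeRequest(GOOD_REQUEST));
```

The two layers are deliberately independent: the allowlist stops the injected values at the parsing stage, and the argv construction means that even a value that slipped through could only ever be a malformed date argument, not a second command.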

Now, you may try to combine them.