Legrand-003598 / Bticino-F454 Credential Disclosure

`1. OVERVIEW  
  
Credential leaks lead to complete compromise of home automation  
system  
  
2. BACKGROUND  
  
The 2 devices are identical, and act as an IP gateway between  
the SCS home automation bus, and an IP network.  
The devices uses https for the web-front, and is also open on  
port 20000 with an semi open protocol that allows controlling  
everything at the owner's location.  
  
3. VULNERABILITY DESCRIPTION  
  
A file  
  
https://[ip address of device]/TiWeb.xml  
  
is directly accessible without requiring credential requests of  
any sort, that contains plaintext login and passwords to the device  
these credentials are all that's needed to reprogram the entire home  
automation system, access video cameras in the installation, control  
the burglar alarm, and more.  
  
4. VERSIONS AFFECTED  
  
Firmare 1.00.26  
  
5. PROOF-OF-CONCEPT/EXPLOIT  
  
just head to the url on an affected device. you can find those devices  
by searching google for 'top_right_bticino' (and probably   
'top_right_legrand')  
  
6. SOLUTION  
  
upgrade to version 1.00.32 available  
  
http://www.myopen-legrandgroup.com/devices/gateways/m/f454_-_003598/38439.aspx  
  
7. VENDOR  
  
Legrand Group  
  
8. CREDIT  
  
This vulnerability was found by Raphaël Jacquot, an independant   
security researcher  
  
9. DISCLOSURE TIME-LINE  
  
2012-07-23: Vendor Notified  
2012-10-02: Vendor published non-vulnerable firmare 1.00.32  
2012-10-17: Vulnerability disclosed  
  
Best regards,  
  
Raphaël Jacquot  
  
  
`