Loxone Smart Home XSS / DoS / Access Control

2015-05-14T00:00:00
ID PACKETSTORM:131951
Type packetstorm
Reporter Johannes Greil
Modified 2015-05-14T00:00:00

Description

                                        
SEC Consult Vulnerability Lab Security Advisory < 20150514-0 >  
=======================================================================  
title: Multiple vulnerabilities  
product: Loxone Smart Home  
vulnerable version: Firmware version <6.4.5.12  
fixed version: 6.4.5.12  
impact: Critical  
homepage: http://www.loxone.com  
found: 2015-03-12  
by: Johannes Greil (Office Vienna)  
SEC Consult Vulnerability Lab  
  
An integrated part of SEC Consult  
Berlin - Frankfurt/Main - Montreal - Singapore  
Vienna (HQ) - Vilnius - Zurich  
  
https://www.sec-consult.com  
  
=======================================================================  
  
Vendor & product description:  
-----------------------------  
"Loxone Electronics was founded in 2009. Our focus is the development and  
production of control solutions for all homes. Our aim is to make home  
automation interesting, affordable and accessible for everyone."  
  
URL: http://www.loxone.com/enus/company/about-us.html  
  
  
Business recommendation:  
------------------------  
Most of the issues previously identified (see SEC Consult security advisory  
SA-20150227-0) seem not to have been fixed properly and are still exploitable  
either directly or by easily bypassing implemented measures. A very short  
crash-test of only a few hours even resulted in new vulnerabilities.  
  
The Loxone smart home has multiple design and implementation flaws which  
combined could be used by an attacker to:  
1) remotely cause a denial of service condition which renders the smart  
home unusable which would effectively disable any Loxone-controlled  
alarm system,  
2) steal the user's credentials for the management interface and fully  
control the smart home,  
3) execute JavaScript code in the user's browser for further attacks,  
4) control arbitrary devices connected to the system, e.g. switch on/off  
lights, remotely open doors or garages, disable alarm system, etc.,  
5) gain access to admin passwords of Loxone partners (e.g. electricians  
who are implementing the smart home solution at customers) and  
completely take over other smart homes of the same Loxone partner!  
  
It is recommended by SEC Consult not to use this smart home system until a  
thorough security analysis (white box) of all components has been performed by  
security professionals, as a very short crash test (Blackbox) already resulted  
in critical vulnerabilities.  
  
  
Vulnerability overview/description:  
-----------------------------------  
1) Cross-site request forgery (XSRF)  
The system is vulnerable to XSRF attacks. If an attacker is able to lure a user  
into clicking a crafted link, or embeds such a link within web pages (e.g.  
discussion forums), he could control arbitrary functions within the smart home  
system.  
All functions can be controlled via web based commands, e.g. in order to switch  
on lights, remotely open doors or garages, disable the alarm system, etc.  
  
This can still be exploited in the current Loxone version and it does not seem  
to be fixed properly.  
  
  
2) HTTP Response Splitting / Header injection  
The web server of the Loxone smart home system is vulnerable to HTTP response  
splitting attacks. If an attacker is able to lure a user into clicking a  
crafted link (e.g. just by clicking a URL in a discussion forum or  
phishing email) he could arbitrarily manipulate the server's response (e.g.  
injection of JavaScript code).  
  
This can still be exploited in the current Loxone version and it does not seem  
to be fixed properly. The implemented measures/filters can be easily bypassed  
using double-encoded payloads.  
  
This attack is not limited to the admin interface, it can be exploited in any  
path of the webserver.  
  
SEC Consult has verified this attack in the most current versions of Mozilla  
Firefox and Google Chrome web browsers.  
  
  
3) Reflected cross-site scripting (XSS) vulnerability  
The web interface of Loxone smart home is vulnerable to reflected cross-site  
scripting attacks. If an attacker is able to lure a user into  
clicking a crafted link (e.g. just by clicking a URL in a discussion forum or  
phishing email) he could execute arbitrary JavaScript code in the user's  
browser. Thereby he could steal the user's credentials or control arbitrary  
devices within the smart home system. To exploit this vulnerability it isn't  
mandatory for the user to be authenticated: unauthenticated XSS vulnerabilities  
(by exploiting the HTTP Response Splitting vulnerability described in 2) exist  
as well as authenticated ones.  
  
SEC Consult has verified this attack in the most current versions of Mozilla  
Firefox and Google Chrome web browsers.  
  
  
4) Denial of service  
An attacker could perform a denial of service attack with simple measures, such  
as SYN flood attacks. During such an attack the system isn't accessible via the  
network and can't be controlled anymore, which also means that alarm systems  
won't work!  
  
This can still be exploited in the current Loxone version and it does not seem  
to be fixed properly. The miniserver was not reachable during the attack and  
rebooted after a short while (a few seconds) when running the attack (depending  
on the bandwidth).  
  
Furthermore, other new DoS attack vectors have been identified, which crash the  
web interface and are not related to the bandwidth network attacks.  
  
  
5) Decrypted Loxone config passwords in memory  
The "Loxone Config" programming software for the Loxone smart home allows saving  
the whole configuration into a XML file for backup or for user support (e.g. via  
ticketing system or discussion forum). This XML config file contains usernames  
and passwords of all configured users (admin or non-admin with different access  
levels).  
  
Loxone partners (e.g. electricians who are implementing the smart home at  
customers) may also send such config files to their customers or provide end  
users admin level access with different admin user accounts. The password of  
the Loxone partner's admin account is usually not shared and should be kept  
a secret.  
  
The passwords are stored encrypted (not hashed!) within the config file and are  
immediately decrypted in memory upon opening such a config file by the Loxone  
Config software. Access to the Loxone miniserver is not needed!  
  
An attacker exploiting this issue is able to gain access to the admin password  
of the Loxone partner! This is especially critical if the same password is being  
used in different customer installations. Attackers (e.g. one customer of the  
Loxone partner) can then directly manipulate or control other Loxone smart homes  
of the same Loxone partner!  
  
  
Proof of concept:  
-----------------  
1) Cross site request forgery (XSRF)  
  
This can still be exploited in the current Loxone version and it does not seem  
to be fixed entirely. As an example, the alarm system of the Loxone "demo case"  
can be disabled via this XSRF payload in case the admin has previously been  
authenticated for the web services and is surfing with the same web browser:  
<html>  
<img src=http://$ip/dev/sps/io/Alarmanlage/off></img>  
</html>  
  
  
2) HTTP Response Splitting / Header injection  
  
The following payload only works by accessing the web interface when a user is  
_not_ authenticated, which will be the case most of the time in regular use.  
This makes successful exploitation easier.  
  
The WWW-Authenticate header is not properly sanitized and uses the URI for the  
"Basic realm" input. Any payload within the URL will be added to the realm. It  
is possible to inject new headers or manipulate the response body in order to  
inject arbitrary HTML/JavaScript code (Response splitting / Header injection).  
  
The following URL demonstrates this issue and injects some HTML/JavaScript code  
(combined XSS attack) that generates a popup as an example:  
  
http://$ip/%2522%250aContent-Type:%20text%252fhtml%250a%250a%253chtml%253e%253cscript%253ealert%28123%29%253c%252fscript%253e%253c%252fhtml%253e  
  
  
An attacker who is able to trick a user into clicking this link (e.g. phishing  
email or discussion forum) will for example be able to re-create the login page  
of the Loxone miniserver device and trick a user into sending username/password  
to an attacker-controlled server.  
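The following is an added example (not Loxone or SEC Consult code) showing why a single-pass CR/LF filter on the request URI fails against the double-encoded payload above, and how a server should build the WWW-Authenticate header instead. The vulnerable function is a hypothetical reconstruction of the failure mode, the fixed realm string "Loxone" and the sample URI are constructed.

```python
"""Added example: double-decoding bypass of a naive header filter, and the
hardened counterpart (fixed realm plus full-decode-then-check)."""
from urllib.parse import unquote


def naive_filter(uri: str) -> str:
    """Hypothetical vulnerable pattern: CR/LF are stripped from the raw URI,
    but the value is percent-decoded again afterwards when it is used as
    the realm. %250a survives the filter and becomes '\\n' after decoding."""
    filtered = uri.replace("\r", "").replace("\n", "")  # looks safe...
    realm = unquote(filtered)                            # %250a -> %0a
    realm = unquote(realm)                               # %0a   -> '\n'
    return f'WWW-Authenticate: Basic realm="{realm}"'


def fully_decode(value: str, max_rounds: int = 5) -> str:
    """Decode until the string stops changing, so nested encodings cannot
    hide control characters from the check below."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many encoding layers")


def contains_header_injection(uri: str) -> bool:
    """Any CR, LF or other control character in the fully decoded URI means
    the value must never reach a response header (also usable as a log rule)."""
    decoded = fully_decode(uri)
    return any(ord(ch) < 0x20 for ch in decoded)


def hardened_www_authenticate(uri: str) -> str:
    """Never echo the URI into the realm: use a constant realm and reject
    suspicious URIs so the request can be logged instead of served."""
    if contains_header_injection(uri):
        raise ValueError("header injection attempt in request URI")
    return 'WWW-Authenticate: Basic realm="Loxone"'  # constructed realm name


# Constructed sample modelled on the advisory's double-encoded PoC URL.
PAYLOAD = "/%2522%250aContent-Type:%20text%252fhtml%250a%250a%253chtml%253e"
```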
  
  
3) Reflected cross-site scripting (XSS) vulnerability  
  
To reproduce this behavior it is sufficient to open the following URL as an  
authenticated user (or social engineer the victim to enter the credentials when  
prompted), which will show a popup message and turn on the LED light of the  
Loxone demo case. The payload uses double-encoded values in order to bypass the  
previously incorrectly implemented filters:  
  
http://$ip/dev/sps/io/%2522%253E%253Cscript%2520xmlns=%2527http:%2526%2523x2f%253B%2526%2523x2f%253Bwww.w3.org/1999/xhtml%2527%253Ealert%2528%2527you%2520got%2520p0wned%2520again%2527%2529%253b%2520r=new%2520XMLHttpRequest%2528%2529;%2520r.open%2528%2527GET%2527,%2527/dev/sps/io/MK_T5/on%2527,true%2529;%2520r.send%2528%2529;%253C/script%253E  
  
  
  
4) Denial of service  
  
Running the following command will keep the miniserver in a non-responsive state  
after a few seconds (depending on the bandwidth) and it will not recover until  
the attack is stopped (it will reboot afterwards). During this attack, nothing  
can be controlled anymore (no switch of the demo case worked):  
hping3 -S --flood -p 80 $ip  
  
Furthermore, the following HTTP request (sometimes it is necessary to send it a  
few times) renders the web interface itself unusable. It is not possible  
anymore to control the smart home as the web interface does not work properly  
anymore (e.g. afterwards connection reset/unreachable errors or login errors  
occur although the password has been correctly entered in the web interface,  
etc.):  
  
GET /index.html HTTP/1.1  
Host: foo  
Sec-WebSocket-Key1: foo  
  
A reboot is necessary in order to make the web interface work again.  
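As an added example (not Loxone or SEC Consult code), a small request-inspection rule set that a reverse proxy or IDS in front of the Miniserver could apply, covering the cross-site GET from PoC 1) and the Sec-WebSocket-Key1 request from PoC 4). The hostnames and sample requests are constructed; the control-path pattern assumes only the on/off endpoints shown in this advisory.

```python
"""Added example: flag cross-site control requests and the legacy WebSocket
handshake header from the DoS PoC, run over constructed sample requests."""
import re
from urllib.parse import urlsplit

OWN_HOSTS = {"miniserver.home.lan", "192.0.2.10"}  # assumed device addresses
# State-changing endpoints seen in the advisory (GET, so an <img> can fire them).
CONTROL_PATH = re.compile(r"^/dev/sps/io/[^/?#]+/(on|off)$", re.I)


def parse_request(raw: str):
    """Parse a minimal HTTP/1.x request head into (method, path, headers)."""
    lines = [line.strip() for line in raw.strip("\r\n").split("\n")]
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method.upper(), path, headers


def inspect(raw: str) -> list:
    """Return a list of findings for one request head."""
    _method, path, headers = parse_request(raw)
    findings = []
    # 1) A control URL whose Referer is missing or points to a foreign site:
    #    a legitimate click from the web interface carries the device's host.
    if CONTROL_PATH.match(path):
        ref_host = urlsplit(headers.get("referer", "")).hostname
        if ref_host not in OWN_HOSTS:
            findings.append("possible CSRF: control request with foreign or missing Referer")
    # 4) The obsolete Hixie-76 handshake header used in the DoS PoC.
    if "sec-websocket-key1" in headers:
        findings.append("legacy Sec-WebSocket-Key1 header (DoS PoC pattern)")
    return findings


# Constructed sample requests.
CSRF_SAMPLE = ("GET /dev/sps/io/Alarmanlage/off HTTP/1.1\n"
               "Host: miniserver.home.lan\nReferer: http://forum.example/thread\n")
LEGIT_SAMPLE = ("GET /dev/sps/io/Alarmanlage/off HTTP/1.1\n"
                "Host: miniserver.home.lan\nReferer: http://miniserver.home.lan/index.html\n")
DOS_SAMPLE = "GET /index.html HTTP/1.1\nHost: foo\nSec-WebSocket-Key1: foo\n"
```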
  
  
5) Decrypted Loxone config passwords in memory  
This vulnerability can be easily verified by dumping the memory of the  
attacker's own system, to which every local attacker has access, if he wants to  
gain access to the passwords of his Loxone partner or to passwords from other  
configuration files published by users on the Internet!  
  
It has been verified by installing Loxone Config in a virtual environment  
(VirtualBox) and using the following command to gain access to the memory:  
  
VBoxManage debugvm $vmname dumpguestcore --filename dump  
  
Upon opening the config file (e.g. of any Loxone partner or other end user who  
has published his configuration at the discussion forum) the Loxone Config  
software will immediately decrypt the passwords and keep them unencrypted in  
memory. The encryption key is suspected to be the same for all Loxone Config  
installations, but this has not been verified (no reverse engineering of  
Loxone Config has been performed). Access to the miniserver is not needed, it  
is simply enough to open the configuration file.  
  
The decrypted passwords of all users can be easily found in the dumped memory  
when searching for the username.  
  
  
Vulnerable / tested versions:  
-----------------------------  
The vulnerabilities have been verified to exist in firmware version 6.3.3.11 of  
the Loxone smart home, which was the most recent version at the time of discovery.  
  
It is assumed that all previous firmware versions are affected as well.  
  
  
Vendor contact timeline:  
------------------------  
2015-03-13: Contacting vendor through email, sending responsible disclosure  
policy, defining release deadline (4th May), asking for encryption keys  
2015-03-13: Vendor: no encryption available; sending advisory unencrypted  
2015-03-19: Answering question of Loxone regarding CSRF attacks  
2015-04-16: Asking for status update: Vendor asks to delay disclosure until  
14th May  
2015-05-13: Updated firmware v6.4.5.12 available  
2015-05-14: SEC Consult releases security advisory  
  
  
Solution:  
---------  
According to the vendor the firmware version v6.4.5.12 fixes the identified  
security issues.  
  
It can be downloaded at the following URL and should be installed immediately  
in order to increase the level of security:  
http://www.loxone.com/tl_files/loxone/downloads/config/Loxone-Config-6.4.5.12.zip  
  
  
Workaround:  
-----------  
Only connect to your miniserver via secure VPN and disable any port forwarding.  
Use an isolated PC (browser) to control the smart home and do not surf on the  
web while being logged in to the miniserver web interface.  
Use different passwords for all installations and don't reuse them.  
  
  
Advisory URL:  
-------------  
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
SEC Consult Vulnerability Lab  
  
SEC Consult  
Berlin - Frankfurt/Main - Montreal - Singapore - Vienna (HQ) - Vilnius - Zurich  
  
About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It  
ensures the continued knowledge gain of SEC Consult in the field of network  
and application security to stay ahead of the attacker. The SEC Consult  
Vulnerability Lab supports high-quality penetration testing and the evaluation  
of new offensive and defensive technologies for our customers. Hence our  
customers obtain the most current information about vulnerabilities and valid  
recommendation about the risk profile of new technologies.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://www.sec-consult.com/en/Career.htm  
  
Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Mail: research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
  
EOF Johannes Greil / @2015  
  