CUJO Firewall User Enumeration / Authorization Bypass

02 Feb 2019 00:00:00 | Reported by CUJ0 FAIL | Type: packetstorm | Source: packetstormsecurity.com

CUJO Firewall Authorization Bypass, User Enumeration

` *TL;DR:* Although the CUJO Firewall is a cute device and quite challenging to  
break from a hardware-hacking point of view, its APIs (which are just a  
click away once certificate pinning and the APK's obfuscation are bypassed) suffer from  
authorization bypass issues.  
An attacker could easily enumerate all existing users and, for each of  
them, create a new 24/7 schedule that will be automatically enabled and  
will automatically pause the internet.  
This amounts to a DoS attack, denying internet access to all  
devices under CUJO's "protection".  
A malicious user could also delete all existing schedules for  
all of CUJO's customers.  
  
*Vendor Description:*  
"CUJO is an intelligent firewall which aims to protect your connected home  
from online threats. From desktops to mobiles, tablets to smart TVs, CUJO  
monitors all network activity to keep you safe from harm.  
Once set up, CUJO <https://www.getcujo.com/> acts as a gateway between your  
devices and the outside world. It checks devices as they connect to your  
network, analyzes packets as they leave and arrive, looks for attempts to  
access malware command-and-control servers and tests for man-in-the-middle  
attacks. Threats are blocked automatically, although you can also see and  
control some of what's happening via iOS and Android apps.  
CUJO is much more than a simple hardware firewall. A lot of its processing  
is carried out in the cloud, where it analyzes metadata from your network  
connections, checks for problems and instructs your device to block any  
threats. This reduces the load on CUJO's own processor, and makes it easier  
for the system to detect brand-new dangers.  
Simple device-level parental controls are thrown in as a bonus, allowing  
you to block access to websites by type. There is no need to install  
software on the clients, everything is managed from CUJO and its apps." (from  
https://www.techradar.com/reviews/cujo)  
  
  
*Operational Overview & Prologue:*  
The CUJO solution is composed of three entities:  
  
- *CUJO Mobile App:* obfuscated APK/IPA with certificate pinning, used  
to register and configure the CUJO Firewall.  
- *CUJO Firewall:* a physical device based on an Octeon MIPS CPU with  
dual gigabit ethernet NICs.  
- *CUJO Cloud:* server-side infrastructure that acts as a relay for all  
communications between the app and the device itself.  
  
  
For each CUJO account, multiple profiles can be created, and each profile  
may contain multiple schedules. A schedule defines:  
  
- When it takes effect (e.g. hourly, daily, only on certain days,  
etc.)  
- A specific rule (e.g. blocking website categories, a specific list of  
domains, etc.)  
- Whether to pause the internet (i.e. block all traffic)  
  
*Proof of Concept:* The following APIs lack proper authorization checks:  
  
- GET /schedules?profileId=xxxxxxx  
- POST /schedules  
- PUT /schedules/yyyyyyyy  
- DELETE /schedules/zzzzzzz  
  
This means that any CUJO customer could carry out the following malicious  
activities:  
  
- Remote enumeration of arbitrary users' schedules, ProfileIDs and AgentIDs.  
- Remote creation of schedules for arbitrary users.  
- Remote deletion of arbitrary users' schedules.  
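As an added illustration (not part of this advisory and not CUJO's code), the handler pattern behind the defect above beside its hardened form: a hypothetical in-memory schedules service where the vulnerable routes authenticate the caller but never check that `profileId`, or the schedule being deleted, belongs to the caller's account. Account, profile and schedule identifiers are constructed sample values; the PUT route would follow the same ownership pattern as the delete.

```python
from dataclasses import dataclass

@dataclass
class Schedule:
    id: str
    profile_id: str
    pause_internet: bool

# Constructed sample data (hypothetical): two accounts, each owning one profile.
PROFILE_OWNER = {"p-alice": "acct-alice", "p-bob": "acct-bob"}
SCHEDULES = {
    "s-1": Schedule("s-1", "p-alice", False),
    "s-2": Schedule("s-2", "p-bob", True),
}

class Forbidden(Exception):
    """Caller is authenticated but does not own the requested resource."""

def _assert_owner(account_id, profile_id):
    # The check the vulnerable routes omit: the profile must belong to the
    # authenticated account. Mapping this to the same response as a missing
    # profile avoids confirming which profileId values exist.
    if PROFILE_OWNER.get(profile_id) != account_id:
        raise Forbidden(f"{account_id} does not own {profile_id}")

# Vulnerable: any authenticated account can read or delete anyone's schedules
# because profileId / schedule id are taken from the request and trusted.
def get_schedules_vulnerable(account_id, profile_id):
    return [s.id for s in SCHEDULES.values() if s.profile_id == profile_id]

def delete_schedule_vulnerable(account_id, schedule_id):
    return SCHEDULES.pop(schedule_id, None) is not None

# Hardened: object-level authorization on every /schedules route.
def get_schedules_fixed(account_id, profile_id):
    _assert_owner(account_id, profile_id)
    return [s.id for s in SCHEDULES.values() if s.profile_id == profile_id]

def create_schedule_fixed(account_id, schedule_id, profile_id, pause_internet):
    _assert_owner(account_id, profile_id)  # no schedules on someone else's profile
    SCHEDULES[schedule_id] = Schedule(schedule_id, profile_id, pause_internet)
    return schedule_id

def delete_schedule_fixed(account_id, schedule_id):
    sched = SCHEDULES.get(schedule_id)
    if sched is None:
        return False
    _assert_owner(account_id, sched.profile_id)  # ownership from the stored object
    del SCHEDULES[schedule_id]
    return True
```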
  
  
*See the video PoC for a detailed explanation:*  
https://www.youtube.com/watch?v=sjwAdNZotpg  
  
  
*Worst Case Scenario:*  
  
A malicious user could enumerate all existing users and, for each of them,  
create a new 24/7 schedule that will be automatically enabled and will  
automatically pause the internet. This amounts to a DoS attack, denying  
internet access to all devices under CUJO's "protection".  
A malicious user could also delete all existing schedules for  
all of CUJO's customers.  
  
*Some Stats:* While I was there... I tried enumerating with Intruder  
around 100,000 profiles in order to get an idea of CUJO customers'  
lifestyles... here are some funny ones (click on the image to enlarge).  
  
  
<https://3.bp.blogspot.com/-5b9Dqkwm1nU/XE9wUHBHycI/AAAAAAAAAAQ/ihgyto1M6nkD-BKb9mbJ-MP2_iXJNX0FQCLcBGAs/s1600/schedules_1_REDACTED.png>  
  
Nonetheless, I wanted to get a feeling for how many activated CUJO Firewalls are out  
there that could be impacted by the API vulnerabilities above...  
and since a customer could have multiple profiles per CUJO... I had to  
sort unique some data... and voilà: 7011 CUJOs out there (at least).  
  
<https://4.bp.blogspot.com/-sdPtgQKClTw/XE9wREz9I-I/AAAAAAAAAAU/LEY-gV5V9VQCpjmbDnqLqJ1ZTh7lnhI3wCEwYBhgL/s1600/Unique_enumerated_CUJOs.JPG>  
  
  
*Vendor Contact Timeline:*  
  
*2019-01-28 - 11:00 UTC:* Vendor is notified by email to the CEO &  
Support, with a 90-hour deadline before full disclosure.  
*2019-01-28 - 15:00 UTC:* CEO confirms the vulnerability and confirms that a  
hotfix has been deployed in PROD.  
*2019-01-29:* Recheck & public release of the security advisory.  
`
