exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Loxone Smart Home CSRF / XSS / DoS / Credential Leakage

Loxone Smart Home CSRF / XSS / DoS / Credential Leakage
Posted Feb 28, 2015
Authored by Daniel Schwarz | Site sec-consult.com

Loxone Smart Home versions prior to 6.3 suffer from cross site request forgery, cross site scripting, poor credential handling, unencrypted transport, denial of service, and various other vulnerabilities.

tags | exploit, denial of service, vulnerability, xss, csrf
SHA-256 | 02c29ae33d4acb1828256438a75351814733be4ec3b4087cf344e27f99e97071

Loxone Smart Home CSRF / XSS / DoS / Credential Leakage

Change Mirror Download
SEC Consult Vulnerability Lab Security Advisory < 20150227-0 >
=======================================================================
title: Multiple vulnerabilities
product: Loxone Smart Home
vulnerable version: Firmware: 5.49; Android-App: 3.4.1
fixed version: 6.3
impact: High
homepage: http://www.loxone.com
found: 2014-07-02
by: Daniel Schwarz (Office Vienna)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Berlin - Frankfurt/Main - Montreal - Singapore
Vienna (HQ) - Vilnius - Zurich

https://www.sec-consult.com

Manuel Deticek, Alexander Inführ, Robert Pölzelbauer
FH-St.Pölten - Institut für IT Sicherheitsforschung
http://www.fhstp.ac.at

=======================================================================

Vendor & product description:
-----------------------------
"Loxone Electronics was founded in 2008. Our focus is the development and
production of control solutions for all homes. Our aim is to make home
automation interesting, affordable and accessible for everyone."

URL: http://www.loxone.com/enus/company/about-us.html

"The Loxone Smart Home gives the owner full control of every device or
task using a wall switch, phone or smart tablet. Control and automte
areas such as: Lighting, Climate, Security, Audio/Video, Shading, and
event Pool and irrigation systems. Your system will adapt all areas of
your home providing complete smart home automation."

URL: http://www.loxone.com/enus/smart-home/overview.html


Business recommendation:
------------------------
The Loxone Smart Home has multiple design and implementation
flaws which could be used by an attacker to:
1) cause a denial of service,
2) steal the user's credentials,
3) execute JavaScript code in the user's browser or
4) control arbitrary devices connected to the system.

It is recommended by SEC Consult not to use this system until a thorough
security review has been performed by security professionals and all identified
issues have been resolved.



Vulnerability overview/description:
-----------------------------------
1) Unencrypted data-transmission
All available communication is unencrypted and could therefore get intercepted
and manipulated by a man-in-the-middle attacker. This enables an attacker to
control every device within the smart home system. Furthermore a plaintext
authentication mechanism is supported which enables an attacker to steal
user-credentials.

2) Missing state-of-the-art http-header
The http-headers set doesn't comply with the current state-of-the-art.
Therefore it is possible to embed the webinterface within an iframe and misuse
it for phishing attacks. Furthermore no CSP-Headers are set in order to prevent
cross-site scripting attacks.

3) Cross-site request-forgery (XSRF)
The system is vulnerable to XSRF attacks. If an attacker is able to lure a user
into clicking a crafted link or by embedding such a link within web pages (e.g.
discussion forums) he could control arbitrary devices within the smart home
system.

4) HTTP Response Splitting
The backend of the smart home system is vulnerable to HTTP response splitting
attacks. If an attacker is able to lure a user into clicking a crafted link he
could arbitrarily manipulate the server's response (e.g. injection of
JavaScript code).

5) Multiple reflected cross-site scripting (XSS) vulnerabilities
The admin webinterface of Loxone Smart Home is vulnerable to multiple reflected
cross-site scripting attacks. If an attacker is able to lure a user into
clicking a crafted link he could execute arbitrary JavaScript-code in the
user's browser. Thereby he could steal the user's credentials or control
arbitrary devices within the smart home system. To exploit this vulnerability
it isn't mandatory for the user to be authenticated. Unauthenticated XSS
vulnerabilities exist as well (by exploiting the HTTP Response Splitting
vulnerability described in 4) as authenticated ones.

6) Stored cross-site scripting vulnerability
Beside the already mentioned reflected XSS vulnerabilities the Loxone Smart
Home System also contains a stored XSS vulnerability. An authenticated attacker
is able to persistently inject JavaScript code in the user webinterface. This
code gets executed in the context of other users at every login as well as by
calling a certain functionality of the webinterface. The injection of the code
itself could either be done via the webinterface or could also be conducted
through the already mentioned XSRF vulnerability. Therefore it is not necessary
for the attacker to login explicitly. After circumventing some
filtering-obstacles an attacker for example could be able to automatically
disable a connected alarm-system everyday at midnight.

7) Insecure storage of credentials by the remember-me function
The user webinterface contains a remember-me functionality which stores the
user credentials in an insecure way. Basically they get stored encrypted, but
the key could be requested unauthenticated by everyone. In combination with
one of the already mentioned XSS vulnerabilities it is possible to steal the
user credentials without the user's notice.

8) Credentials stored in cleartext on Android devices
The user credentials get stored in cleartext after the first login via the
Loxone Android app. On a rooted device the credentials could get stolen (e.g.
by malware). The user has to manually "Logout" or clear the configuration to
delete the credentials from the app storage.

9) Denial of service
An attacker could perform a denial of service attack with simple measures (e.g.
synflood, etc.). During and after such an attack the system isn't accessible
via the network interface and couldn't be controlled anymore. Furthermore the
system doesn't recover after the attack and has to be manually restarted in
order to work properly.


Proof of concept:
-----------------
1) Unencrypted data-transmission

The proof of concept code has been removed since no fix is available to
mitigate this issue.


2) Missing state-of-the-art http-header

The proof of concept code has been removed since no fix is available to
mitigate this issue.


3) Cross-site request-forgery (XSRF)

Basically all devices are controlled by websocket-requests.
E.g. turn on the alarm-system:
jdev/sps/io/32a4981e-f5af-11e1-8d4ac9ef1f112e83/on

In addition all devices could be controlled by http-basic authenticated
GET-requests. An attacker just has to lure a user who is authenticated against
the admin interface into clicking the following link in order to disable the
device with the id '32a4981e-f5af-11e1-8d4ac9ef1f112e83':

http://<server-ip>/dev/sps/io/32a4981e-f5af-11e1-8d4ac9ef1f112e83/off

Within the official democase, this device is the alarm system.
In accordance to the vendor this vulnerability is basically fixed in version
6.3. It is just possible to alter the ip address of the Smart Home System via
this technique, but it should not be possible to control attached devices any more.


4) HTTP Response Splitting

Some parts of a request's URL get returned unescaped within the response's
authentication-realm. It is possible to cut off the current response-header by
injecting the string "%0D%0A%0D%0A". Afterwards a new arbitrary response body
could be appended (e.g. some JavaScript code). To reproduce this behaviour it
is sufficient to open the following URL as an unauthenticated user:

http://<server-ip>/dev/cfg/version%0D%0A%0D%0A%3Chtml%3E%3Cscri
pt%3Ealert%28%27XSS%27%29%3C/script%3E%3C/html%3E

The server answers with the following response and the injected JavaScript
code gets executed:

HTTP/1.1 401 Unauthorized
Server: Loxone 5.49.3.4
WWW-Authenticate: Basic realm="dev/cfg/version
<html><script>alert('XSS')</script><"
Content-Type: text/html
Content-Length: 93
Connection: close
<html><head><title>Loxone Miniserver
error</title></head><body>401 Unauthorized</body></html>

According to the vendor this issue is basically fixed in version 6.3.


5) Multiple reflected cross-site scripting (XSS) vulnerabilities

To reproduce this behavior it is sufficient to open the following URL as an
http-authenticated admin user (or enter the credentials when prompted), which will
show a popup message and turns on the LED-lights of the loxone democase:

http://<server-ip>/dev/sps/io/%22%3E%3Cscript%20xmlns=%27http:%
26%23x2f%3B%26%23x2f%3Bwww.w3.org/1999/xhtml%27%3Ealert%28%27
you%20got%20p0wned%20again%27%29%3b%20r=new%20XMLHttpRequest
%28%29;%20r.open%28%27GET%27,%27/dev/sps/io/c447fcde-f5aa-11e1-
b157c9ef1f112e83/AI1/on%27,true%29;%20r.send%28%29;%3C/script%3E

The server answers with the following response:
HTTP/1.1 200 OK
Server: Loxone 5.49.3.4
Content-Type: text/xml
Content-Length: 301
Keep-Alive: timeout=10, max=1000
Connection: Keep-Alive
<?xml version="1.0" encoding="utf-8"?>
<LL control="dev/sps/io/"><script
xmlns='http:&#x2f;&#x2f;alert'>alert'>www.w3.org/1999/xhtml'>alert('you
got p0wned again'); r=new XMLHttpRequest();
r.open('GET','/dev/sps/io/c447fcde-f5aa-11e1-
b157c9ef1f112e83/AI1/on',true); r.send();</script>" value=""
Code="500"/>

According to the vendor this issue is basically fixed in version 6.3.


6) Stored cross-site scripting vulnerability

It is possible to permanently store JavaScript code within the backend of the
smart home system. This could be achieved by injecting the code in the
description field of a new task, created in the webinterface.
In combination with the XSRF vulnerability described in 3, this could also be
done by sending the following request:

http://<server-ip>/dev/sps/addcmd/2015-12-
24%2023:59:00/innocent_testtask%20%3Csvg%20onload=alert%281%29%3
E/32a4981e-f5af-11e1-8d4ac9ef1f112e83/off

This payload creates a task which switches off the alarm system at 2015-12-24
23:59. Additionally the description field contains the injected JavaScript
payload. This payload gets executed everytime a user logs in to the
webinterface or explicitly opens the tasklist.

According to the vendor this issue is basically fixed in version 6.3.


7) Insecure storage of credentials by the remember-me function

The proof of concept code has been removed since no fix is available to
mitigate this issue.


8) Credentials stored in cleartext on android-devices

The proof of concept code has been removed since no fix is available to
mitigate this issue.


9) Denial of service

The primary denial of service attack was conducted by simply running the
metasploit-module "synflood".

Furthermore it was possible to cause a denial of service in various other ways,
e.g. by running a Nmap scan or by sending malformed http-requests (e.g. if
"HTTP/1.1" is missing in several requests, the following correct requests don't
get processed correctly).

According to the vendor this issues are basically fixed in version 6.3.


Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in Loxone Smart Home,
Firmware-Version 5.49 (official Democase) and Loxone Android App 3.4.1 which
were the most recent versions at the time of discovery.

Older versions or versions between 5.49 and the current fixed version 6.3 have
not been tested and may be affected as well.



Vendor contact timeline:
------------------------
The initial vendor contact was performed by the cooperation partner polytechnic
university St. Pölten, Austria [FH STP].

2014-08-11: Contacting vendor through email [FH STP]
2014-09: Release of updated firmware version 6.0
2014-12-19: Coordination between vendor and SEC Consult regarding planned advisory
and current state of vulnerabilities by phone and email
2015-01-16: Coordination between vendor and SEC Consult regarding planned advisory
and current state of vulnerabilities by phone
2015-02-03: Coordination between vendor and SEC Consult regarding planned advisory
and current state of vulnerabilities by email
2015-02-25: Release of updated firmware version 6.3
2015-02-27: Release of security advisory


Solution:
---------
Update to the latest availble firmware version (6.3):
http://www.loxone.com/enus/service/downloads.html

The vendor claimed that most of the vulnerabilities have been fixed since
version 6.3.
The following vulnerabilities haven't been fixed yet:
1) Unencrypted data-transmission
2) Missing state-of-the-art http-header
7) Insecure storage of credentials by the remember-me function (will be
fixed in version 6.4)
8) Credentials stored in cleartext on android-devices

These statements were not verified by SEC Consult.


Workaround:
-----------
No workaround available.


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Berlin - Frankfurt/Main - Montreal - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Daniel Schwarz / @2015

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close