SEC Consult Vulnerability Lab Security Advisory < 20150514-0 >
=======================================================================
              title: Multiple vulnerabilities
            product: Loxone Smart Home
 vulnerable version: Firmware version <6.4.5.12
      fixed version: 6.4.5.12
             impact: Critical
           homepage: http://www.loxone.com
              found: 2015-03-12
                 by: Johannes Greil (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Berlin - Frankfurt/Main - Montreal - Singapore
                     Vienna (HQ) - Vilnius - Zurich

                     https://www.sec-consult.com

=======================================================================

Vendor & product description:
-----------------------------
"Loxone Electronics was founded in 2009. Our focus is the development and
production of control solutions for all homes. Our aim is to make home
automation interesting, affordable and accessible for everyone."

URL: http://www.loxone.com/enus/company/about-us.html


Business recommendation:
------------------------
Most of the issues previously identified (see SEC Consult security advisory
SA-20150227-0) seem not to have been fixed properly and are still exploitable
either directly or by easily bypassing implemented measures. A very short
crash-test of only a few hours even resulted in new vulnerabilities.

The Loxone smart home has multiple design and implementation flaws which
combined could be used by an attacker to:
    1) remotely cause a denial of service condition which renders the smart
       home unusable which would effectively disable any Loxone-controlled
       alarm system,
    2) steal the user's credentials for the management interface and fully
       control the smart home,
    3) execute JavaScript code in the user's browser for further attacks,
    4) control arbitrary devices connected to the system, e.g. switch on/off
       lights, remotely open doors or garages, disable alarm system, etc.,
    5) gain access to admin passwords of Loxone partners (e.g. electricians
       who are implementing the smart home solution at customers) and
       completely take over other smart homes of the same Loxone partner!

It is recommended by SEC Consult not to use this smart home system until a
thorough security analysis (white box) of all components has been performed by
security professionals, as a very short crash test (Blackbox) already resulted
in critical vulnerabilities.


Vulnerability overview/description:
-----------------------------------
1) Cross-site request-forgery (XSRF)
The system is vulnerable to XSRF attacks. If an attacker is able to lure a user
into clicking a crafted link or by embedding such a link within web pages (e.g.
discussion forums) he could control arbitrary functions within the smart home
system.
All functions can be controlled via web based commands, e.g. in order to switch
on lights, remotely open doors or garages, disable the alarm system, etc.

This can still be exploited in the current Loxone version and it does not seem
to be fixed properly.


2) HTTP Response Splitting / Header injection
The web server of the Loxone smart home system is vulnerable to HTTP response
splitting attacks. If an attacker is able to lure a user into clicking a
crafted link (e.g. just by clicking a URL in a discussion forum or
phishing email) he could arbitrarily manipulate the server's response (e.g.
injection of JavaScript code).

This can still be exploited in the current Loxone version and it does not seem
to be fixed properly. The implemented measures/filters can be easily bypassed
using double-encoded payloads.

This attack is not limited to the admin interface, it can be exploited in any
path of the webserver.

SEC Consult has verified this attack in the most current versions of Mozilla
Firefox and Google Chrome web browsers.


3) Reflected cross-site scripting (XSS) vulnerability
The web interface of Loxone smart home is vulnerable to reflected cross-site
scripting attacks. If an attacker is able to lure a user into
clicking a crafted link (e.g. just by clicking a URL in a discussion forum or
phishing email) he could execute arbitrary JavaScript code in the user's
browser. Thereby he could steal the user's credentials or control arbitrary
devices within the smart home system. To exploit this vulnerability it isn't
mandatory for the user to be authenticated. Unauthenticated XSS vulnerabilities
exist as well (by exploiting the HTTP Response Splitting vulnerability
described in 2) as authenticated ones.

SEC Consult has verified this attack in the most current versions of Mozilla
Firefox and Google Chrome web browsers.


4) Denial of service
An attacker could perform a denial of service attack with simple measures, such
as synflood attacks. During such an attack the system isn't accessible via the
network and can't be controlled anymore which also means that alarm systems
won't work!

This can still be exploited in the current Loxone version and it does not seem
to be fixed properly. The miniserver was not reachable during the attack and
rebooted after a short while (a few seconds) when running the attack (depending
on the bandwidth).

Furthermore, other new DoS attack vectors have been identified, which crash the
web interface and are not related to the bandwidth network attacks.


5) Decrypted Loxone config passwords in memory
The "Loxone Config" programming software for the Loxone smart home allows saving
the whole configuration into a XML file for backup or for user support (e.g. via
ticketing system or discussion forum). This XML config file contains usernames
and passwords of all configured users (admin or non-admin with different access
levels).

Loxone partners (e.g. electricians who are implementing the smart home at
customers) may also send such config files to their customers or provide end
users admin level access with different admin user accounts. The password of
the Loxone partner's admin account is usually not shared and should be kept
a secret.

The passwords are stored encrypted (not hashed!) within the config file and are
immediately decrypted in memory upon opening such a config file by the Loxone
Config software. Access to the Loxone miniserver is not needed!

An attacker exploiting this issue is able to gain access to the admin password
of the Loxone partner! This is especially critical if the same password is being
used in different customer installations. Attackers (e.g. one customer of the
Loxone partner) can then directly manipulate or control other Loxone smart homes
of the same Loxone partner!


Proof of concept:
-----------------
1) Cross site request forgery (XSRF)

This can still be exploited in the current Loxone version and it does not seem
to be fixed entirely. As an example, the alarm system of the Loxone "demo case"
can be disabled via this XSRF payload in case the admin has previously been
authenticated for the web services and is surfing with the same web browser:
  <html>
  <img src=http://$ip/dev/sps/io/Alarmanlage/off></img>
  </html>


2) HTTP Response Splitting / Header injection

The following payload only works by accessing the web interface when a user is
_not_ authenticated which will be most of the time in regular use cases. This
makes successful exploitation more easy.

The WWW-Authenticate header is not properly sanitized and uses the URI for the
"Basic realm" input. Any payload within the URL will be added to the realm. It
is possible to inject new headers or manipulate the response body in order to
inject arbitrary HTML/JavaScript code (Response splitting / Header injection).

The following URL demonstrates this issue and injects some HTML/JavaScript code
(combined XSS attack) that generates a popup as an example:

    http://$ip/%2522%250aContent-Type:%20text%252fhtml%250a%250a%253chtml%253e%253cscript%253ealert%28123%29%253c%252fscript%253e%253c%252fhtml%253e


An attacker who is able to trick a user into clicking this link (e.g. phishing
email or discussion forum) will for example be able to re-create the login page
of the Loxone miniserver device and trick a user into sending username/password
to an attacker-controlled server.


3) Reflected cross-site scripting (XSS) vulnerability

To reproduce this behavior it is sufficient to open the following URL as an
authenticated user (or social engineer the victim to enter the credentials when
prompted), which will show a popup message and turn on the LED light of the
Loxone demo case. The payload uses double-encoded values in order to bypass the
previously incorrectly implemented filters:

    http://$ip/dev/sps/io/%2522%253E%253Cscript%2520xmlns=%2527http:%25
    26%2523x2f%253B%2526%2523x2f%253Bwww.w3.org/1999/xhtml%2527%253Ealert%2528%2527
    you%2520got%2520p0wned%2520again%2527%2529%253b%2520r=new%2520XMLHttpRequest
    %2528%2529;%2520r.open%2528%2527GET%2527,%2527/dev/sps/io/MK_T5/on%2527,true%2529;%2520r.send%2528%2529;%253C/script%253E



4) Denial of service

Running the following command will keep the miniserver in a non-responsive state
after a few seconds (depending on the bandwidth) and it will not recover until
the attack is stopped (it will reboot afterwards). During this attack, nothing
can be controlled anymore (no switch of the demo case worked):
    hping3 -S --flood -p 80 $ip

Furthermore, the following HTTP request (sometimes it is necessary to send it a
few times) renders the web interface itself unusable. It is not possible
anymore to control the smart home as the web interface does not work properly
anymore, e.g. afterwards connection reset/unreachable errors or login errors
occur although the password has been correctly entered in the web interface,
etc.):

    GET /index.html HTTP/1.1
    Host: foo
    Sec-WebSocket-Key1: foo

A reboot is necessary in order to make the web interface work again.


5) Decrypted Loxone config passwords in memory
This vulnerability can be easily verified when dumping the memory of the
attacker's system which every local attacker has access to if he wants to gain
access to passwords of his Loxone partner or other configuration files
published by users on the Internet!

It has been verified by installing Loxone Config in a virtual environment
(VirtualBox) and using the following command to gain access to the memory:

    VBoxManage debugvm $vmname dumpguestcore --filename dump

Upon opening the config file (e.g. of any Loxone partner or other end user who
has published his configuration at the discussion forum) the Loxone Config
software will immediately decrypt the passwords and keep them unencrypted in
memory. The encryption key is suspected to be the same for all Loxone Config
installations, but this has not been verified (no reverse engineering of
Loxone Config has been performed). Access to the miniserver is not needed, it
is simply enough to open the configuration file.

The decrypted passwords of all users can be easily found in the dumped memory
when searching for the username.


Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in firmware version 6.3.3.11 of
the Loxone smart home, which was the most recent version at the time of discovery.

It is assumed that all previous firmware versions are affected as well.


Vendor contact timeline:
------------------------
2015-03-13: Contacting vendor through email, sending responsible disclosure
            policy, defining release deadline (4th May), asking for encryption keys
2015-03-13: Vendor: no encryption available; sending advisory unencrypted
2015-03-19: Answering question of Loxone regarding CSRF attacks
2015-04-16: Asking for status update: Vendor asks to delay disclosure until
            14th May
2015-05-13: Updated firmware v6.4.5.12 available
2015-05-14: SEC Consult releases security advisory


Solution:
---------
According to the vendor the firmware version v6.4.5.12 fixes the identified
security issues.

It can be downloaded at the following URL and should be installed immediately
in order to increase the level of security:
http://www.loxone.com/tl_files/loxone/downloads/config/Loxone-Config-6.4.5.12.zip


Workaround:
-----------
Only connect to your miniserver via secure VPN and disable any port forwardings.
Use an isolated PC (browser) to control the smart home and do not surf on the
web while being logged in to the miniserver web interface.
Use different passwords for all installations and don't reuse them.


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Berlin - Frankfurt/Main - Montreal - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Johannes Greil / @2015