CUJO Firewall User Enumeration / Authorization Bypass

Posted Feb 2, 2019
Authored by CUJ0 FAIL

CUJO Firewall suffered from authorization bypass, denial of service, and user enumeration vulnerabilities.

tags | exploit, denial of service, vulnerability, bypass
SHA-256 | 874d284b708ea0a860f6d787574d6004f8e3f7f3b42c148d295e561e2dd2ae32

*TL;DR:* Although the CUJO Firewall is a cute device and quite challenging to
break from a hardware-hacking point of view, its APIs (which are just a click
away once certificate pinning and the APK's obfuscation are bypassed) suffer
from authorization bypass issues.
An attacker could easily enumerate all existing users and, for each of them,
create a new 24/7 schedule that is automatically enabled and automatically
pauses internet access. The result is a denial of service: every device under
CUJO's "protection" loses internet access.
A malicious user could likewise delete all existing schedules of all CUJO
customers.

*Vendor Description:*
"CUJO is an intelligent firewall which aims to protect your connected home
from online threats. From desktops to mobiles, tablets to smart TVs, CUJO
monitors all network activity to keep you safe from harm.
Once set up, CUJO <https://www.getcujo.com/> acts as a gateway between your
devices and the outside world. It checks devices as they connect to your
network, analyzes packets as they leave and arrive, looks for attempts to
access malware command-and-control servers and tests for man-in-the-middle
attacks. Threats are blocked automatically, although you can also see and
control some of what's happening via iOS and Android apps.
CUJO is much more than a simple hardware firewall. A lot of its processing
is carried out in the cloud, where it analyzes metadata from your network
connections, checks for problems and instructs your device to block any
threats. This reduces the load on CUJO's own processor, and makes it easier
for the system to detect brand-new dangers.
Simple device-level parental controls are thrown in as a bonus, allowing
you to block access to websites by type. There is no need to install
software on the clients, everything is managed from CUJO and its apps." From
https://www.techradar.com/reviews/cujo


*Operational Overview & Prologue:*
The CUJO solution is composed of three entities:

- *CUJO Mobile App:* obfuscated APK/IPA with certificate pinning, used
to register and configure the CUJO Firewall.
- *CUJO Firewall:* a physical device based on an Octeon MIPS CPU with
dual gigabit Ethernet NICs.
- *CUJO Cloud:* server-side infrastructure that relays all
communications between the app and the device itself.


For each CUJO account, multiple profiles can be created, and each profile
may contain multiple schedules. A schedule defines:

- When it takes effect (e.g. hourly, daily, only on certain days, etc.)
- A specific rule (e.g. blocking website categories, a specific list of
domains, etc.)
- Whether to pause the internet (i.e. block all traffic)

*Proof of Concept:* The following APIs lack proper authorization checks:

- GET /schedules?profileId=xxxxxxx
- POST /schedules
- PUT /schedules/yyyyyyyy
- DELETE /schedules/zzzzzzz

Any authenticated customer can supply another customer's profileId or
schedule id in these requests; nothing ties those identifiers to the caller's
own account. This means that any CUJO customer could carry out the following
malicious activities:

- Remote enumeration of arbitrary users' schedules, profileIds and agentIds.
- Remote creation of schedules for arbitrary users.
- Remote deletion of arbitrary users' schedules.
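The check these handlers are missing is object-level authorization: after authenticating the caller, each handler must also verify that the profileId or schedule id in the request belongs to the caller's account. What follows is an added example, not CUJO's code. It models the four endpoints above over an in-memory store with constructed account names, profile and schedule IDs (the real API's request format is not known from this advisory), and runs the abuses listed above against both a vulnerable and a fixed configuration:

```python
"""Object-level authorization for a /schedules-style API (added example, not
CUJO's code).  Models the four endpoints from the advisory over an in-memory
store in which profiles belong to accounts and schedules belong to profiles.
All names, IDs and schedule fields are constructed for illustration."""
from dataclasses import dataclass

class NotFound(Exception):
    """404: the object is absent, or the caller may not learn that it exists."""

@dataclass
class Profile:
    id: str
    account_id: str  # owning customer account
    agent_id: str    # the CUJO device this profile lives on

@dataclass
class Schedule:
    id: str
    profile_id: str
    pause_internet: bool
    enabled: bool = True

class SchedulesApi:
    """`caller` is the account id behind an already-validated session token.
    With enforce_ownership=False the handlers behave as the advisory
    describes: any authenticated customer can act on any profileId or
    schedule id."""

    def __init__(self, profiles, schedules, enforce_ownership):
        self.profiles = profiles        # profile id -> Profile
        self.schedules = schedules      # schedule id -> Schedule
        self.enforce_ownership = enforce_ownership
        self._seq = len(schedules)      # for minting new schedule ids

    def _profile_for(self, caller, profile_id):
        profile = self.profiles.get(profile_id)
        if profile is None:
            raise NotFound(profile_id)
        if self.enforce_ownership and profile.account_id != caller:
            # Same response as a missing object, so the check cannot serve as
            # an existence oracle for enumerating other customers' profileIds.
            raise NotFound(profile_id)
        return profile

    def _schedule_for(self, caller, schedule_id):
        schedule = self.schedules.get(schedule_id)
        if schedule is None:
            raise NotFound(schedule_id)
        self._profile_for(caller, schedule.profile_id)  # ownership via parent
        return schedule

    def get_schedules(self, caller, profile_id):  # GET /schedules?profileId=...
        self._profile_for(caller, profile_id)
        return [s for s in self.schedules.values() if s.profile_id == profile_id]

    def post_schedule(self, caller, profile_id, pause_internet):  # POST /schedules
        self._profile_for(caller, profile_id)
        self._seq += 1
        schedule = Schedule(f"sch-{self._seq}", profile_id, pause_internet)
        self.schedules[schedule.id] = schedule
        return schedule

    def put_schedule(self, caller, schedule_id, enabled):  # PUT /schedules/<id>
        schedule = self._schedule_for(caller, schedule_id)
        schedule.enabled = enabled
        return schedule

    def delete_schedule(self, caller, schedule_id):  # DELETE /schedules/<id>
        self._schedule_for(caller, schedule_id)
        del self.schedules[schedule_id]

def seed():
    """Two customers with one profile each; alice already has schedule sch-1."""
    profiles = {"p-1001": Profile("p-1001", "alice", "agent-A"),
                "p-1002": Profile("p-1002", "mallory", "agent-M")}
    schedules = {"sch-1": Schedule("sch-1", "p-1001", pause_internet=False)}
    return profiles, schedules

def attack(enforce_ownership):
    """mallory tries the advisory's abuses against alice's profile.  Returns
    which attempts succeeded, plus whether alice can still manage her own
    profile afterwards (she must be able to in both configurations)."""
    api = SchedulesApi(*seed(), enforce_ownership)
    attempts = {
        "read_other_profile": lambda: api.get_schedules("mallory", "p-1001"),
        "created_pause_schedule": lambda: api.post_schedule("mallory", "p-1001", True),
        "disabled_other_schedule": lambda: api.put_schedule("mallory", "sch-1", False),
        "deleted_other_schedule": lambda: api.delete_schedule("mallory", "sch-1"),
    }
    result = {}
    for name, attempt in attempts.items():
        try:
            attempt()
            result[name] = True
        except NotFound:
            result[name] = False
    api.post_schedule("alice", "p-1001", False)
    result["owner_still_works"] = len(api.get_schedules("alice", "p-1001")) > 0
    return result
```

`attack(False)` reports every abuse as successful; `attack(True)` reports none, while alice keeps full control of her own profile. Note that the fixed handlers answer a foreign profileId with the same 404 they give a nonexistent one: a distinct 403 would tell an attacker which profileIds exist, which is exactly the information the enumeration in this advisory harvested.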


*See the video PoC for a detailed explanation:*
https://www.youtube.com/watch?v=sjwAdNZotpg


*Worst Case Scenario:*

A malicious user could enumerate all existing users and, for each of them,
create a new 24/7 schedule that is automatically enabled and automatically
pauses internet access. This amounts to a DoS attack that denies internet
access to every device under CUJO's "protection".
A malicious user could likewise delete all existing schedules of all CUJO
customers.

*Some Stats:* While I was there... I tried enumerating around 100,000
profiles with Intruder in order to get an idea of CUJO customers'
lifestyles... here are some funny ones (click on the image to enlarge).

<https://3.bp.blogspot.com/-5b9Dqkwm1nU/XE9wUHBHycI/AAAAAAAAAAQ/ihgyto1M6nkD-BKb9mbJ-MP2_iXJNX0FQCLcBGAs/s1600/schedules_1_REDACTED.png>

I also wanted to get a feel for how many activated CUJO Firewalls are out
there that could be impacted by the API vulnerabilities above... and since a
customer could have multiple profiles per CUJO... I had to sort-unique some
data... and voilà: 7011 CUJOs out there (at least).

<https://4.bp.blogspot.com/-sdPtgQKClTw/XE9wREz9I-I/AAAAAAAAAAU/LEY-gV5V9VQCpjmbDnqLqJ1ZTh7lnhI3wCEwYBhgL/s1600/Unique_enumerated_CUJOs.JPG>
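Enumeration on this scale is conspicuous in the API's own access logs: a real customer only ever touches the few profiles on their own CUJO, while an Intruder run walks thousands of profileIds from a single session. The script below is an added example, not CUJO's code or tooling. The log line format, account names and profileIds are constructed; it flags any account that reads more distinct profileIds inside a one-minute window than a legitimate customer plausibly owns, and it deliberately ignores status codes, because after the authorization fix the same probing shows up as a stream of 404s and is still worth alerting on:

```python
"""Spotting profileId enumeration in API access logs (added example; the log
format, account names and profileIds are constructed, not CUJO's)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

LOG_RE = re.compile(r"^(?P<ts>\S+) account=(?P<account>\S+) (?P<method>[A-Z]+) "
                    r"(?P<path>\S+) status=(?P<status>\d+)$")
PROFILE_RE = re.compile(r"[?&]profileId=(\d+)")


def parse(line):
    """Return (epoch seconds, account, profileId), or None when the line does
    not match the format or carries no profileId."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    pm = PROFILE_RE.search(m["path"])
    if pm is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts.timestamp(), m["account"], pm.group(1)


def peak_distinct_profiles(events, window):
    """Largest number of distinct profileIds inside any `window`-second span.
    events: list of (epoch seconds, profileId) sorted by time."""
    counts, lo, best = Counter(), 0, 0
    for ts, pid in events:
        counts[pid] += 1
        while events[lo][0] < ts - window:  # drop events that left the window
            old = events[lo][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            lo += 1
        best = max(best, len(counts))
    return best


def flag_enumerators(lines, window=60, max_profiles=5):
    """Map each account whose peak distinct-profileId count within `window`
    seconds exceeds max_profiles to that peak.  max_profiles should sit above
    the number of profiles any single customer legitimately has."""
    by_account = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev is not None:
            ts, account, pid = ev
            by_account[account].append((ts, pid))
    flagged = {}
    for account, events in by_account.items():
        events.sort()
        peak = peak_distinct_profiles(events, window)
        if peak > max_profiles:
            flagged[account] = peak
    return flagged


def sample_log():
    """Constructed log: acct-7 manages its own two profiles; acct-99 walks
    40 consecutive profileIds in 40 seconds, as an Intruder run would."""
    lines = [
        "2019-01-27T10:00:00Z account=acct-7 GET /schedules?profileId=1000421 status=200",
        "2019-01-27T10:00:05Z account=acct-7 GET /schedules?profileId=1000422 status=200",
        "2019-01-27T10:00:09Z account=acct-7 POST /schedules status=201",
        "2019-01-27T10:00:30Z account=acct-7 GET /schedules?profileId=1000421 status=200",
    ]
    for i in range(40):
        lines.append(f"2019-01-27T10:00:{i:02d}Z account=acct-99 GET "
                     f"/schedules?profileId={1000001 + i} status=200")
    return lines


if __name__ == "__main__":
    print(flag_enumerators(sample_log()))  # {'acct-99': 40}
```

The sliding window matters more than the raw total: a customer who reconfigures profiles over a month also accumulates many distinct profileIds, but never dozens within a minute. Pair the alert with per-session rate limiting on these endpoints, so that even a successful bypass cannot be turned into a 100,000-profile sweep.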


*Vendor Contact Timeline:*

*2019-01-28 - 11:00 UTC:* Vendor notified by email to the CEO and Support,
with a 90-hour deadline before full disclosure.
*2019-01-28 - 15:00 UTC:* CEO confirms the vulnerability and confirms that a
hotfix has been deployed to production.
*2019-01-29:* Re-check and public release of the security advisory.
© 2022 Packet Storm. All rights reserved.
