what you don't know can hurt you

CUJO Firewall User Enumeration / Authorization Bypass

CUJO Firewall User Enumeration / Authorization Bypass
Posted Feb 2, 2019
Authored by CUJ0 FAIL

CUJO Firewall suffered from authorization bypass, denial of service, and user enumeration vulnerabilities.

tags | exploit, denial of service, vulnerability, bypass
MD5 | a776aca0dd2b5d8fb4f09e13e4eceda3

CUJO Firewall User Enumeration / Authorization Bypass

Change Mirror Download
 *TL;DR:* Despite CUJO Firewall is a cute device and quite challenging to
break from hardware hacking point of view... the APIs (which are just a
click away, once bypassed pinning and apk's obfuscation) suffer of
authorization bypass issues.
An attacker could easily enumerate all existing users, and for each of
them, create a new 24/7 schedule that will be automatically enabled and
will automatically pause internet.
Which will end up into a DoS attack by denying internet access to all
devices under CUJOas aprotectiona.
Nonetheless, a malicious user could also delete all existing schedules for
all CUJO's customers.

*Vendor Description:*
aCUJO is an intelligent firewall which aims to protect your connected home
from online threats. From desktops to mobiles, tablets to smart TVs, CUJO
monitors all network activity to keep you safe from harm.
Once set up, CUJO <https://www.getcujo.com/> acts as a gateway between your
devices and the outside world. It checks devices as they connect to your
network, analyzes packets as they leave and arrive, looks for attempts to
access malware command-and-control servers and tests for man-in-the-middle
attacks. Threats are blocked automatically, although you can also see and
control some of what's happening via iOS and Android apps.
CUJO is much more than a simple hardware firewall. A lot of its processing
is carried out in the cloud, where it analyzes metadata from your network
connections, checks for problems and instructs your device to block any
threats. This reduces the load on CUJO's own processor, and makes it easier
for the system to detect brand-new dangers.
Simple device-level parental controls are thrown in as a bonus, allowing
you to block access to websites by type. There is no need to install
software on the clients, everything is managed from CUJO and its apps.a from
https://www.techradar.com/reviews/cujo


[image: image.png]
*Operational Overview & Prologue:*
CUJO solution is composed of three different entities:

- *CUJO Mobile App: *Obfuscated APK/IPA with Certificate Pinning, used
to register and configure the CUJO Firewall.
- *CUJO Firewall:* a physical device based on Octeon MIPS CPU** with
dual gigabit ethernet NICs.
- *CUJO Cloud: *server side infrastructure that acts as relay for all
communications between the app and the device itself.


[image: image.png]
For each CUJOas account, multiple profiles can be created. And each profile
may contain multiple schedules.The schedules can define:

- When it will take effect (e.g. hourly, daily, only on certain days,
etc.)
- A specific rule (e.g. blocking websites categories, a specific list of
domains, etc.)
- If pausing internet or not (e.g. blocking all traffic)

*Proof of Concept:* The following APIs lack of proper authorization checks:

- GET /schedules?profileId=xxxxxxx
- POST /schedules
- PUT /schedules/yyyyyyyy
- DELETE /schedules/zzzzzzz

Which means that any CUJO customer could conduct the following malicious
activities:

- Remote Arbitrary Users' Schedules, ProfileIDs and AgentIDs Enumeration.
- Remote Arbitrary Users' Schedules Creation.
- Remote Arbitrary Users' Schedules Deletion.


*See Video PoC for a Detailed Explanation:
https://www.youtube.com/watch?v=sjwAdNZotpg
<https://www.youtube.com/watch?v=sjwAdNZotpg>*


*Worst Case Scenario:*

A malicious user could enumerate all existing users, and for each of them,
create a new 24/7 schedule that will be automatically enabled and will
automatically pause internet. Which will end up into a DoS attack by
denying internet access to all devices under CUJOas aprotectiona.
Nonetheless, a malicious user could also delete all existing schedules for
all CUJO's customers.

*Some Stats:* Meanwhile I was there... I tried enumerating with intruder
around 100.000 Profiles in order to have an idea of CUJO's customers
lifestyles... here some funny ones (click on the image to enlarge).


<https://3.bp.blogspot.com/-5b9Dqkwm1nU/XE9wUHBHycI/AAAAAAAAAAQ/ihgyto1M6nkD-BKb9mbJ-MP2_iXJNX0FQCLcBGAs/s1600/schedules_1_REDACTED.png>

Nonetheless, I wanted to have a feeling of how many CUJOs Firewall are out
there activated that could be impacted by the API vulnerabilities above...
and since a customer could have multiple profiles per each CUJO... I had to
sort unique some data... and voila': 7011 CUJOs out there (at least).

<https://4.bp.blogspot.com/-sdPtgQKClTw/XE9wREz9I-I/AAAAAAAAAAU/LEY-gV5V9VQCpjmbDnqLqJ1ZTh7lnhI3wCEwYBhgL/s1600/Unique_enumerated_CUJOs.JPG>


*Vendor Contact Timeline:*

*2019-01-28 - 11:00 UTC:* Vendor is notified through email to CEO &
Support. With a 90 hours deadline before Full-Disclosure.
*2019-01-28 - 15:00 UTC:* CEO confirms the vulnerability and confirms has
been deployed a hotfix in PROD.
*2019-01-29:* Recheck & Public Release of Security Advisory.
Login or Register to add favorites

File Archive:

March 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    19 Files
  • 2
    Mar 2nd
    15 Files
  • 3
    Mar 3rd
    30 Files
  • 4
    Mar 4th
    13 Files
  • 5
    Mar 5th
    0 Files
  • 6
    Mar 6th
    0 Files
  • 7
    Mar 7th
    0 Files
  • 8
    Mar 8th
    0 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    0 Files
  • 12
    Mar 12th
    0 Files
  • 13
    Mar 13th
    0 Files
  • 14
    Mar 14th
    0 Files
  • 15
    Mar 15th
    0 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    0 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close