SEC Consult Vulnerability Lab Security Advisory < 20150514-0 > ======================================================================= title: Multiple vulnerabilities product: Loxone Smart Home vulnerable version: Firmware version <6.4.5.12 fixed version: 6.4.5.12 impact: Critical homepage: http://www.loxone.com found: 2015-03-12 by: Johannes Greil (Office Vienna) SEC Consult Vulnerability Lab An integrated part of SEC Consult Berlin - Frankfurt/Main - Montreal - Singapore Vienna (HQ) - Vilnius - Zurich https://www.sec-consult.com ======================================================================= Vendor & product description: ----------------------------- "Loxone Electronics was founded in 2009. Our focus is the development and production of control solutions for all homes. Our aim is to make home automation interesting, affordable and accessible for everyone." URL: http://www.loxone.com/enus/company/about-us.html Business recommendation: ------------------------ Most of the issues previously identified (see SEC Consult security advisory SA-20150227-0) seem not to have been fixed properly and are still exploitable either directly or by easily bypassing implemented measures. A very short crash-test of only a few hours even resulted in new vulnerabilities. The Loxone smart home has multiple design and implementation flaws which combined could be used by an attacker to: 1) remotely cause a denial of service condition which renders the smart home unusable which would effectively disable any Loxone-controlled alarm system, 2) steal the user's credentials for the management interface and fully control the smart home, 3) execute JavaScript code in the user's browser for further attacks, 4) control arbitrary devices connected to the system, e.g. switch on/off lights, remotely open doors or garages, disable alarm system, etc., 5) gain access to admin passwords of Loxone partners (e.g. electricians who are implementing the smart home solution at customers) and completely take over other smart homes of the same Loxone partner! It is recommended by SEC Consult not to use this smart home system until a thorough security analysis (white box) of all components has been performed by security professionals, as a very short crash test (Blackbox) already resulted in critical vulnerabilities. Vulnerability overview/description: ----------------------------------- 1) Cross-site request-forgery (XSRF) The system is vulnerable to XSRF attacks. If an attacker is able to lure a user into clicking a crafted link or by embedding such a link within web pages (e.g. discussion forums) he could control arbitrary functions within the smart home system. All functions can be controlled via web based commands, e.g. in order to switch on lights, remotely open doors or garages, disable the alarm system, etc. This can still be exploited in the current Loxone version and it does not seem to be fixed properly. 2) HTTP Response Splitting / Header injection The web server of the Loxone smart home system is vulnerable to HTTP response splitting attacks. If an attacker is able to lure a user into clicking a crafted link (e.g. just by clicking a URL in a discussion forum or phishing email) he could arbitrarily manipulate the server's response (e.g. injection of JavaScript code). This can still be exploited in the current Loxone version and it does not seem to be fixed properly. The implemented measures/filters can be easily bypassed using double-encoded payloads. This attack is not limited to the admin interface, it can be exploited in any path of the webserver. SEC Consult has verified this attack in the most current versions of Mozilla Firefox and Google Chrome web browsers. 3) Reflected cross-site scripting (XSS) vulnerability The web interface of Loxone smart home is vulnerable to reflected cross-site scripting attacks. If an attacker is able to lure a user into clicking a crafted link (e.g. just by clicking a URL in a discussion forum or phishing email) he could execute arbitrary JavaScript code in the user's browser. Thereby he could steal the user's credentials or control arbitrary devices within the smart home system. To exploit this vulnerability it isn't mandatory for the user to be authenticated. Unauthenticated XSS vulnerabilities exist as well (by exploiting the HTTP Response Splitting vulnerability described in 2) as authenticated ones. SEC Consult has verified this attack in the most current versions of Mozilla Firefox and Google Chrome web browsers. 4) Denial of service An attacker could perform a denial of service attack with simple measures, such as synflood attacks. During such an attack the system isn't accessible via the network and can't be controlled anymore which also means that alarm systems won't work! This can still be exploited in the current Loxone version and it does not seem to be fixed properly. The miniserver was not reachable during the attack and rebooted after a short while (a few seconds) when running the attack (depending on the bandwidth). Furthermore, other new DoS attack vectors have been identified, which crash the web interface and are not related to the bandwidth network attacks. 5) Decrypted Loxone config passwords in memory The "Loxone Config" programming software for the Loxone smart home allows saving the whole configuration into a XML file for backup or for user support (e.g. via ticketing system or discussion forum). This XML config file contains usernames and passwords of all configured users (admin or non-admin with different access levels). Loxone partners (e.g. electricians who are implementing the smart home at customers) may also send such config files to their customers or provide end users admin level access with different admin user accounts. The password of the Loxone partner's admin account is usually not shared and should be kept a secret. The passwords are stored encrypted (not hashed!) within the config file and are immediately decrypted in memory upon opening such a config file by the Loxone Config software. Access to the Loxone miniserver is not needed! An attacker exploiting this issue is able to gain access to the admin password of the Loxone partner! This is especially critical if the same password is being used in different customer installations. Attackers (e.g. one customer of the Loxone partner) can then directly manipulate or control other Loxone smart homes of the same Loxone partner! Proof of concept: ----------------- 1) Cross site request forgery (XSRF) This can still be exploited in the current Loxone version and it does not seem to be fixed entirely. As an example, the alarm system of the Loxone "demo case" can be disabled via this XSRF payload in case the admin has previously been authenticated for the web services and is surfing with the same web browser: 2) HTTP Response Splitting / Header injection The following payload only works by accessing the web interface when a user is _not_ authenticated which will be most of the time in regular use cases. This makes successful exploitation more easy. The WWW-Authenticate header is not properly sanitized and uses the URI for the "Basic realm" input. Any payload within the URL will be added to the realm. It is possible to inject new headers or manipulate the response body in order to inject arbitrary HTML/JavaScript code (Response splitting / Header injection). The following URL demonstrates this issue and injects some HTML/JavaScript code (combined XSS attack) that generates a popup as an example: http://$ip/%2522%250aContent-Type:%20text%252fhtml%250a%250a%253chtml%253e%253cscript%253ealert%28123%29%253c%252fscript%253e%253c%252fhtml%253e An attacker who is able to trick a user into clicking this link (e.g. phishing email or discussion forum) will for example be able to re-create the login page of the Loxone miniserver device and trick a user into sending username/password to an attacker-controlled server. 3) Reflected cross-site scripting (XSS) vulnerability To reproduce this behavior it is sufficient to open the following URL as an authenticated user (or social engineer the victim to enter the credentials when prompted), which will show a popup message and turn on the LED light of the Loxone demo case. The payload uses double-encoded values in order to bypass the previously incorrectly implemented filters: http://$ip/dev/sps/io/%2522%253E%253Cscript%2520xmlns=%2527http:%25 26%2523x2f%253B%2526%2523x2f%253Bwww.w3.org/1999/xhtml%2527%253Ealert%2528%2527 you%2520got%2520p0wned%2520again%2527%2529%253b%2520r=new%2520XMLHttpRequest %2528%2529;%2520r.open%2528%2527GET%2527,%2527/dev/sps/io/MK_T5/on%2527,true%2529;%2520r.send%2528%2529;%253C/script%253E 4) Denial of service Running the following command will keep the miniserver in a non-responsive state after a few seconds (depending on the bandwidth) and it will not recover until the attack is stopped (it will reboot afterwards). During this attack, nothing can be controlled anymore (no switch of the demo case worked): hping3 -S --flood -p 80 $ip Furthermore, the following HTTP request (sometimes it is necessary to send it a few times) renders the web interface itself unusable. It is not possible anymore to control the smart home as the web interface does not work properly anymore, e.g. afterwards connection reset/unreachable errors or login errors occur although the password has been correctly entered in the web interface, etc.): GET /index.html HTTP/1.1 Host: foo Sec-WebSocket-Key1: foo A reboot is necessary in order to make the web interface work again. 5) Decrypted Loxone config passwords in memory This vulnerability can be easily verified when dumping the memory of the attacker's system which every local attacker has access to if he wants to gain access to passwords of his Loxone partner or other configuration files published by users on the Internet! It has been verified by installing Loxone Config in a virtual environment (VirtualBox) and using the following command to gain access to the memory: VBoxManage debugvm $vmname dumpguestcore --filename dump Upon opening the config file (e.g. of any Loxone partner or other end user who has published his configuration at the discussion forum) the Loxone Config software will immediately decrypt the passwords and keep them unencrypted in memory. The encryption key is suspected to be the same for all Loxone Config installations, but this has not been verified (no reverse engineering of Loxone Config has been performed). Access to the miniserver is not needed, it is simply enough to open the configuration file. The decrypted passwords of all users can be easily found in the dumped memory when searching for the username. Vulnerable / tested versions: ----------------------------- The vulnerabilities have been verified to exist in firmware version 6.3.3.11 of the Loxone smart home, which was the most recent version at the time of discovery. It is assumed that all previous firmware versions are affected as well. Vendor contact timeline: ------------------------ 2015-03-13: Contacting vendor through email, sending responsible disclosure policy, defining release deadline (4th May), asking for encryption keys 2015-03-13: Vendor: no encryption available; sending advisory unencrypted 2015-03-19: Answering question of Loxone regarding CSRF attacks 2015-04-16: Asking for status update: Vendor asks to delay disclosure until 14th May 2015-05-13: Updated firmware v6.4.5.12 available 2015-05-14: SEC Consult releases security advisory Solution: --------- According to the vendor the firmware version v6.4.5.12 fixes the identified security issues. It can be downloaded at the following URL and should be installed immediately in order to increase the level of security: http://www.loxone.com/tl_files/loxone/downloads/config/Loxone-Config-6.4.5.12.zip Workaround: ----------- Only connect to your miniserver via secure VPN and disable any port forwardings. Use an isolated PC (browser) to control the smart home and do not surf on the web while being logged in to the miniserver web interface. Use different passwords for all installations and don't reuse them. Advisory URL: ------------- https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult Berlin - Frankfurt/Main - Montreal - Singapore - Vienna (HQ) - Vilnius - Zurich About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://www.sec-consult.com/en/Career.htm Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://www.sec-consult.com/en/About/Contact.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF Johannes Greil / @2015