Multiple vulnerabilities in Loxone Smart Home (part 2)

SEC Consult Vulnerability Lab Security Advisory < 20150514-0 >

=======================================================================

title: Multiple vulnerabilities

product: Loxone Smart Home

vulnerable version: Firmware version <6.4.5.12

fixed version: 6.4.5.12

impact: Critical

homepage: www.loxone.com

found: 2015-03-12

by: Johannes Greil (Office Vienna)

SEC Consult Vulnerability Lab

 

An integrated part of SEC Consult

Berlin - Frankfurt/Main - Montreal - Singapore

Vienna (HQ) - Vilnius - Zurich

 

www.sec-consult.com

 

=======================================================================

 

Vendor & product description:

-----------------------------

"Loxone Electronics was founded in 2009. Our focus is the development and

production of control solutions for all homes. Our aim is to make home

automation interesting, affordable and accessible for everyone."

 

URL: www.loxone.com/enus/company/about-us.html

 

 

Business recommendation:

------------------------

Most of the issues previously identified (see SEC Consult security advisory

SA-20150227-0) seem not to have been fixed properly and are still exploitable

either directly or by easily bypassing implemented measures. A very short

crash-test of only a few hours even resulted in new vulnerabilities.

 

The Loxone smart home has multiple design and implementation flaws which

combined could be used by an attacker to:

1) remotely cause a denial of service condition which renders the smart

home unusable which would effectively disable any Loxone-controlled

alarm system,

2) steal the user's credentials for the management interface and fully

control the smart home,

3) execute JavaScript code in the user's browser for further attacks,

4) control arbitrary devices connected to the system, e.g. switch on/off

lights, remotely open doors or garages, disable alarm system, etc.,

5) gain access to admin passwords of Loxone partners (e.g. electricians

who are implementing the smart home solution at customers) and

completely take over other smart homes of the same Loxone partner!

 

It is recommended by SEC Consult not to use this smart home system until a

thorough security analysis (white box) of all components has been performed by

security professionals, as a very short crash test (black box) already resulted

in critical vulnerabilities.

 

 

Vulnerability overview/description:

-----------------------------------

1) Cross-site request-forgery (XSRF)

The system is vulnerable to XSRF attacks. If an attacker is able to lure a user

into clicking a crafted link, or embeds such a link within web pages (e.g.

discussion forums), he could control arbitrary functions within the smart home

system.

All functions can be controlled via web based commands, e.g. in order to switch

on lights, remotely open doors or garages, disable the alarm system, etc.

 

This can still be exploited in the current Loxone version and it does not seem

to be fixed properly.

 

 

2) HTTP Response Splitting / Header injection

The web server of the Loxone smart home system is vulnerable to HTTP response

splitting attacks. If an attacker is able to lure a user into clicking a

crafted link (e.g. just by clicking a URL in a discussion forum or

phishing email) he could arbitrarily manipulate the server's response (e.g.

injection of JavaScript code).

 

This can still be exploited in the current Loxone version and it does not seem

to be fixed properly. The implemented measures/filters can be easily bypassed

using double-encoded payloads.

 

This attack is not limited to the admin interface, it can be exploited in any

path of the webserver.

 

SEC Consult has verified this attack in the most current versions of Mozilla

Firefox and Google Chrome web browsers.

 

 

3) Reflected cross-site scripting (XSS) vulnerability

The web interface of Loxone smart home is vulnerable to reflected cross-site

scripting attacks. If an attacker is able to lure a user into

clicking a crafted link (e.g. just by clicking a URL in a discussion forum or

phishing email) he could execute arbitrary JavaScript code in the user's

browser. Thereby he could steal the user's credentials or control arbitrary

devices within the smart home system. To exploit this vulnerability it isn't

mandatory for the user to be authenticated. Unauthenticated XSS vulnerabilities

(by exploiting the HTTP Response Splitting vulnerability described in 2) exist

as well as authenticated ones.

 

SEC Consult has verified this attack in the most current versions of Mozilla

Firefox and Google Chrome web browsers.

 

 

4) Denial of service

An attacker could perform a denial of service attack with simple measures, such

as SYN flood attacks. During such an attack the system isn't accessible via the

network and can't be controlled anymore which also means that alarm systems

won't work!

 

This can still be exploited in the current Loxone version and it does not seem

to be fixed properly. The miniserver was not reachable during the attack and

rebooted after a short while (a few seconds) when running the attack (depending

on the bandwidth).

 

Furthermore, other new DoS attack vectors have been identified, which crash the

web interface and are not related to the bandwidth network attacks.

 

 

5) Decrypted Loxone config passwords in memory

The "Loxone Config" programming software for the Loxone smart home allows saving

the whole configuration into an XML file for backup or for user support (e.g. via

ticketing system or discussion forum). This XML config file contains usernames

and passwords of all configured users (admin or non-admin with different access

levels).

 

Loxone partners (e.g. electricians who are implementing the smart home at

customers) may also send such config files to their customers or provide end

users admin level access with different admin user accounts. The password of

the Loxone partner's admin account is usually not shared and should be kept

a secret.

 

The passwords are stored encrypted (not hashed!) within the config file and are

immediately decrypted in memory upon opening such a config file by the Loxone

Config software. Access to the Loxone miniserver is not needed!

 

An attacker exploiting this issue is able to gain access to the admin password

of the Loxone partner! This is especially critical if the same password is being

used in different customer installations. Attackers (e.g. one customer of the

Loxone partner) can then directly manipulate or control other Loxone smart homes

of the same Loxone partner!

 

 

Proof of concept:

-----------------

1) Cross site request forgery (XSRF)

 

This can still be exploited in the current Loxone version and it does not seem

to be fixed entirely. As an example, the alarm system of the Loxone "demo case"

can be disabled via this XSRF payload in case the admin has previously been

authenticated for the web services and is surfing with the same web browser:

  <html>
  <img src=http://$ip/dev/sps/io/Alarmanlage/off></img>
  </html>
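
One way to refuse the `<img>`-triggered request above at a TLS-terminating reverse proxy placed in front of the miniserver, given as an added example that is not part of the advisory or of the Loxone firmware. The proxy placement, `TRUSTED_ORIGINS`, `ENTRY_PAGES` and the function names are assumptions; `Sec-Fetch-Site` and `Sec-Fetch-Mode` are the browser-set Fetch Metadata headers, with `Origin`/`Referer` as the fallback for browsers that do not send them. Because commands are plain GET requests, the usual exemption for cross-site navigations is limited to the start page.

```python
from urllib.parse import urlsplit

# Assumption: the single origin under which the proxy publishes the web interface.
TRUSTED_ORIGINS = {"https://miniserver.home.example"}
# Assumption: pages a user may reach by bookmark, typed URL or external link.
ENTRY_PAGES = {"/", "/index.html"}


def origin_of(url: str) -> str:
    """Reduce an Origin or Referer value to scheme://host[:port]."""
    parts = urlsplit(url)
    return "%s://%s" % (parts.scheme, parts.netloc)


def allow_request(method: str, path: str, headers: dict) -> bool:
    """Decide whether the proxy forwards a request to the miniserver."""
    h = {k.lower(): v for k, v in headers.items()}
    entry = method == "GET" and path in ENTRY_PAGES
    site = h.get("sec-fetch-site")
    if site is None:
        # Older browser: fall back to Origin, then Referer. Fail closed when
        # both are missing, since an embedding page can suppress the Referer.
        source = h.get("origin") or h.get("referer")
        trusted = source is not None and origin_of(source) in TRUSTED_ORIGINS
        return entry or trusted
    if site == "same-origin":
        # Requests issued by the web interface itself.
        return True
    # "cross-site", "same-site" and "none" (link opened from a mail client,
    # typed URL): only a top-level navigation to the start page is forwarded,
    # never a command URL such as /dev/sps/io/...
    return entry and h.get("sec-fetch-mode") == "navigate"
```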

 

 

2) HTTP Response Splitting / Header injection

 

The following payload only works by accessing the web interface when a user is

_not_ authenticated which will be most of the time in regular use cases. This

makes successful exploitation easier.

 

The WWW-Authenticate header is not properly sanitized and uses the URI for the

"Basic realm" input. Any payload within the URL will be added to the realm. It

is possible to inject new headers or manipulate the response body in order to

inject arbitrary HTML/JavaScript code (Response splitting / Header injection).

 

The following URL demonstrates this issue and injects some HTML/JavaScript code

(combined XSS attack) that generates a popup as an example:

 

http://$ip/%2522%250aContent-Type:%20text%252fhtml%250a%250a%253chtml%253e%253cscript%253ealert%28123%29%253c%252fscript%253e%253c%252fhtml%253e

 

 

An attacker who is able to trick a user into clicking this link (e.g. phishing

email or discussion forum) will for example be able to re-create the login page

of the Loxone miniserver device and trick a user into sending username/password

to an attacker-controlled server.
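
The double-encoding bypass described above is what happens when a filter inspects the URI before its final decode. The following added example (not code from the advisory or from Loxone) contrasts that pattern with header emission that uses a constant realm and refuses control characters in any header value. The function names, the realm string "Miniserver" and the sample path with its harmless marker header are constructed for illustration.

```python
from urllib.parse import unquote

MAX_DECODE_PASSES = 5  # assumption: limit on nested percent-encoding layers


def naive_realm_header(raw_path: str) -> str:
    """Flawed pattern: filter after ONE decode, then a later layer decodes again."""
    once = unquote(raw_path)
    if "\r" in once or "\n" in once or '"' in once:
        raise ValueError("rejected by filter")
    # The second decode further down the stack undoes the filter's work.
    return 'WWW-Authenticate: Basic realm="%s"' % unquote(once)


def canonicalise(raw_path: str) -> str:
    """Percent-decode until the value stops changing, within a fixed bound."""
    value = raw_path
    for _ in range(MAX_DECODE_PASSES):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many encoding layers")


def header_line(name: str, value: str) -> str:
    """Check at the point of emission: no control character reaches a header."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name + value):
        raise ValueError("control character in header")
    return "%s: %s" % (name, value)


def hardened_realm_header(raw_path: str) -> str:
    """Constant realm: the request path is deliberately not reflected."""
    return header_line("WWW-Authenticate", 'Basic realm="Miniserver"')


# Constructed sample: CR LF encoded twice (%250d%250a) plus a marker header.
SAMPLE = "/x%250d%250aX-Injected:%20yes"
```

With `SAMPLE`, `naive_realm_header` returns a value containing a raw CR LF followed by `X-Injected: yes`, while `header_line` raises `ValueError` for the canonicalised path and `hardened_realm_header` returns the same fixed line for every request.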

 

 

3) Reflected cross-site scripting (XSS) vulnerability

 

To reproduce this behavior it is sufficient to open the following URL as an

authenticated user (or social engineer the victim to enter the credentials when

prompted), which will show a popup message and turn on the LED light of the

Loxone demo case. The payload uses double-encoded values in order to bypass the

previously incorrectly implemented filters:

  http://$ip/dev/sps/io/%2522%253E%253Cscript%2520xmlns=%2527http:%25
    26%2523x2f%253B%2526%2523x2f%253Bwww.w3.org/1999/xhtml%2527%253Ealert%2528%2527
    you%2520got%2520p0wned%2520again%2527%2529%253b%2520r=new%2520XMLHttpRequest
    %2528%2529;%2520r.open%2528%2527GET%2527,%2527/dev/sps/io/MK_T5/on%2527,true%2529;%2520r.send%2528%2529;%253C/script%253E

 

4) Denial of service

 

Running the following command will keep the miniserver in a non-responsive state

after a few seconds (depending on the bandwidth) and it will not recover until

the attack is stopped (it will reboot afterwards). During this attack, nothing

can be controlled anymore (no switch of the demo case worked):

hping3 -S --flood -p 80 $ip

 

Furthermore, the following HTTP request (sometimes it is necessary to send it a

few times) renders the web interface itself unusable. It is not possible

anymore to control the smart home as the web interface does not work properly

anymore (e.g. afterwards connection reset/unreachable errors or login errors

occur although the password has been correctly entered in the web interface,

etc.):

    GET /index.html HTTP/1.1
    Host: foo
    Sec-WebSocket-Key1: foo

 

A reboot is necessary in order to make the web interface work again.

 

 

5) Decrypted Loxone config passwords in memory

This vulnerability can easily be verified by dumping the memory of the

attacker's own system, which every local attacker has access to if he wants to

gain access to passwords of his Loxone partner or of other configuration files

published by users on the Internet!

 

It has been verified by installing Loxone Config in a virtual environment

(VirtualBox) and using the following command to gain access to the memory:

 

VBoxManage debugvm $vmname dumpguestcore --filename dump

 

Upon opening the config file (e.g. of any Loxone partner or other end user who

has published his configuration at the discussion forum) the Loxone Config

software will immediately decrypt the passwords and keep them unencrypted in

memory. The encryption key is suspected to be the same for all Loxone Config

installations, but this has not been verified (no reverse engineering of

Loxone Config has been performed). Access to the miniserver is not needed, it

is simply enough to open the configuration file.

 

The decrypted passwords of all users can be easily found in the dumped memory

when searching for the username.

 

 

Vulnerable / tested versions:

-----------------------------

The vulnerabilities have been verified to exist in firmware version 6.3.3.11 of

the Loxone smart home, which was the most recent version at the time of discovery.

 

It is assumed that all previous firmware versions are affected as well.

 

 

Vendor contact timeline:

------------------------

2015-03-13: Contacting vendor through email, sending responsible disclosure

policy, defining release deadline (4th May), asking for encryption keys

2015-03-13: Vendor: no encryption available; sending advisory unencrypted

2015-03-19: Answering question of Loxone regarding CSRF attacks

2015-04-16: Asking for status update: Vendor asks to delay disclosure until

14th May

2015-05-13: Updated firmware v6.4.5.12 available

2015-05-14: SEC Consult releases security advisory

 

 

Solution:

---------

According to the vendor the firmware version v6.4.5.12 fixes the identified

security issues.

 

It can be downloaded at the following URL and should be installed immediately

in order to increase the level of security:

www.loxone.com/tl_files/loxone/downloads/config/Loxone-Config-6.4.5.12.zip

 

 

Workaround:

-----------

Only connect to your miniserver via secure VPN and disable any port forwardings.

Use an isolated PC (browser) to control the smart home and do not surf on the

web while being logged in to the miniserver web interface.

Use different passwords for all installations and don't reuse them.

 

 

Advisory URL:

-------------

www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

About SEC Consult Vulnerability Lab

The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It

ensures the continued knowledge gain of SEC Consult in the field of network

and application security to stay ahead of the attacker. The SEC Consult

Vulnerability Lab supports high-quality penetration testing and the evaluation

of new offensive and defensive technologies for our customers. Hence our

customers obtain the most current information about vulnerabilities and valid

recommendation about the risk profile of new technologies.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Mail: research at sec-consult dot com

Web: www.sec-consult.com

Blog: blog.sec-consult.com

Twitter: twitter.com/sec_consult

 

EOF Johannes Greil / @2015