lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <4474920d0561b6a7008308b91b747201@mail.sxpert.org>
Date: Wed, 17 Oct 2012 14:23:17 +0200
From: sxpert <sxpert@...ert.org>
To: <full-disclosure@...ts.grok.org.uk>
Subject: Credentials leaks in Legrand-003598 /
	Bticino-F454 SCS Web Gateway

1. OVERVIEW

Credential leaks lead to complete compromise of home automation
system

2. BACKGROUND

The 2 devices are identical, and act as an IP gateway between
the SCS home automation bus, and an IP network.
The devices uses https for the web-front, and is also open on
port 20000 with an semi open protocol that allows controlling
everything at the owner's location.

3. VULNERABILITY DESCRIPTION

A file

https://[ip address of device]/TiWeb.xml

is directly accessible without requiring credential requests of
any sort, that contains plaintext login and passwords to the device
these credentials are all that's needed to reprogram the entire home
automation system, access video cameras in the installation, control
the burglar alarm, and more.

4. VERSIONS AFFECTED

Firmare 1.00.26

5. PROOF-OF-CONCEPT/EXPLOIT

just head to the url on an affected device. you can find those devices
by searching google for 'top_right_bticino' (and probably 
'top_right_legrand')

6. SOLUTION

upgrade to version 1.00.32 available

http://www.myopen-legrandgroup.com/devices/gateways/m/f454_-_003598/38439.aspx

7. VENDOR

Legrand Group

8. CREDIT

This vulnerability was found by Raphaël Jacquot, an independant 
security researcher

9. DISCLOSURE TIME-LINE

2012-07-23: Vendor Notified
2012-10-02: Vendor published non-vulnerable firmare 1.00.32
2012-10-17: Vulnerability disclosed

Best regards,

Raphaël Jacquot

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ