| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <HE1PR0701MB22832AF1DDD20D36DEF7CF1E9FAF0@HE1PR0701MB2283.eurprd07.prod.outlook.com> Date: Wed, 12 Jul 2017 16:06:23 +0000 From: Ilia Shnaidman <Ilia.Shnaidman@...lguard.com> To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org> Subject: [FD] [CVE-2017-7727] - SSRF vulnerability in iSmartAlarm [+] Credits: Ilia Shnaidman [+] Source: http://dojo.bullguard.com/blog/burglar-hacker-when-a-physical-security-is-compromised-by-iot-vulnerabilities/ Vendor: ============= iSmartAlarm, inc. Product: ============= iSmartAlarm Backend iSmartAlarm is one of the leading IoT manufactures in the domain of smart alarm systems. It provides a fully integrated alarm system with siren, smart cameras and locks. It functions like any alarm system, but with the benefits of a connected device: alerts pop up on your phone, offering you full remote control via mobile app wherever you are. Vulnerability Type: ============= Server Side Request Forgery CVE Reference: ============= CVE-2017-7727 Security Issue: ================ Open Redirection - iSmartAlarm is not validating injection inside its api. Attack Vectors: =============== One of the backend api's contains an SSRF which allows me to use it as a proxy. An attacker can use iSmartAlarm's backend as a proxy server and potentially launch outbound attacks. PoC: https://api.ismartalarm.com:8443/api/downloadfile.ashx?url=https://ifconfig.io Network Access: =============== Remote Severity: ========= High Disclosure Timeline: ===================================== Jan 30, 2017: Initial contact to vendor Feb 1, 2017: Vendor replied, requesting details Feb 2, 2017: Disclosure to vendor Apr 12, 2017: After vendor didn't replied, I've approached CERT Apr 13, 2017: Confirmed receipt by CERT and assigning CVEs July 05, 2017: Public disclosure _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists