lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 12 Jul 2017 16:06:23 +0000
From: Ilia Shnaidman <Ilia.Shnaidman@...lguard.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] [CVE-2017-7727] - SSRF vulnerability in iSmartAlarm

[+] Credits: Ilia Shnaidman
[+] Source:
http://dojo.bullguard.com/blog/burglar-hacker-when-a-physical-security-is-compromised-by-iot-vulnerabilities/


Vendor:
=============
iSmartAlarm, inc.


Product:
=============
iSmartAlarm Backend

iSmartAlarm is one of the leading IoT manufactures in the domain of smart alarm systems.
It provides a fully integrated alarm system with siren, smart cameras and locks.
It functions like any alarm system, but with the benefits of a connected device: alerts pop up on your phone,
offering you full remote control via mobile app wherever you are.


Vulnerability Type:
=============
Server Side Request Forgery


CVE Reference:
=============
CVE-2017-7727


Security Issue:
================
Open Redirection -
iSmartAlarm is not validating injection inside its api.


Attack Vectors:
===============
One of the backend api's contains an SSRF which allows me to use it as a proxy.
An attacker can use iSmartAlarm's backend as a proxy server and potentially launch outbound attacks.
PoC:
https://api.ismartalarm.com:8443/api/downloadfile.ashx?url=https://ifconfig.io


Network Access:
===============
Remote


Severity:
=========
High


Disclosure Timeline:
=====================================
Jan  30, 2017: Initial contact to vendor
Feb  1,  2017: Vendor replied, requesting details
Feb  2,  2017: Disclosure to vendor
Apr  12, 2017: After vendor didn't replied, I've approached CERT
Apr  13, 2017: Confirmed receipt by CERT and assigning CVEs
July 05, 2017: Public disclosure

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists