Open Source and information security mailing list archives
 
Date: Wed, 30 Jan 2019 09:34:43 +0200
From: CUJ0 FAIL <cujo.fail@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Multiple APIs Vulnerabilities in CUJO Firewall

 *TL;DR:* Although the CUJO Firewall is a cute device and quite challenging
to break from a hardware hacking point of view... the APIs (which are just a
click away once pinning and the APK's obfuscation are bypassed) suffer from
authorization bypass issues.
An attacker could easily enumerate all existing users and, for each of
them, create a new 24/7 schedule that will be automatically enabled and
will automatically pause internet.
This results in a DoS attack by denying internet access to all
devices under CUJO’s “protection”.
In addition, a malicious user could delete all existing schedules for
all CUJO's customers.

*Vendor Description:*
“CUJO is an intelligent firewall which aims to protect your connected home
from online threats. From desktops to mobiles, tablets to smart TVs, CUJO
monitors all network activity to keep you safe from harm.
Once set up, CUJO <https://www.getcujo.com/> acts as a gateway between your
devices and the outside world. It checks devices as they connect to your
network, analyzes packets as they leave and arrive, looks for attempts to
access malware command-and-control servers and tests for man-in-the-middle
attacks. Threats are blocked automatically, although you can also see and
control some of what's happening via iOS and Android apps.
CUJO is much more than a simple hardware firewall. A lot of its processing
is carried out in the cloud, where it analyzes metadata from your network
connections, checks for problems and instructs your device to block any
threats. This reduces the load on CUJO's own processor, and makes it easier
for the system to detect brand-new dangers.
Simple device-level parental controls are thrown in as a bonus, allowing
you to block access to websites by type. There is no need to install
software on the clients, everything is managed from CUJO and its apps.” from
https://www.techradar.com/reviews/cujo


*Operational Overview & Prologue:*
The CUJO solution is composed of three different entities:

   - *CUJO Mobile App:* Obfuscated APK/IPA with Certificate Pinning, used
   to register and configure the CUJO Firewall.
   - *CUJO Firewall:* a physical device based on an Octeon MIPS CPU with
   dual gigabit Ethernet NICs.
   - *CUJO Cloud:* server-side infrastructure that acts as a relay for all
   communications between the app and the device itself.


For each CUJO account, multiple profiles can be created, and each profile
may contain multiple schedules. A schedule can define:

   - When it will take effect (e.g. hourly, daily, only on certain days,
   etc.)
   - A specific rule (e.g. blocking website categories, a specific list of
   domains, etc.)
   - Whether to pause internet or not (e.g. blocking all traffic)

*Proof of Concept:* The following APIs lack proper authorization checks:

   - GET /schedules?profileId=xxxxxxx
   - POST /schedules
   - PUT /schedules/yyyyyyyy
   - DELETE /schedules/zzzzzzz

Which means that any CUJO customer could conduct the following malicious
activities:

   - Remote Arbitrary Users' Schedules, ProfileIDs and AgentIDs Enumeration.
   - Remote Arbitrary Users' Schedules Creation.
   - Remote Arbitrary Users' Schedules Deletion.
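
The missing control is an object-level ownership check on every one of the four endpoints. The sketch below is an added example, not CUJO's code: the in-memory store, the function names and the assumption that the POST body carries a profileId are all hypothetical. It puts an unchecked handler next to checked ones.

```python
# Added illustration: object-level authorization for a schedules API.
# The data model and all names are hypothetical, not CUJO's code.
from dataclasses import dataclass, field

class Forbidden(Exception):
    """Caller is authenticated but does not own the addressed object."""

@dataclass
class Store:
    profile_owner: dict = field(default_factory=dict)     # profileId -> accountId
    schedule_profile: dict = field(default_factory=dict)  # scheduleId -> profileId
    schedules: dict = field(default_factory=dict)         # scheduleId -> body

def _require_profile_owner(store, account_id, profile_id):
    # Unknown and foreign profiles get the same answer, so the response
    # cannot be used to learn which IDs exist.
    if store.profile_owner.get(profile_id) != account_id:
        raise Forbidden(profile_id)

def list_schedules_unchecked(store, account_id, profile_id):
    # The flaw class from the advisory: profileId is trusted as sent.
    return [s for s, p in store.schedule_profile.items() if p == profile_id]

def list_schedules(store, account_id, profile_id):
    _require_profile_owner(store, account_id, profile_id)
    return [s for s, p in store.schedule_profile.items() if p == profile_id]

def create_schedule(store, account_id, schedule_id, body):
    # Assumed: POST names the target profile in its body. Check that
    # profile against the session's account, not just that a session exists.
    _require_profile_owner(store, account_id, body["profileId"])
    store.schedule_profile[schedule_id] = body["profileId"]
    store.schedules[schedule_id] = body

def delete_schedule(store, account_id, schedule_id):
    # PUT/DELETE address a schedule: resolve it to its profile, then
    # to the owning account, before touching it.
    profile_id = store.schedule_profile.get(schedule_id)
    _require_profile_owner(store, account_id, profile_id)
    del store.schedule_profile[schedule_id]
    store.schedules.pop(schedule_id, None)

def demo_store():
    # Constructed sample data: two accounts, one profile and schedule each.
    return Store(profile_owner={"p-alice": "alice", "p-bob": "bob"},
                 schedule_profile={"s-alice": "p-alice", "s-bob": "p-bob"},
                 schedules={"s-alice": {}, "s-bob": {}})
```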


*See Video PoC for a Detailed Explanation:*
https://www.youtube.com/watch?v=sjwAdNZotpg


*Worst Case Scenario:*

A malicious user could enumerate all existing users and, for each of them,
create a new 24/7 schedule that will be automatically enabled and will
automatically pause internet. This results in a DoS attack by
denying internet access to all devices under CUJO’s “protection”.
In addition, a malicious user could delete all existing schedules for
all CUJO's customers.
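
On the detection side, this scenario shows up as a single account addressing far more profile and schedule IDs than one household would. The following is an added example, not part of the original advisory: the log layout (time, account, method, path, status), the sample lines and the threshold are constructed assumptions.

```python
# Added illustration: spotting schedule-API enumeration in access logs.
# Log layout, sample lines and threshold are constructed assumptions.
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

SAMPLE_LOG = """\
2024-01-01T10:00:01Z acct-1 GET /schedules?profileId=1001 200
2024-01-01T10:00:05Z acct-1 GET /schedules?profileId=1001 200
2024-01-01T10:00:09Z acct-1 PUT /schedules/s-11 200
2024-01-01T10:01:00Z acct-7 GET /schedules?profileId=1001 200
2024-01-01T10:01:01Z acct-7 GET /schedules?profileId=1002 200
2024-01-01T10:01:02Z acct-7 GET /schedules?profileId=1003 200
2024-01-01T10:01:03Z acct-7 GET /schedules?profileId=1004 200
2024-01-01T10:01:04Z acct-7 DELETE /schedules/s-11 200
""".splitlines()

def object_id(method, path):
    """Return the profile or schedule a request addresses, or None."""
    parts = urlsplit(path)
    if method == "GET" and parts.path == "/schedules":
        ids = parse_qs(parts.query).get("profileId")
        return ("profile", ids[0]) if ids else None
    m = re.fullmatch(r"/schedules/([^/]+)", parts.path)
    if m and method in ("PUT", "DELETE"):
        return ("schedule", m.group(1))
    return None

def accounts_touching_many_objects(lines, threshold=3):
    """Map account -> number of distinct objects, for accounts over threshold."""
    seen = defaultdict(set)
    for line in lines:
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines rather than guess
        _, account, method, path, _ = fields
        oid = object_id(method, path)
        if oid:
            seen[account].add(oid)
    return {a: len(ids) for a, ids in seen.items() if len(ids) > threshold}
```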

*Some Stats:* While I was there... I tried enumerating around 100.000
profiles with Intruder in order to get an idea of CUJO customers'
lifestyles... here are some funny ones (click on the image to enlarge).


<https://3.bp.blogspot.com/-5b9Dqkwm1nU/XE9wUHBHycI/AAAAAAAAAAQ/ihgyto1M6nkD-BKb9mbJ-MP2_iXJNX0FQCLcBGAs/s1600/schedules_1_REDACTED.png>

Nonetheless, I wanted to get a feeling for how many activated CUJO Firewalls
are out there that could be impacted by the API vulnerabilities above...
and since a customer could have multiple profiles per CUJO... I had to
sort unique some data... and voilà: 7011 CUJOs out there (at least).

<https://4.bp.blogspot.com/-sdPtgQKClTw/XE9wREz9I-I/AAAAAAAAAAU/LEY-gV5V9VQCpjmbDnqLqJ1ZTh7lnhI3wCEwYBhgL/s1600/Unique_enumerated_CUJOs.JPG>


*Vendor Contact Timeline:*

*2019-01-28 - 11:00 UTC:* Vendor is notified through email to CEO &
Support, with a 90-hour deadline before Full-Disclosure.
*2019-01-28 - 15:00 UTC:* CEO confirms the vulnerability and confirms that
a hotfix has been deployed in PROD.
*2019-01-29:* Recheck & Public Release of Security Advisory.


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
