Improve check method in Belkin Wemo UPnP RCE #11452

Closed
wvu opened this issue Feb 22, 2019 · 17 comments · Fixed by #11464


wvu commented Feb 22, 2019

Putting this ticket up so I don't forget.

I wanted to improve the check method in exploit/linux/upnp/belkin_wemo_upnp_exec and auxiliary/admin/wemo/crockpot (irrelevant) with a firmware version check, but I forgot the UPnP action and don't have access to the device at the moment.

Edit: I also didn't discover the vulnerable version number until much later in development. Now we have it.

@nstarke has kindly volunteered to help with that this weekend. No pressure. This is just for coordination. :P

For #10731 and #11409.

@wvu wvu self-assigned this Feb 22, 2019

nstarke commented Feb 22, 2019

Example request response cycles below:

Request:

POST /upnp/control/firmwareupdate1 HTTP/1.1
SOAPAction: "urn:Belkin:service:firmwareupdate:1#GetFirmwareVersion"
Host: 192.168.40.102:49153
Content-Type: text/xml
Content-Length: 275
Connection: close

<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<s:Body>
	<u:GetFirmwareVersion xmlns:u="urn:Belkin:service:firmwareupdate:1">

	</u:GetFirmwareVersion>
</s:Body>
</s:Envelope>

Response:

HTTP/1.1 200 OK
CONTENT-LENGTH: 377
CONTENT-TYPE: text/xml; charset="utf-8"
DATE: Fri, 22 Feb 2019 17:53:38 GMT
EXT:
SERVER: Unspecified, UPnP/1.0, Unspecified
X-User-Agent: redsonic

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>
<u:GetFirmwareVersionResponse xmlns:u="urn:Belkin:service:firmwareupdate:1">
<FirmwareVersion>FirmwareVersion:WeMo_WW_2.00.11057.PVT-OWRT-InsightV2|SkuNo:Plugin Device</FirmwareVersion>
</u:GetFirmwareVersionResponse>
</s:Body> </s:Envelope>


nstarke commented Feb 22, 2019

@wvu-r7 Will try to get this into pull request form this weekend!


wvu commented Feb 22, 2019

You rock! I appreciate it!


wvu commented Feb 22, 2019

We can do a Gem::Version check against 2.00.8643 and return CheckCode::Appears, then force the existing check to CheckCode::Detected.


wvu commented Feb 22, 2019

Something like this:

def check
  a = nil
  version_paths.each do |u|
    vprint_status("Checking #{u}")
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => u
    )
    next unless res
    # Record the Apache version from the Server header the first time it is seen
    unless a
      res.headers['Server'] =~ /Apache\/([\d.]+)/ &&
        $1 && (a = Gem::Version.new($1))
      if a && a >= Gem::Version.new('2.3.9')
        vprint_good("Found Apache #{a} (AllowOverride None may be set)")
      elsif a
        vprint_warning("Found Apache #{a} (AllowOverride All may be set)")
      end
    end
    # Only a 200 response carrying a JSON "version" field is compared
    next unless res.code == 200 && (j = res.get_json_document) &&
                j['version'] && (v = Gem::Version.new(j['version']))
    if v <= Gem::Version.new('9.22.0')
      vprint_good("Found unpatched jQuery File Upload #{v}")
      return CheckCode::Appears
    else
      vprint_error("Found patched jQuery File Upload #{v}")
      return CheckCode::Safe
    end
  end
  # No path returned a usable version
  CheckCode::Unknown
end

Or this:

# Vulnerable since 0.6.0 and patched in 0.7.6 and 0.8.4
def check_banner(ip, version)
  # Capture the version that follows "libssh" in the banner (may be empty)
  version =~ /libssh[_-]?([\d.]*)$/ && $1 && (v = Gem::Version.new($1))
  if v.nil?
    vprint_error("#{ip}:#{rport} - #{version} does not appear to be libssh")
    Exploit::CheckCode::Unknown
  elsif v == Gem::Version.new('')
    # Banner names libssh but carries no version number
    vprint_warning("#{ip}:#{rport} - libssh version not reported")
    Exploit::CheckCode::Detected
  elsif v.between?(Gem::Version.new('0.6.0'), Gem::Version.new('0.7.5')) ||
        v.between?(Gem::Version.new('0.8.0'), Gem::Version.new('0.8.3'))
    vprint_good("#{ip}:#{rport} - #{version} appears to be unpatched")
    Exploit::CheckCode::Appears
  else
    vprint_error("#{ip}:#{rport} - #{version} appears to be patched")
    Exploit::CheckCode::Safe
  end
end


wvu commented Feb 22, 2019

I would LOVE to see UPnP library support in Metasploit, btw. That might be a fun "summer" project, perhaps for a GSoC student.


nstarke commented Feb 22, 2019

Yeah me too, because right now I'm patching miranda


nstarke commented Feb 22, 2019

Value can also be found in /setup.xml in node root->device->firmwareVersion - that is probably what I will end up using to grab the device firmware version.


wvu commented Feb 22, 2019

The check method already grabs that file, so feel free to work off that!


wvu commented Feb 22, 2019

Since we're working with XML, I think XPath will be the way to go:

unless res && res.code == 200 && (time = res.get_xml_document.at('//time'))

Regex is too brutish.


nstarke commented Feb 22, 2019

that will make my xml parsing sooooo much cleaner, thank you @wvu-r7


nstarke commented Feb 22, 2019

Hey @wvu-r7 sorry to bother you but I can't get the xpath functions (at, search, xpath) to retrieve any nodes from the XML graph. The xml data looks like this:

<?xml version="1.0"?>
<root xmlns="urn:Belkin:device-1-0">
  <specVersion>
    <major>1</major>
    <minor>0</minor>
  </specVersion>
  <device>
<deviceType>urn:Belkin:device:insight:1</deviceType>
<friendlyName>WeMo Insight upstairs 2</friendlyName>
    <manufacturer>Belkin International Inc.</manufacturer>
    <manufacturerURL>http://www.belkin.com</manufacturerURL>
    <modelDescription>Belkin Insight 1.0</modelDescription>
    <modelName>Insight</modelName>
    <modelNumber>1.0</modelNumber>
    <modelURL>http://www.belkin.com/plugin/</modelURL>
<serialNumber>231652K1200478</serialNumber>
<UDN>uuid:Insight-1_0-231652K1200478</UDN>
    <UPC>123456789</UPC>
<macAddress>149182B45F38</macAddress>
<firmwareVersion>WeMo_WW_2.00.11057.PVT-OWRT-InsightV2</firmwareVersion>
<iconVersion>0|49154</iconVersion>
<binaryState>0</binaryState>
    <iconList> 
      <icon> 
        <mimetype>jpg</mimetype> 
        <width>100</width> 
        <height>100</height> 
        <depth>100</depth> 
         <url>icon.jpg</url> 
      </icon> 
    </iconList>
    <serviceList>
      <service>
        <serviceType>urn:Belkin:service:WiFiSetup:1</serviceType>
        <serviceId>urn:Belkin:serviceId:WiFiSetup1</serviceId>
        <controlURL>/upnp/control/WiFiSetup1</controlURL>
        <eventSubURL>/upnp/event/WiFiSetup1</eventSubURL>
        <SCPDURL>/setupservice.xml</SCPDURL>
      </service>
      <service>
        <serviceType>urn:Belkin:service:timesync:1</serviceType>
        <serviceId>urn:Belkin:serviceId:timesync1</serviceId>
        <controlURL>/upnp/control/timesync1</controlURL>
        <eventSubURL>/upnp/event/timesync1</eventSubURL>
        <SCPDURL>/timesyncservice.xml</SCPDURL>
      </service>
      <service>
        <serviceType>urn:Belkin:service:basicevent:1</serviceType>
        <serviceId>urn:Belkin:serviceId:basicevent1</serviceId>
        <controlURL>/upnp/control/basicevent1</controlURL>
        <eventSubURL>/upnp/event/basicevent1</eventSubURL>
        <SCPDURL>/eventservice.xml</SCPDURL>
      </service>
      <service>
        <serviceType>urn:Belkin:service:firmwareupdate:1</serviceType>
        <serviceId>urn:Belkin:serviceId:firmwareupdate1</serviceId>
        <controlURL>/upnp/control/firmwareupdate1</controlURL>
        <eventSubURL>/upnp/event/firmwareupdate1</eventSubURL>
        <SCPDURL>/firmwareupdate.xml</SCPDURL>
      </service>
      <service>
        <serviceType>urn:Belkin:service:rules:1</serviceType>
        <serviceId>urn:Belkin:serviceId:rules1</serviceId>
        <controlURL>/upnp/control/rules1</controlURL>
        <eventSubURL>/upnp/event/rules1</eventSubURL>
        <SCPDURL>/rulesservice.xml</SCPDURL>
      </service>
	  
      <service>
        <serviceType>urn:Belkin:service:metainfo:1</serviceType>
        <serviceId>urn:Belkin:serviceId:metainfo1</serviceId>
        <controlURL>/upnp/control/metainfo1</controlURL>
        <eventSubURL>/upnp/event/metainfo1</eventSubURL>
        <SCPDURL>/metainfoservice.xml</SCPDURL>
      </service>

      <service>
        <serviceType>urn:Belkin:service:remoteaccess:1</serviceType>
        <serviceId>urn:Belkin:serviceId:remoteaccess1</serviceId>
        <controlURL>/upnp/control/remoteaccess1</controlURL>
        <eventSubURL>/upnp/event/remoteaccess1</eventSubURL>
        <SCPDURL>/remoteaccess.xml</SCPDURL>
      </service>
	   
      <service>
        <serviceType>urn:Belkin:service:deviceinfo:1</serviceType>
        <serviceId>urn:Belkin:serviceId:deviceinfo1</serviceId>
        <controlURL>/upnp/control/deviceinfo1</controlURL>
        <eventSubURL>/upnp/event/deviceinfo1</eventSubURL>
        <SCPDURL>/deviceinfoservice.xml</SCPDURL>
      </service>

      <service>
        <serviceType>urn:Belkin:service:insight:1</serviceType>
        <serviceId>urn:Belkin:serviceId:insight1</serviceId>
        <controlURL>/upnp/control/insight1</controlURL>
        <eventSubURL>/upnp/event/insight1</eventSubURL>
        <SCPDURL>/insightservice.xml</SCPDURL>
      </service>

      <service>
        <serviceType>urn:Belkin:service:smartsetup:1</serviceType>
        <serviceId>urn:Belkin:serviceId:smartsetup1</serviceId>
        <controlURL>/upnp/control/smartsetup1</controlURL>
        <eventSubURL>/upnp/event/smartsetup1</eventSubURL>
        <SCPDURL>/smartsetup.xml</SCPDURL>
      </service>
      
      <service>
        <serviceType>urn:Belkin:service:manufacture:1</serviceType>
        <serviceId>urn:Belkin:serviceId:manufacture1</serviceId>
        <controlURL>/upnp/control/manufacture1</controlURL>
        <eventSubURL>/upnp/event/manufacture1</eventSubURL>
        <SCPDURL>/manufacture.xml</SCPDURL>
      </service>

    </serviceList>
   <presentationURL>/pluginpres.html</presentationURL>
</device>
</root>

What am I missing here? I was able to parse this out successfully using REXML, but the code was ugggggggly


nstarke commented Feb 22, 2019

Never mind, looks like I don't even need to parse the XML to extract the version.


nstarke commented Feb 22, 2019


wvu commented Feb 22, 2019

XPath example against the HTTP response object:

[1] pry(#<Msf::Modules::Exploit__Linux__Upnp__Belkin_wemo_upnp_exec::MetasploitModule>)> res = Rex::Proto::Http::Response.new
=> #<Rex::Proto::Http::Response:0x00007fad5bec91d0
 @auto_cl=true,
 @body="",
 @bufq="",
 @chunk_max_size=10,
 @chunk_min_size=1,
 @code=200,
 @count_100=0,
 @headers={},
 @inside_chunk=false,
 @message="OK",
 @proto="1.1",
 @state=1,
 @transfer_chunked=false>
[2] pry(#<Msf::Modules::Exploit__Linux__Upnp__Belkin_wemo_upnp_exec::MetasploitModule>)> res.body = File.read('setup.xml')
=> "<?xml version=\"1.0\"?>\n<root xmlns=\"urn:Belkin:device-1-0\">\n  <specVersion>\n    <major>1</major>\n    <minor>0</minor>\n  </specVersion>\n  <device>\n<deviceType>urn:Belkin:device:insight:1</deviceType>\n<friendlyName>WeMo Insight upstairs 2</friendlyName>\n    <manufacturer>Belkin International Inc.</manufacturer>\n    <manufacturerURL>http://www.belkin.com</manufacturerURL>\n    <modelDescription>Belkin Insight 1.0</modelDescription>\n    <modelName>Insight</modelName>\n    <modelNumber>1.0</modelNumber>\n    <modelURL>http://www.belkin.com/plugin/</modelURL>\n<serialNumber>231652K1200478</serialNumber>\n<UDN>uuid:Insight-1_0-231652K1200478</UDN>\n    <UPC>123456789</UPC>\n<macAddress>149182B45F38</macAddress>\n<firmwareVersion>WeMo_WW_2.00.11057.PVT-OWRT-InsightV2</firmwareVersion>\n<iconVersion>0|49154</iconVersion>\n<binaryState>0</binaryState>\n    <iconList> \n      <icon> \n        <mimetype>jpg</mimetype> \n        <width>100</width> \n        <height>100</height> \n        <depth>100</depth> \n         <url>icon.jpg</url> \n      </icon> \n    </iconList>\n    <serviceList>\n      <service>\n        <serviceType>urn:Belkin:service:WiFiSetup:1</serviceType>\n        <serviceId>urn:Belkin:serviceId:WiFiSetup1</serviceId>\n        <controlURL>/upnp/control/WiFiSetup1</controlURL>\n        <eventSubURL>/upnp/event/WiFiSetup1</eventSubURL>\n        <SCPDURL>/setupservice.xml</SCPDURL>\n      </service>\n      <service>\n        <serviceType>urn:Belkin:service:timesync:1</serviceType>\n        <serviceId>urn:Belkin:serviceId:timesync1</serviceId>\n        <controlURL>/upnp/control/timesync1</controlURL>\n        <eventSubURL>/upnp/event/timesync1</eventSubURL>\n        <SCPDURL>/timesyncservice.xml</SCPDURL>\n      </service>\n      <service>\n        <serviceType>urn:Belkin:service:basicevent:1</serviceType>\n        <serviceId>urn:Belkin:serviceId:basicevent1</serviceId>\n        <controlURL>/upnp/control/basicevent1</controlURL>\n        
<eventSubURL>/upnp/event/basicevent1</eventSubURL>\n        <SCPDURL>/eventservice.xml</SCPDURL>\n      </service>\n      <service>\n        <serviceType>urn:Belkin:service:firmwareupdate:1</serviceType>\n        <serviceId>urn:Belkin:serviceId:firmwareupdate1</serviceId>\n        <controlURL>/upnp/control/firmwareupdate1</controlURL>\n        <eventSubURL>/upnp/event/firmwareupdate1</eventSubURL>\n        <SCPDURL>/firmwareupdate.xml</SCPDURL>\n      </service>\n      <service>\n        <serviceType>urn:Belkin:service:rules:1</serviceType>\n        <serviceId>urn:Belkin:serviceId:rules1</serviceId>\n        <controlURL>/upnp/control/rules1</controlURL>\n        <eventSubURL>/upnp/event/rules1</eventSubURL>\n        <SCPDURL>/rulesservice.xml</SCPDURL>\n      </service>\n\t  \n      <service>\n        <serviceType>urn:Belkin:service:metainfo:1</serviceType>\n        <serviceId>urn:Belkin:serviceId:metainfo1</serviceId>\n        <controlURL>/upnp/control/metainfo1</controlURL>\n        <eventSubURL>/upnp/event/metainfo1</eventSubURL>\n        <SCPDURL>/metainfoservice.xml</SCPDURL>\n      </service>\n\n      <service>\n        <serviceType>urn:Belkin:service:remoteaccess:1</serviceType>\n        <serviceId>urn:Belkin:serviceId:remoteaccess1</serviceId>\n        <controlURL>/upnp/control/remoteaccess1</controlURL>\n        <eventSubURL>/upnp/event/remoteaccess1</eventSubURL>\n        <SCPDURL>/remoteaccess.xml</SCPDURL>\n      </service>\n\t   \n      <service>\n        <serviceType>urn:Belkin:service:deviceinfo:1</serviceType>\n        <serviceId>urn:Belkin:serviceId:deviceinfo1</serviceId>\n        <controlURL>/upnp/control/deviceinfo1</controlURL>\n        <eventSubURL>/upnp/event/deviceinfo1</eventSubURL>\n        <SCPDURL>/deviceinfoservice.xml</SCPDURL>\n      </service>\n\n      <service>\n        <serviceType>urn:Belkin:service:insight:1</serviceType>\n        <serviceId>urn:Belkin:serviceId:insight1</serviceId>\n        
<controlURL>/upnp/control/insight1</controlURL>\n        <eventSubURL>/upnp/event/insight1</eventSubURL>\n        <SCPDURL>/insightservice.xml</SCPDURL>\n      </service>\n\n      <service>\n        <serviceType>urn:Belkin:service:smartsetup:1</serviceType>\n        <serviceId>urn:Belkin:serviceId:smartsetup1</serviceId>\n        <controlURL>/upnp/control/smartsetup1</controlURL>\n        <eventSubURL>/upnp/event/smartsetup1</eventSubURL>\n        <SCPDURL>/smartsetup.xml</SCPDURL>\n      </service>\n      \n      <service>\n        <serviceType>urn:Belkin:service:manufacture:1</serviceType>\n        <serviceId>urn:Belkin:serviceId:manufacture1</serviceId>\n        <controlURL>/upnp/control/manufacture1</controlURL>\n        <eventSubURL>/upnp/event/manufacture1</eventSubURL>\n        <SCPDURL>/manufacture.xml</SCPDURL>\n      </service>\n\n    </serviceList>\n   <presentationURL>/pluginpres.html</presentationURL>\n</device>\n</root>\n"
[3] pry(#<Msf::Modules::Exploit__Linux__Upnp__Belkin_wemo_upnp_exec::MetasploitModule>)> res.get_xml_document.at('firmwareVersion').text
=> "WeMo_WW_2.00.11057.PVT-OWRT-InsightV2"
[4] pry(#<Msf::Modules::Exploit__Linux__Upnp__Belkin_wemo_upnp_exec::MetasploitModule>)>


wvu commented Feb 22, 2019

#11463 is merged, so please rebase your work! Feel free to remove the TODO when you do, but please leave the NOCVE note where it is.


wvu commented Feb 27, 2019

Unpatched Crock-Pot setup.xml:

<?xml version="1.0"?>
<root xmlns="urn:Belkin:device-1-0">
  <specVersion>
    <major>1</major>
    <minor>0</minor>
  </specVersion>
  <device>
<deviceType>urn:Belkin:device:crockpot:1</deviceType>
<friendlyName>Crock-Pot® Slow Cooker</friendlyName>
    <manufacturer>Belkin International Inc.</manufacturer>
    <manufacturerURL>http://www.belkin.com</manufacturerURL>
    <modelDescription>Belkin Plugin Socket 1.0</modelDescription>
    <modelName>Socket</modelName>
    <modelNumber>1.0</modelNumber>
    <modelURL>http://www.belkin.com/plugin/</modelURL>
<serialNumber>221733S00000B5</serialNumber>
<UDN>uuid:Crockpot-1_0-221733S00000B5</UDN>
    <UPC>123456789</UPC>
<macAddress>94103E61FC54</macAddress>
<firmwareVersion>WeMo_WW_2.00.6461.PVT</firmwareVersion>
<iconVersion>1|49152</iconVersion>
<binaryState>1</binaryState>
    <iconList> 
      <icon> 
        <mimetype>jpg</mimetype> 
        <width>100</width> 
        <height>100</height> 
        <depth>100</depth> 
         <url>icon.jpg</url> 
      </icon> 
    </iconList>
    <serviceList>
      <service>
        <serviceType>urn:Belkin:service:WiFiSetup:1</serviceType>
        <serviceId>urn:Belkin:serviceId:WiFiSetup1</serviceId>
        <controlURL>/upnp/control/WiFiSetup1</controlURL>
        <eventSubURL>/upnp/event/WiFiSetup1</eventSubURL>
        <SCPDURL>/setupservice.xml</SCPDURL>
      </service>
      <service>
        <serviceType>urn:Belkin:service:timesync:1</serviceType>
        <serviceId>urn:Belkin:serviceId:timesync1</serviceId>
        <controlURL>/upnp/control/timesync1</controlURL>
        <eventSubURL>/upnp/event/timesync1</eventSubURL>
        <SCPDURL>/timesyncservice.xml</SCPDURL>
      </service>
      <service>
        <serviceType>urn:Belkin:service:basicevent:1</serviceType>
        <serviceId>urn:Belkin:serviceId:basicevent1</serviceId>
        <controlURL>/upnp/control/basicevent1</controlURL>
        <eventSubURL>/upnp/event/basicevent1</eventSubURL>
        <SCPDURL>/eventservice.xml</SCPDURL>
      </service>
      <service>
        <serviceType>urn:Belkin:service:crockpotevent:1</serviceType>
        <serviceId>urn:Belkin:serviceId:crockpotevent1</serviceId>
        <controlURL>/upnp/control/crockpot1</controlURL>
        <eventSubURL>/upnp/event/crockpot1</eventSubURL>
        <SCPDURL>/jardenservice.xml</SCPDURL>
      </service>	
	<service>
        <serviceType>urn:Belkin:service:jardenevent:1</serviceType>
        <serviceId>urn:Belkin:serviceId:jardenevent1</serviceId>
        <controlURL>/upnp/control/jardenevent1</controlURL>
        <eventSubURL>/upnp/event/jardenevent1</eventSubURL>
        <SCPDURL>/jardenservice.xml</SCPDURL>
      </service>
      <service>
        <serviceType>urn:Belkin:service:firmwareupdate:1</serviceType>
        <serviceId>urn:Belkin:serviceId:firmwareupdate1</serviceId>
        <controlURL>/upnp/control/firmwareupdate1</controlURL>
        <eventSubURL>/upnp/event/firmwareupdate1</eventSubURL>
        <SCPDURL>/firmwareupdate.xml</SCPDURL>
      </service>
      <service>
        <serviceType>urn:Belkin:service:rules:1</serviceType>
        <serviceId>urn:Belkin:serviceId:rules1</serviceId>
        <controlURL>/upnp/control/rules1</controlURL>
        <eventSubURL>/upnp/event/rules1</eventSubURL>
        <SCPDURL>/rulesservice.xml</SCPDURL>
      </service>
	  
      <service>
        <serviceType>urn:Belkin:service:metainfo:1</serviceType>
        <serviceId>urn:Belkin:serviceId:metainfo1</serviceId>
        <controlURL>/upnp/control/metainfo1</controlURL>
        <eventSubURL>/upnp/event/metainfo1</eventSubURL>
        <SCPDURL>/metainfoservice.xml</SCPDURL>
      </service>

      <service>
        <serviceType>urn:Belkin:service:remoteaccess:1</serviceType>
        <serviceId>urn:Belkin:serviceId:remoteaccess1</serviceId>
        <controlURL>/upnp/control/remoteaccess1</controlURL>
        <eventSubURL>/upnp/event/remoteaccess1</eventSubURL>
        <SCPDURL>/remoteaccess.xml</SCPDURL>
      </service>
	   
      <service>
        <serviceType>urn:Belkin:service:deviceinfo:1</serviceType>
        <serviceId>urn:Belkin:serviceId:deviceinfo1</serviceId>
        <controlURL>/upnp/control/deviceinfo1</controlURL>
        <eventSubURL>/upnp/event/deviceinfo1</eventSubURL>
        <SCPDURL>/deviceinfoservice.xml</SCPDURL>
      </service>
	   
      <service>
        <serviceType>urn:Belkin:service:smartsetup:1</serviceType>
        <serviceId>urn:Belkin:serviceId:smartsetup1</serviceId>
        <controlURL>/upnp/control/smartsetup1</controlURL>
        <eventSubURL>/upnp/event/smartsetup1</eventSubURL>
        <SCPDURL>/smartsetup.xml</SCPDURL>
      </service>
	
      <service>
        <serviceType>urn:Belkin:service:manufacture:1</serviceType>
        <serviceId>urn:Belkin:serviceId:manufacture1</serviceId>
        <controlURL>/upnp/control/manufacture1</controlURL>
        <eventSubURL>/upnp/event/manufacture1</eventSubURL>
        <SCPDURL>/manufacture.xml</SCPDURL>
      </service>

    </serviceList>
   <presentationURL>/pluginpres.html</presentationURL>
</device>
</root>

Patched Switch setup.xml:

<?xml version="1.0"?>
<root xmlns="urn:Belkin:device-1-0">
  <specVersion>
    <major>1</major>
    <minor>0</minor>
  </specVersion>
  <device>
<deviceType>urn:Belkin:device:controllee:1</deviceType>
<friendlyName>living room lights</friendlyName>
    <manufacturer>Belkin International Inc.</manufacturer>
    <manufacturerURL>http://www.belkin.com</manufacturerURL>
    <modelDescription>Belkin Plugin Socket 1.0</modelDescription>
<modelName>Socket</modelName>
    <modelNumber>1.0</modelNumber>
<hwVersion>v2</hwVersion>
    <modelURL>http://www.belkin.com/plugin/</modelURL>
<serialNumber>221739K0107021</serialNumber>
<UDN>uuid:Socket-1_0-221739K0107021</UDN>
    <UPC>123456789</UPC>
<macAddress>58EF68F439C8</macAddress>
<hkSetupCode>507-67-282</hkSetupCode>
<firmwareVersion>WeMo_WW_2.00.11143.PVT-OWRT-SNSV2</firmwareVersion>
<iconVersion>1|49152</iconVersion>
<binaryState>0</binaryState>
    <iconList>
      <icon>
        <mimetype>jpg</mimetype>
        <width>100</width>
        <height>100</height>
        <depth>100</depth>
         <url>icon.jpg</url>
      </icon>
    </iconList>
    <serviceList>
      <service>
        <serviceType>urn:Belkin:service:WiFiSetup:1</serviceType>
        <serviceId>urn:Belkin:serviceId:WiFiSetup1</serviceId>
        <controlURL>/upnp/control/WiFiSetup1</controlURL>
        <eventSubURL>/upnp/event/WiFiSetup1</eventSubURL>
        <SCPDURL>/setupservice.xml</SCPDURL>
      </service>
      <service>
        <serviceType>urn:Belkin:service:timesync:1</serviceType>
        <serviceId>urn:Belkin:serviceId:timesync1</serviceId>
        <controlURL>/upnp/control/timesync1</controlURL>
        <eventSubURL>/upnp/event/timesync1</eventSubURL>
        <SCPDURL>/timesyncservice.xml</SCPDURL>
      </service>
      <service>
        <serviceType>urn:Belkin:service:basicevent:1</serviceType>
        <serviceId>urn:Belkin:serviceId:basicevent1</serviceId>
        <controlURL>/upnp/control/basicevent1</controlURL>
        <eventSubURL>/upnp/event/basicevent1</eventSubURL>
        <SCPDURL>/eventservice.xml</SCPDURL>
      </service>
      <service>
        <serviceType>urn:Belkin:service:firmwareupdate:1</serviceType>
        <serviceId>urn:Belkin:serviceId:firmwareupdate1</serviceId>
        <controlURL>/upnp/control/firmwareupdate1</controlURL>
        <eventSubURL>/upnp/event/firmwareupdate1</eventSubURL>
        <SCPDURL>/firmwareupdate.xml</SCPDURL>
      </service>
      <service>
        <serviceType>urn:Belkin:service:rules:1</serviceType>
        <serviceId>urn:Belkin:serviceId:rules1</serviceId>
        <controlURL>/upnp/control/rules1</controlURL>
        <eventSubURL>/upnp/event/rules1</eventSubURL>
        <SCPDURL>/rulesservice.xml</SCPDURL>
      </service>

      <service>
        <serviceType>urn:Belkin:service:metainfo:1</serviceType>
        <serviceId>urn:Belkin:serviceId:metainfo1</serviceId>
        <controlURL>/upnp/control/metainfo1</controlURL>
        <eventSubURL>/upnp/event/metainfo1</eventSubURL>
        <SCPDURL>/metainfoservice.xml</SCPDURL>
      </service>

      <service>
        <serviceType>urn:Belkin:service:remoteaccess:1</serviceType>
        <serviceId>urn:Belkin:serviceId:remoteaccess1</serviceId>
        <controlURL>/upnp/control/remoteaccess1</controlURL>
        <eventSubURL>/upnp/event/remoteaccess1</eventSubURL>
        <SCPDURL>/remoteaccess.xml</SCPDURL>
      </service>

      <service>
        <serviceType>urn:Belkin:service:deviceinfo:1</serviceType>
        <serviceId>urn:Belkin:serviceId:deviceinfo1</serviceId>
        <controlURL>/upnp/control/deviceinfo1</controlURL>
        <eventSubURL>/upnp/event/deviceinfo1</eventSubURL>
        <SCPDURL>/deviceinfoservice.xml</SCPDURL>
      </service>
	   
      <service>
        <serviceType>urn:Belkin:service:smartsetup:1</serviceType>
        <serviceId>urn:Belkin:serviceId:smartsetup1</serviceId>
        <controlURL>/upnp/control/smartsetup1</controlURL>
        <eventSubURL>/upnp/event/smartsetup1</eventSubURL>
        <SCPDURL>/smartsetup.xml</SCPDURL>
      </service>
	
      <service>
        <serviceType>urn:Belkin:service:manufacture:1</serviceType>
        <serviceId>urn:Belkin:serviceId:manufacture1</serviceId>
        <controlURL>/upnp/control/manufacture1</controlURL>
        <eventSubURL>/upnp/event/manufacture1</eventSubURL>
        <SCPDURL>/manufacture.xml</SCPDURL>
      </service>

    </serviceList>
   <presentationURL>/pluginpres.html</presentationURL>
</device>
</root>

@wvu wvu closed this as completed in #11464 Mar 5, 2019
@wvu wvu changed the title Improve check methods in Belkin Wemo UPnP RCE and Crock-Pot remote control Improve check method in Belkin Wemo UPnP RCE Mar 5, 2019
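
The firmware check discussed in this thread, as an added example that is not part of the issue or of the Metasploit module: it reads firmwareVersion from a setup.xml body with REXML (standing in for the module's get_xml_document) and compares it to 2.00.8643 with Gem::Version. The sample XML is constructed from the firmwareVersion values posted above; the function names, the returned symbols and the choice to treat builds at or below the threshold as affected are assumptions.

```ruby
require 'rexml/document'
require 'rubygems' # Gem::Version

# Threshold quoted in the thread. Assumption: builds at or below it are
# treated as affected; the thread gives the number, not the boundary side.
THRESHOLD = Gem::Version.new('2.00.8643')

# Constructed, trimmed setup.xml body. Pass nil to omit <firmwareVersion>.
def sample_setup_xml(firmware)
  <<~XML
    <?xml version="1.0"?>
    <root xmlns="urn:Belkin:device-1-0">
      <device>
        <deviceType>urn:Belkin:device:controllee:1</deviceType>
        #{firmware && "<firmwareVersion>#{firmware}</firmwareVersion>"}
      </device>
    </root>
  XML
end

# Return the text of <firmwareVersion>, or nil if it is absent or the body
# is not well-formed XML. The document declares a default namespace
# (urn:Belkin:device-1-0), so the lookup matches on the element's local
# name instead of relying on an unprefixed XPath step.
def firmware_string(xml)
  doc = REXML::Document.new(xml)
  return nil unless doc.root

  node = doc.root.find_first_recursive { |e| e.name == 'firmwareVersion' }
  node&.text&.strip
rescue REXML::ParseException
  nil
end

# Pull the dotted numeric part out of strings such as
# "WeMo_WW_2.00.11057.PVT-OWRT-InsightV2"; nil if the format is unexpected.
def firmware_version(firmware)
  m = /\AWeMo_[A-Za-z]+_(\d+(?:\.\d+)+)/.match(firmware.to_s)
  m && Gem::Version.new(m[1])
end

# Map a setup.xml body to a result named after the CheckCode values used in
# the thread (hypothetical symbols, not Metasploit constants).
def classify(xml)
  firmware = firmware_string(xml)
  return :unknown if firmware.nil?   # no firmwareVersion element at all

  version = firmware_version(firmware)
  return :detected if version.nil?   # device answered, version unparsable

  # Gem::Version compares segment by segment as integers. A plain string
  # comparison would sort "2.00.11143" below "2.00.8643" and misreport it.
  version <= THRESHOLD ? :appears : :safe
end

if $PROGRAM_NAME == __FILE__
  ['WeMo_WW_2.00.6461.PVT',
   'WeMo_WW_2.00.11143.PVT-OWRT-SNSV2',
   'unrecognised-build',
   nil].each do |fw|
    puts "#{fw.inspect} -> #{classify(sample_setup_xml(fw))}"
  end
end
```

The device response is untrusted input, so the parse and the version match both return nil on anything unexpected instead of raising.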