Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Belkin Wemo UPnP RCE (tested on Crock-Pot) #11409

Merged
merged 4 commits into from
Feb 19, 2019
Merged

Add Belkin Wemo UPnP RCE (tested on Crock-Pot) #11409

merged 4 commits into from
Feb 19, 2019

Conversation

wvu
Copy link
Contributor

@wvu wvu commented Feb 15, 2019
edited
Loading

Version fragmentation frequently means that consumers are buying vulnerable IoT devices even if vulnerabilities have been disclosed and patched.

This is precisely what happened to us when we bought a new Wemo-enabled Crock-Pot from Amazon.

Through fuzzing and community research, we discovered that the Crock-Pot we purchased is vulnerable to a command injection vulnerability in its UPnP implementation... that was discovered by @phikshun in 2014 and patched by Belkin in 2015.

Consumers buying new IoT devices should be aware that their new devices aren't necessarily running new software. Patch early and patch often!

msf5 exploit(linux/upnp/belkin_wemo_upnp_exec) > info

       Name: Belkin Wemo UPnP Remote Code Execution
     Module: exploit/linux/upnp/belkin_wemo_upnp_exec
   Platform: Unix, Linux
       Arch: cmd, mipsle
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2014-04-04

Provided by:
  phikshun
  wvu <wvu@metasploit.com>

Module side effects:
 artifacts-on-disk

Module stability:
 crash-safe

Available targets:
  Id  Name
  --  ----
  0   Unix In-Memory
  1   Linux Dropper

Check supported:
  Yes

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                    yes       The target address range or CIDR identifier
  RPORT    49152            yes       The target port (TCP)
  SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
  SRVPORT  8080             yes       The local port to listen on.
  SSL      false            no        Negotiate SSL/TLS for outgoing connections
  SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
  URIPATH                   no        The URI to use for this exploit (default is random)
  VHOST                     no        HTTP server virtual host

Payload information:

Description:
  This module exploits a command injection in the Belkin Wemo UPnP API
  via the SmartDevURL argument to the SetSmartDevInfo action. This
  module has been tested on a Wemo-enabled Crock-Pot, but other Wemo
  devices are known to be affected, albeit on a different RPORT
  (49153).

References:
  CVE: Not available
  https://web.archive.org/web/20150901094849/http://disconnected.io/2014/04/04/universal-plug-and-fuzz/
  https://github.com/phikshun/ufuzz
  https://gist.github.com/phikshun/10900566
  https://gist.github.com/phikshun/9984624
  https://www.crock-pot.com/wemo-landing-page.html
  https://www.belkin.com/us/support-article?articleNum=101177
  http://www.wemo.com/

msf5 exploit(linux/upnp/belkin_wemo_upnp_exec) >

Thank you to @phikshun for the original research and UFuzz, which a friend and I hope to maintain and use in continued work!

See #10731 for the Crock-Pot remote control.

@wvu wvu marked this pull request as ready for review February 19, 2019 16:48
@wvu wvu changed the title [WIP] Add Belkin Wemo UPnP RCE (tested on Crock-Pot) Add Belkin Wemo UPnP RCE (tested on Crock-Pot) Feb 19, 2019
@wvu
Genericize exploit (less Crock-Pot verbiage)
bad53ae
@wvu
Revert ARCH_CMD payload to cmd/unix/generic
0c8b260 
There is no telnetd, so cmd/unix/bind_busybox_telnetd won't work.
@wchen-r7 wchen-r7 self-assigned this Feb 19, 2019
@wchen-r7 wchen-r7 merged commit 0c8b260 into rapid7:master Feb 19, 2019
wchen-r7 added a commit that referenced this pull request Feb 19, 2019
@wchen-r7
Land #11409, Add Belkin Wemo UPnP RCE
661e78b
msjenkins-r7 pushed a commit that referenced this pull request Feb 19, 2019
@wchen-r7 @msjenkins-r7
Land #11409, Add Belkin Wemo UPnP RCE
74a4c79
@wchen-r7
Copy link
Contributor

wchen-r7 commented Feb 19, 2019
edited by gdavidson-r7
Loading

Release Notes

The linux/upnp/belkin_wemo_upnp_exec exploit module has been added to the framework. This exploits a command injection in the Belkin WeMo UPnP API via the SmartDevURL argument to the SetSmartDevInfo action. It has been tested on a WeMo-enabled Crock-Pot, but other WeMo devices are known to be affected.

@wvu wvu deleted the feature/crockpot branch February 19, 2019 19:57
This was referenced Feb 22, 2019
Closed
Closed
Merged
@nstarke nstarke mentioned this pull request Feb 27, 2019
Merged
6 tasks
@wvu wvu mentioned this pull request Apr 4, 2019
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bcoles bcoles bcoles left review comments

Assignees

@wchen-r7 wchen-r7

Labels
feature module
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@wvu @wchen-r7 @bcoles @gdavidson-r7