Add Belkin Wemo UPnP RCE (tested on Crock-Pot) #11409

Merged
merged 4 commits into from Feb 19, 2019

4 participants
@wvu-r7

wvu-r7 commented Feb 15, 2019

Version fragmentation frequently means that consumers are buying vulnerable IoT devices even if vulnerabilities have been disclosed and patched.

This is precisely what happened to us when we bought a new Wemo-enabled Crock-Pot from Amazon.

Through fuzzing and community research, we discovered that the Crock-Pot we purchased is vulnerable to a command injection vulnerability in its UPnP implementation... that was discovered by @phikshun in 2014 and patched by Belkin in 2015.

Consumers buying new IoT devices should be aware that their new devices aren't necessarily running new software. Patch early and patch often!

msf5 exploit(linux/upnp/belkin_wemo_upnp_exec) > info

       Name: Belkin Wemo UPnP Remote Code Execution
     Module: exploit/linux/upnp/belkin_wemo_upnp_exec
   Platform: Unix, Linux
       Arch: cmd, mipsle
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2014-04-04

Provided by:
  phikshun
  wvu <wvu@metasploit.com>

Module side effects:
 artifacts-on-disk

Module stability:
 crash-safe

Available targets:
  Id  Name
  --  ----
  0   Unix In-Memory
  1   Linux Dropper

Check supported:
  Yes

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                    yes       The target address range or CIDR identifier
  RPORT    49152            yes       The target port (TCP)
  SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
  SRVPORT  8080             yes       The local port to listen on.
  SSL      false            no        Negotiate SSL/TLS for outgoing connections
  SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
  URIPATH                   no        The URI to use for this exploit (default is random)
  VHOST                     no        HTTP server virtual host

Payload information:

Description:
  This module exploits a command injection in the Belkin Wemo UPnP API
  via the SmartDevURL argument to the SetSmartDevInfo action. This
  module has been tested on a Wemo-enabled Crock-Pot, but other Wemo
  devices are known to be affected, albeit on a different RPORT
  (49153).

References:
  CVE: Not available
  https://web.archive.org/web/20150901094849/http://disconnected.io/2014/04/04/universal-plug-and-fuzz/
  https://github.com/phikshun/ufuzz
  https://gist.github.com/phikshun/10900566
  https://gist.github.com/phikshun/9984624
  https://www.crock-pot.com/wemo-landing-page.html
  https://www.belkin.com/us/support-article?articleNum=101177
  http://www.wemo.com/

msf5 exploit(linux/upnp/belkin_wemo_upnp_exec) >

Thank you to @phikshun for the original research and UFuzz, which a friend and I hope to maintain and use in continued work!

See #10731 for the Crock-Pot remote control.
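A defender-side check built from the module description above (an added example, not code from this PR or from Metasploit): it inspects captured HTTP requests to the Wemo UPnP ports named in the module info (49152 on the Crock-Pot, 49153 on other Wemo devices) and flags a SetSmartDevInfo call whose SmartDevURL argument carries shell metacharacters. The SOAP service URN, the header dictionary and the sample bodies are constructed placeholders, not values taken from a real device.

```python
import re
from xml.etree import ElementTree as ET
from xml.sax.saxutils import escape

# Ports listed in the module info: 49152 on the Crock-Pot, 49153 on other Wemo devices.
WEMO_UPNP_PORTS = {49152, 49153}
# Characters a legitimate SmartDevURL value has no business containing.
SHELL_META = re.compile(r"[;&|`$<>(){}\n]")
# Raw-body fallback for requests whose XML does not parse cleanly.
RAW_URL = re.compile(r"<SmartDevURL>(.*?)</SmartDevURL>", re.S)

def smart_dev_url_from_body(body):
    """Return the SmartDevURL argument of a SetSmartDevInfo call, or None if the body is not one."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        m = RAW_URL.search(body)          # malformed XML still gets inspected
        return m.group(1) if m else None
    for elem in root.iter():
        if elem.tag.rsplit("}", 1)[-1] == "SetSmartDevInfo":   # strip any namespace prefix
            for child in elem:
                if child.tag.rsplit("}", 1)[-1] == "SmartDevURL":
                    return child.text or ""
            return ""                      # action present, argument missing
    return None

def inspect_request(dst_port, headers, body):
    """Classify one HTTP request destined for a Wemo UPnP port: ignore / benign / audit / alert."""
    if dst_port not in WEMO_UPNP_PORTS:
        return "ignore"
    url = smart_dev_url_from_body(body)
    if url is None:
        # Body is not a SetSmartDevInfo call; still worth an audit entry if the header claims one.
        return "audit" if "SetSmartDevInfo" in headers.get("SOAPACTION", "") else "benign"
    return "alert" if SHELL_META.search(url) else "audit"

def soap_body(smart_dev_url):
    """Constructed SetSmartDevInfo request body; the service URN is a placeholder, not Belkin's real one."""
    return (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
        '<u:SetSmartDevInfo xmlns:u="urn:PLACEHOLDER:service:smartsetup:1">'
        f"<SmartDevURL>{escape(smart_dev_url)}</SmartDevURL>"
        "</u:SetSmartDevInfo></s:Body></s:Envelope>"
    )

# Constructed header set; the SOAPACTION value mirrors the placeholder URN above.
HEADERS = {"SOAPACTION": '"urn:PLACEHOLDER:service:smartsetup:1#SetSmartDevInfo"'}

if __name__ == "__main__":
    for url in ("http://192.0.2.10/devinfo", "http://192.0.2.10/; placeholder"):
        print(url, "->", inspect_request(49152, HEADERS, soap_body(url)))
```

Every SetSmartDevInfo call gets at least an audit verdict because the action itself is rare in normal device traffic; the alert verdict is reserved for argument values that could only be an injection attempt.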

@wvu-r7 wvu-r7 marked this pull request as ready for review Feb 19, 2019

@wvu-r7 wvu-r7 changed the title [WIP] Add Belkin Wemo UPnP RCE (tested on Crock-Pot) Add Belkin Wemo UPnP RCE (tested on Crock-Pot) Feb 19, 2019

wvu-r7 added some commits Feb 19, 2019

Revert ARCH_CMD payload to cmd/unix/generic
There is no telnetd, so cmd/unix/bind_busybox_telnetd won't work.

@wchen-r7 wchen-r7 self-assigned this Feb 19, 2019

@wchen-r7 wchen-r7 merged commit 0c8b260 into rapid7:master Feb 19, 2019

2 of 3 checks passed
  continuous-integration/travis-ci/pr: The Travis CI build is in progress
  Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
  Metasploit Automation - Test Execution: Successfully completed all tests.

wchen-r7 added a commit that referenced this pull request Feb 19, 2019

msjenkins-r7 added a commit that referenced this pull request Feb 19, 2019

@wchen-r7


wchen-r7 commented Feb 19, 2019

Release Notes

The linux/upnp/belkin_wemo_upnp_exec exploit module has been added to the framework. This exploits a command injection in the Belkin WeMo UPnP API via the SmartDevURL argument to the SetSmartDevInfo action. It has been tested on a WeMo-enabled Crock-Pot, but other WeMo devices are known to be affected.
