#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  Homeputer CL Studio für HomeMatic
# Vendor:   Contronics
# CSNC ID:  CSNC-2017-031
# CVE ID:   CVE-2017-17691
# Subject:  Incorrect Access Control
# Risk:     High
# Effect:   Remotely exploitable
# Author:   Thierry Viaccoz
# Date:     19.06.2018
#
#############################################################

Introduction:
-------------
Homeputer CL Studio für HomeMatic [1,2,3] is a home automation system by
Contronics. Among other things, it allows enabling or disabling security
sensors, setting the heating, opening or closing roller blinds, and
switching lights on or off. For the users' convenience, the system can be
controlled remotely with the aforementioned desktop client or with a
smartphone application.

Compass Security discovered an incorrectly designed access control for the
administration interface, allowing an attacker to gain full access to the
system.

Affected:
---------
Vulnerable:
 * Version 4.0, Rel 160808

No other version was tested, but older versions are believed to be
vulnerable as well. According to the vendor, the vulnerability has been
addressed in the most recent version.

Technical Description:
----------------------
When opening Homeputer CL Studio für HomeMatic and connecting to the server
by IP address and port, the server responds and the client prompts the user
for the configured username and password. An analysis of the client-server
communication showed that, during the initial connection request, the
server returns the username and password in cleartext to the client, so
that the username and password check is performed on the client side.
Furthermore, this behaviour reveals that the username and password are
stored in plaintext on the server side, since the server can return them in
cleartext. The communication to the server is also unencrypted. A remote
attacker on the network path can therefore sniff the traffic and capture the
packets containing the credentials, then log in with full access to the home
automation system.

Below is a Wireshark capture of this initial request sent to the server and
of the server's response (XML markup was stripped during extraction; only
the header lines and payload values remain):

Request:
========
POST /RPC2 HTTP/1.1
User-Agent: XMLRPC++ 0.7
Host: [CUT: Client IP address]:2110
Content-Type: text/xml
Content-length: 196

comexecengine 1001[CUT: Server IP address];3100
=========

Response:
=========
HTTP/1.1 200 OK
Server: XMLRPC++ 0.7
Content-Type: text/xml
Content-length: 257

2;3;[CUT: Instance name];07.09.2017 / 09:24:16;44;4.0 / 160808@USR:1#User=[CUT: Username];[CUT: Password];Uebersicht:1&#
=========

Workaround / Fix:
-----------------
The login process of the application has to be fixed so that the username
and password are no longer sent to the connecting party; the credentials
have to be checked on the server side instead. In addition, the credentials
should be stored as salted hashes rather than in plaintext. Finally, the
communication to the server has to be encrypted, e.g. using TLS.

Timeline:
---------
2018-06-19: Public disclosure date
2018-06-14: Vendor confirms that the vulnerability has been addressed
2018-02-08: Initial vendor response
2017-12-15: Initial vendor notification
2017-12-15: Assigned CVE-2017-17691
2017-09-07: Discovery by Thierry Viaccoz

References:
-----------
[1] https://www.contronics.de/html/CLFHZLightupdate.html
[2] https://www.contronics.de/fileadmin/download/homeputerCLBeschreibung.pdf
[3] https://www.contronics.de/download/InsthomeputerCLStudio.exe
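The "Workaround / Fix" section above names two of the three design changes a server needs: verify credentials on the server side and persist them only as salted hashes. The following Python is an added illustration of that pattern and is not Contronics' code; the record layout, the PBKDF2 parameters, the `LoginServer` class and its method names are this example's own assumptions. Contrast its `handshake()` with the response shown in the advisory: the pre-authentication reply carries no credential material, and the only thing a client can obtain after a correct password is a random session token.

```python
"""Server-side credential verification with salted password hashes.

Added example (not the vendor's code). Shows the fix the advisory calls for:
the server never hands credentials to the client, compares a freshly derived
hash against the stored one, and keeps only salt + hash on disk.
"""
import hashlib
import hmac
import os
import secrets

# Assumed parameters: PBKDF2-HMAC-SHA256, 16-byte random salt.
# Iteration count should be tuned to the server hardware.
_ITERATIONS = 100_000
_SALT_BYTES = 16


def make_record(password: str) -> dict:
    """Build the stored credential record: random salt plus derived hash.

    The cleartext password itself is never written anywhere.
    """
    salt = os.urandom(_SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)
    return {"salt": salt, "hash": digest, "iterations": _ITERATIONS}


def verify_password(record: dict, candidate: str) -> bool:
    """Re-derive the hash from the candidate and compare in constant time."""
    candidate_digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate_digest, record["hash"])


# Used when the username is unknown so that the unknown-user path costs the
# same as a wrong-password path (avoids a username-enumeration timing oracle).
_DUMMY_RECORD = make_record("")


class LoginServer:
    """Minimal login service: answers with a session token or a refusal.

    In the advisory, the server's handshake response contained the username
    and password so the client could check them locally. Here the handshake
    exposes only non-secret metadata and all checking happens server-side.
    """

    def __init__(self, users: dict):
        # users: username -> record from make_record (constructed sample data)
        self._users = users
        self._sessions = {}

    def handshake(self) -> dict:
        """What a client learns before authenticating: no credential material."""
        return {"protocol": 2, "auth_required": True}

    def login(self, username: str, password: str):
        """Return a session token on success, None on any failure."""
        record = self._users.get(username)
        if record is None:
            # Burn the same work as a real check, then refuse.
            verify_password(_DUMMY_RECORD, password)
            return None
        if not verify_password(record, password):
            return None
        token = secrets.token_hex(16)
        self._sessions[token] = username
        return token

    def session_user(self, token: str):
        """Resolve a session token back to its user, or None if unknown."""
        return self._sessions.get(token)


def demo() -> bool:
    """Exercise the service with constructed sample data; True if all holds."""
    server = LoginServer({"admin": make_record("correct horse")})  # constructed
    no_leak = "User" not in repr(server.handshake())
    token = server.login("admin", "correct horse")
    rejected = server.login("admin", "wrong") is None and server.login("nobody", "x") is None
    return no_leak and token is not None and rejected and server.session_user(token) == "admin"


if __name__ == "__main__":
    print("hardened login behaves as expected:", demo())
```

The third change from the fix section, wrapping the transport in TLS, is independent of this logic and belongs at the socket or HTTP layer; with it in place, even a correct client-supplied password never crosses the network in cleartext, and the stored record above gives an attacker who obtains the server's files only salts and hashes to work with.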