Last updated at Wed, 03 Jan 2024 19:17:03 GMT

Rapid7 has discovered vulnerabilities in the Genie company's Aladdin Connect retrofit-kit garage door opener and its Android mobile application. The affected products are:

  • Aladdin Garage door smart retrofit kit, Model ALDCM
  • Android Mobile application ALADDIN Connect, Version 5.65 Build 2075

Rapid7 initially reported these issues to Overhead Door, the parent company of the Genie company, on August 22, 2023. Since then, members of our research team have worked with the vendor on the impact, the resolution, and a coordinated response for these vulnerabilities.

Product Description

The Aladdin Connect garage door opener (Retrofit-Kit) is a smart IoT solution that upgrades a standard electric garage door opener to support remote access and smart technology for opening and closing the garage door from a mobile application.

Credit

The vulnerabilities in the Genie Aladdin Connect retrofit garage door opener and mobile application were discovered by Deral Heiland, Principal IoT Researcher at Rapid7. They are being disclosed in accordance with Rapid7's vulnerability disclosure policy after coordination with the vendor.

Vendor Statement

Trusted for generations by millions of homeowners, The Genie Company is committed to security, and we collaborate with valued researchers, such as Rapid7, to respond to and resolve vulnerabilities on behalf of our customers.

Exploitation and Remediation

This section details the potential for exploitation, along with our remediation guidance for the issues discovered and reported by Rapid7, so that defenders of this technology can gauge the impact of, and the mitigations for, these issues appropriately.

Android Application Insecure Storage (CVE-2023-5879) - FIXED

While examining the Android mobile application, Aladdin Connect, for general security issues, Rapid7 found the user's password stored in clear text in the following file:

  • /data/data/com.geniecompany.AladdinConnect/shared_prefs/com.genie.gdocntl.MainActivity.xml

The persistence of this data was tested by logging out and rebooting the device. Logging out and rebooting a mobile device would normally cause such data to be purged from the device. In this case neither the file, nor its contents, were purged. Figure 2 is a copy of the file content after logout and reboot:

Figure 2: Clear text Stored User Credentials
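
A quick way for a reviewer to check for this class of problem on a copy of an app's shared_prefs file pulled from a device is to parse the XML and flag credential-looking entries. The following is an added example, not code from Rapid7 or Genie: it assumes the standard Android SharedPreferences XML layout, and the key names and the sample file are constructed rather than taken from the real application.

```python
"""Audit an Android SharedPreferences XML file for credential-like values.

Added example (not Rapid7's or Genie's code). Assumes the preferences file
uses the standard SharedPreferences XML format (<map> of <string name=...>);
the sample below is constructed, not the real file contents.
"""
import re
import xml.etree.ElementTree as ET

# Key names that commonly hold secrets; a match on the name is a strong signal.
SUSPICIOUS_KEY = re.compile(
    r"(pass(word|wd)?|pwd|secret|token|api[_-]?key|credential)", re.I
)
# Values that look like JWT/bearer tokens even when the key name is innocuous.
JWT_LIKE = re.compile(r"^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")


def audit_shared_prefs(xml_text) -> list:
    """Return one finding per <string> entry that looks like a stored secret.

    Accepts either str or bytes; the XML declaration is handled by encoding
    str input to UTF-8 before parsing.
    """
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    findings = []
    for elem in root.iter("string"):
        name = elem.get("name", "")
        value = elem.text or ""
        reason = None
        if SUSPICIOUS_KEY.search(name):
            reason = "key name suggests a credential"
        elif JWT_LIKE.match(value):
            reason = "value is a JWT-like token"
        if reason:
            # Report length, not the value itself, so the audit log is not a second leak.
            findings.append({"key": name, "reason": reason, "length": len(value)})
    return findings


# Constructed sample resembling a shared_prefs file (assumed layout, fake values).
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">homeowner@example.com</string>
    <string name="password">hunter2-plaintext</string>
    <string name="theme">dark</string>
    <string name="session">eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.abc123</string>
    <boolean name="first_run" value="false" />
</map>
"""

if __name__ == "__main__":
    for f in audit_shared_prefs(SAMPLE_PREFS):
        print(f"{f['key']}: {f['reason']} ({f['length']} chars)")
```

On a rooted test device or emulator the file can be copied out with `adb pull` and fed to `audit_shared_prefs`; the finding on the `password` key is exactly the condition described above, and the second finding shows why the value, not only the key name, is worth inspecting.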

Exploitation

An attacker with physical access to the user's smartphone (i.e., via a lost or stolen phone) could potentially extract this critical data, gaining access to the user's service account and with it control of the garage door opener.

Remediation

To mitigate this vulnerability, users should set a password or PIN on their mobile devices to restrict access.

Additional Notes from the Vendor

This vulnerability is related to the biometric feature (Touch or Face ID).

Mitigation: Update to the latest app upgrade available in the Play Store, app version v5.73.

Cross-Site Scripting (XSS) Injection into the Aladdin Connect Garage Door Opener (Retrofit Kit) Configuration Settings Web Server Console via Broadcast SSID Name (CVE-2023-5880)

When the Aladdin Connect device is placed into Wi-Fi configuration mode, the user interface used to configure the device is vulnerable to XSS injection via broadcast SSID names that contain HTML and/or JavaScript.

Exploitation

This cross-site scripting attack via the SSID injection method can be carried out by running a software-based Wi-Fi access point that broadcasts HTML or JavaScript as its SSID name.

An example of this is shown in Figure 3, using airbase-ng to broadcast the HTML and/or JavaScript code:

Figure 3: SSID Name Injection Method

In the example shown in Figure 4, a simple alert box is triggered on the Aladdin base unit's Wi-Fi configuration page by the SSID name above. In addition, the image on the right of Figure 4 shows the actual web page source delivered to the end user. No user interaction is needed to trigger this; the user only needs to view the web page while the device is in configuration mode.

Figure 4: XSS Injection using SSID Injection Method

Also, a denial of service (DoS) of the Wi-Fi configuration page can be accomplished by broadcasting an SSID whose contents break the page's markup, preventing the web page from being used to configure the device. This corrupted web page is shown in Figure 5:

Figure 5: Corrupted Wi-Fi Configuration Page
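
The root cause is a setup page that writes the scanned SSIDs into its HTML without escaping them. The following is an added example, not the device firmware (whose page template is not shown on this page): it models the setup page as a `<select>` of nearby networks, contrasts the unescaped rendering with an escaped one, and checks that a payload fits within the 32-octet SSID limit imposed by 802.11, since that limit bounds what an attacker can broadcast. The scan results are constructed.

```python
"""Vulnerable vs. hardened rendering of scanned SSIDs into a Wi-Fi setup page.

Added example, not the Aladdin Connect firmware's code; the device's real
page template is not shown on the advisory page. It models a setup page that
lists nearby SSIDs in a <select>, the place where a broadcast SSID becomes
HTML in the victim's browser.
"""
import html

# 802.11 limits an SSID to 32 octets, so any payload must fit in 32 bytes.
MAX_SSID_OCTETS = 32


def is_valid_ssid(ssid: str) -> bool:
    """True if the SSID is non-empty and fits the 802.11 length limit."""
    return 0 < len(ssid.encode("utf-8")) <= MAX_SSID_OCTETS


def render_vulnerable(ssids: list) -> str:
    """Concatenates SSIDs straight into markup: the bug class on this page."""
    options = "".join(f'<option value="{s}">{s}</option>' for s in ssids)
    return f'<select name="ssid">{options}</select>'


def render_hardened(ssids: list) -> str:
    """HTML-escapes every SSID in both attribute and text context.

    quote=True is needed for the attribute position so a double quote in the
    SSID cannot close the value="..." attribute and inject new attributes.
    """
    options = "".join(
        f'<option value="{html.escape(s, quote=True)}">{html.escape(s)}</option>'
        for s in ssids
        if is_valid_ssid(s)
    )
    return f'<select name="ssid">{options}</select>'


def contains_live_markup(page: str, payload: str) -> bool:
    """True if the raw payload survived rendering, i.e. would execute as markup."""
    return payload in page


# Constructed scan results: two ordinary networks and one hostile beacon.
PAYLOAD = "<script>alert(1)</script>"
SCAN = ["HomeNet", PAYLOAD, "Neighbor-5G"]

if __name__ == "__main__":
    print("payload fits in an SSID:", is_valid_ssid(PAYLOAD))
    print("vulnerable page carries it live:",
          contains_live_markup(render_vulnerable(SCAN), PAYLOAD))
    print("hardened page carries it live:",
          contains_live_markup(render_hardened(SCAN), PAYLOAD))
```

The alert payload is 25 bytes, so it fits comfortably in an SSID; the length check matters more for the defender than the attacker, because it also rules out crafted payloads that a scanner might otherwise accept from a malformed beacon.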

Remediation

To mitigate this vulnerability, users should avoid running the setup process if any oddly named SSIDs are being broadcast in the general vicinity, for example SSIDs whose names contain HTML markup and/or JavaScript code.

In addition, the mobile application can generally be used to set up and configure the garage door opener. This avoids any direct interaction with the vulnerable "Garage Door Control Setup" configuration page.

Additional Notes from the Vendor

This is a very low-impact vulnerability with minimal risk. It can only occur when the owner places the device into Wi-Fi configuration mode for a limited period of time and an intruder operates within 2.4 GHz band distance range during that limited configuration period. If a misconfiguration occurs, the device will not be affected and is fully capable of recovering from the misconfiguration. The device cannot be operated with a misconfigured SSID, because the device can only be claimed by the owner using the mobile app. There is no vulnerability in the mobile app, which is the approved device configuration mode.

Mitigation: Use mobile app to configure the device.

Web Interface Allows Unauthenticated Access to the "Garage Door Control Module Setup" Page (CVE-2023-5881) - FIXED

This vulnerability allows a user with network access to connect to the "Garage Door Control Module Setup" web page on the Aladdin Connect device's web server and change the Wi-Fi SSID settings the garage door opener connects with, without authenticating.

Exploitation

The device allows unauthenticated access to the Garage Door Control Module Setup configuration page on TCP port 80, which lets anyone with network access reconfigure the Wi-Fi settings without being challenged for authentication. A sample of this access to the configuration web page is shown in Figure 6:

Figure 6: Unauthenticated Configuration Service Access Port 80
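
A defender can check whether a device on a network they own serves this setup page without any authentication challenge. The following is an added example, not Rapid7's tooling: it assumes the page is served at the root path on port 80 and can be recognised by its title, both of which are assumptions about the device, and it probes an in-process mock of such a device so that it runs offline. Against real hardware, point `probe()` at the device's address on your own network.

```python
"""Probe a host for a Wi-Fi setup page served without authentication.

Added example (not Rapid7's tooling). Assumes the setup page is served at "/"
on TCP port 80 and is identifiable by its title; the path and marker string are
assumptions. The mock device below is constructed so the block runs offline.
"""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

SETUP_MARKER = "Garage Door Control Module Setup"  # page title named in the advisory


def classify(status: int, headers: dict, body: str) -> str:
    """Classify an HTTP response to the setup page path.

    An auth challenge (401/403 or WWW-Authenticate) is the healthy outcome; a
    200 carrying the setup title and a form is the unauthenticated condition.
    """
    if status in (401, 403) or "www-authenticate" in {k.lower() for k in headers}:
        return "auth-required"
    if status == 200 and SETUP_MARKER in body and "<form" in body.lower():
        return "unauthenticated-config"
    return "not-a-config-page"


def probe(host: str, port: int = 80, path: str = "/", timeout: float = 3.0) -> str:
    """GET the assumed setup path and classify what comes back."""
    url = f"http://{host}:{port}{path}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
            return classify(resp.status, dict(resp.headers), body)
    except urllib.error.HTTPError as e:  # 4xx/5xx still carry useful headers
        return classify(e.code, dict(e.headers), "")
    except (urllib.error.URLError, OSError):
        return "unreachable"


# --- constructed mock of a device that serves the setup form with no auth ---
MOCK_PAGE = (
    f"<html><head><title>{SETUP_MARKER}</title></head><body>"
    "<form method='post'><input name='ssid'>"
    "<input name='psk' type='password'></form></body></html>"
)


class _MockDevice(BaseHTTPRequestHandler):
    def do_GET(self):
        body = MOCK_PAGE.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_mock(port: int = 0):
    """Start the mock on loopback; port 0 lets the OS pick a free port."""
    srv = HTTPServer(("127.0.0.1", port), _MockDevice)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    srv, port = start_mock()
    print("mock device:", probe("127.0.0.1", port))
    srv.shutdown()
```

The classification deliberately treats a 401 or 403 as a pass regardless of body, and only reports the finding when the setup title and a form are both present on a 200, which keeps a captive portal or an unrelated landing page from producing a false positive.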

Remediation

To prevent exploitation, users should only connect the Aladdin garage door smart retrofit kit to networks they own and control. Also, access to this network from any other network source (such as the Internet) should not be allowed.

Additional Notes from the Vendor

This is a very low-impact vulnerability with minimal risk. It can only occur if an intruder has access to the same local network (using the same network router) as the retrofit kit, so the attack vector is limited to local. This web interface is not accessible from the internet. The device cannot be operated with a misconfigured SSID, because the device can only be claimed by its owner using the mobile app.

Mitigation: Update the Retrofit device to the latest software version, 14.1.1. The fix was automatically applied to all online devices as of December 2023. Please contact customer service to confirm whether your device has been updated.

Authenticated User Access to Other Users' Data via Service API - FIXED

An authenticated user could gain unauthorized access to other users' data by querying the following API with a device ID other than their own:

  • http://pxdqkls7aj.execute-api.us-east-1.amazonaws.com/Android/devices/879267

The following are example fields of the data potentially visible using this method:

Figure 1: Enumeration of User Data
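
The defect here is an authorization gap rather than an authentication one: the caller is logged in, but nothing ties the requested device ID to that caller. The following is an added example, not Genie's service code (whose handler and data model are not public): it models the device lookup behind a `/devices/{device_id}` style endpoint with an in-memory table and shows the vulnerable handler beside one that checks ownership. The device ID 879267 is the one on this page; 879268, the user IDs and the record contents are constructed.

```python
"""Device-lookup endpoint with and without an ownership check (IDOR).

Added example, not Genie's service code; the real API's handler and data
model are not public. Models GET .../devices/{device_id} over an in-memory
table to show why the caller's identity must be bound to the record, not
merely verified.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    device_id: int
    owner_user_id: str
    name: str
    wifi_ssid: str


# Constructed data: two users, each owning one device. 879267 is the ID on
# the advisory page; 879268 and the user IDs are invented for the example.
DEVICES = {
    879267: Device(879267, "user-a", "Garage (Main)", "HomeNet"),
    879268: Device(879268, "user-b", "Garage (Side)", "Neighbor-5G"),
}


class Forbidden(Exception):
    """Stand-in for an HTTP 403 response."""


def get_device_vulnerable(caller_user_id: str, device_id: int) -> dict:
    """Authenticates the caller but never checks who owns the device."""
    if not caller_user_id:
        raise PermissionError("unauthenticated")
    d = DEVICES[device_id]  # any valid ID is served to any logged-in caller
    return {"device_id": d.device_id, "owner": d.owner_user_id,
            "name": d.name, "ssid": d.wifi_ssid}


def get_device_fixed(caller_user_id: str, device_id: int) -> dict:
    """Authorizes: the device must belong to the caller, else 403-equivalent.

    Unknown IDs and other users' IDs get the same error, so a caller cannot
    use the difference to enumerate which device IDs exist.
    """
    if not caller_user_id:
        raise PermissionError("unauthenticated")
    d = DEVICES.get(device_id)
    if d is None or d.owner_user_id != caller_user_id:
        raise Forbidden(f"device {device_id} is not accessible to {caller_user_id}")
    return {"device_id": d.device_id, "name": d.name, "ssid": d.wifi_ssid}


def can_read_others_data(handler, caller: str, other_device: int) -> bool:
    """True if `handler` hands the caller another user's device record."""
    try:
        return handler(caller, other_device)["device_id"] == other_device
    except (Forbidden, KeyError):
        return False


if __name__ == "__main__":
    print("vulnerable leaks:", can_read_others_data(get_device_vulnerable, "user-a", 879268))
    print("fixed leaks:", can_read_others_data(get_device_fixed, "user-a", 879268))
```

The hardened handler also drops the owner field from the response: once access is scoped to the caller, the owner is always the caller, and returning it only helps an attacker confirm a hit if the check is ever bypassed.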

Additional Notes from the Vendor

This issue was resolved immediately after our internal penetration testing detected it. It happened because of a recent software update. The fix was applied to the API on 07/25/2023.

Mitigation: None