CVE-2023-33768 PoC — Belkin Wemo Smart Plug WSP080 数据伪造问题漏洞

Source

https://github.com/purseclab/CVE-2023-33768

Associated Vulnerability

Title:Belkin Wemo Smart Plug WSP080 数据伪造问题漏洞 (CVE-2023-33768)
Description:Belkin Wemo Smart Plug WSP080是美国贝尔金（Belkin）公司的一个智能插头。 Belkin Wemo Smart Plug WSP080 v1.2版本存在安全漏洞，该漏洞源于设备固件更新过程中固件签名验证不正确，允许攻击者通过精心设计的固件文件造成拒绝服务(DoS)。

Description

DoS against Belkin smart plugs via crafted firmware injection

Readme

# CVE-2023-33768
[Description]
Incorrect signature verification of the firmware during the Device
Firmware Update process of Belkin Wemo Smart Plug WSP080 v1.2 allows
attackers to cause a Denial of Service (DoS) via a crafted firmware
file.

 

 [Additional Information]
 When updating the firmware of the Wemo smart plug via its mobile application, we found that if firmware signature of the smart plug firmware binary is invalid it can cause the Wemo smart plug to stop responding (become bricked).

 We exploit the Wemo Android App (com.belkin.wemoandroid) to inject modified firmware into the Wemo Smart Plug.
 The original firmware is located at:
 http://app.xbcs.net/firmware/Wemo-RTOS/715-f30e070f6/WEMO_WW_4.00.20111600.PVT-RTOS-SNSV4_tz.bin.enc.
 We change this URL in the Wemo App by injecting code in the onResponse method of the Android Volley library.
 We change the URL that points to a binary in which we modified one byte.
 Specifically we modify the binary in the following way:
 @00124C90 (4th line at end of firmware file)
 A3 E0 49 D5 changed to A3 E0 50 D5.

 We confirm the modified firmware is sent to the device by intercepting the network traffic to the smart plug.
 After the modified firmware is received by the Smart Plug the plug stops responding and cannot be reset or detected by the mobile application.

 

 [Vulnerability Type]
 Denial of Service

 

 [Vendor of Product]
 Belkin

 

 [Affected Product Code Base]
 Wemo Smart Plug WSP080 - Wemo Android App (com.belkin.wemoandroid) (1.2)

 

 [Affected Component]
 http://app.xbcs.net/firmware/Wemo-RTOS/715-f30e070f6/WEMO_WW_4.00.20111600.PVT-RTOS-SNSV4_tz.bin.enc

 

 [Attack Type]
 Remote

 

 [Attack Vectors]
 This attack can be performed by just modifying at least one byte of the firmware binary at any point during the delivery of the firmware binary to the Smart Plug.
 This can be done when firmware is downloaded to the mobile device or the MQTT server or when it is in trasition on any of the networks.


# Steps
1. Host the [crafted_firmware_tz.bin.enc](crafted_firmware_tz.bin.enc) file on a web server.
2. Replace the original firmware URL (http://34.135.183.171/wemo/WEMO_WW_4.00.20111600.PVT-RTOS-SNSV4_tz.bin.enc) in [brickDevice.py](brickDevice.py) with the URL of the hosted file.
3. Pair the Wemo Smart Plug with the Wemo App.
4. Run the [brickDevice.py](brickDevice.py) script.
5. The Wemo Smart Plug will stop responding and cannot be reset or detected by the mobile application.

# Publication
https://www.computer.org/csdl/proceedings-article/eurosp/2023/651200b047/1OFthXNYuRy
https://research.utwente.nl/en/publications/aot-attack-on-things-a-security-analysis-of-iot-firmware-updates

File Snapshot


 [4.0K]  /data/pocs/0e4de9b4ebaaf40fce897f73195b50cd56ebc500
├── [1.3K]  brickDevice.py
├── [1.9K]  com.belkin.wemoandroid.js
├── [1.1M]  crafted_firmware_tz.bin.enc
└── [2.6K]  README.md

0 directories, 4 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!