Sint Wind PI v01.26.19 Authentication Bypass
Title: Sint Wind PI v01.26.19 Authentication Bypass
Advisory ID: ZSL-2018-5472
Type: Local/Remote
Impact: Security Bypass, System Access
Risk: (5/5)
Release Date: 05.06.2018
Summary
A Meteo Station software for Raspberry PI. Capabilities include telephone answering, webcams, digital cameras, web. A Sint Wind is a wind condition (and other meteo data) telephone answering machine. This implementation uses a Raspberry PI with a Huawei 3G dongle. The Sint Wind is compatible with different kinds of Meteo Sensors (WH1080, WH3080, Davis, TX32, BMP085...).
Description
An Insecure Direct Object Reference flaw allows retrieval of the configuration file, which contains authentication credentials for the device and other nodes associated with it. The web application does not check for an authenticated session before serving its resources, so swpi.cfg (the config file), which contains credentials, can be requested directly.
Vendor
Tonino Tarsi - https://github.com/ToninoTarsi/swpi
Affected Version
01.26.19
Tested On
SimpleHTTP/0.6 Python/2.7.3
Raspberry PI
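One way to close the gap described under Description, as an added example (not code from swpi or from this advisory): a handler that checks authentication before serving anything and then serves only allow-listed file types, so swpi.cfg is refused in every case. Python 3's http.server stands in for the SimpleHTTP/0.6 server listed under Tested On; the credentials, extension allow-list and realm name are assumptions.

```python
# Added example, not swpi code; names and values below are assumptions.
import base64
import hmac
import posixpath
from http.server import SimpleHTTPRequestHandler
from urllib.parse import unquote

PUBLIC_EXTENSIONS = {".html", ".css", ".js", ".png", ".jpg"}  # assumed allow-list
USERNAME, PASSWORD = b"admin", b"change-me"  # placeholders, not swpi values

def authorized(auth_header):
    """True only for a well-formed Basic header carrying the expected pair."""
    if not auth_header or not auth_header.startswith("Basic "):
        return False
    try:
        user, _, pwd = base64.b64decode(auth_header[6:], validate=True).partition(b":")
    except ValueError:  # binascii.Error subclasses ValueError
        return False
    # Constant-time comparisons, combined without short-circuiting.
    return hmac.compare_digest(user, USERNAME) & hmac.compare_digest(pwd, PASSWORD)

def decide(raw_path, auth_header):
    """Status a request should receive: 401, 403 or 200."""
    if not authorized(auth_header):
        return 401
    # Strip query/fragment the way the stock handler does, then decode and normalise.
    path = posixpath.normpath(unquote(raw_path.split("?", 1)[0].split("#", 1)[0]))
    if posixpath.splitext(path)[1].lower() not in PUBLIC_EXTENSIONS:
        # swpi.cfg, *.py, logs and directory listings all end up here.
        return 403
    return 200

class HardenedHandler(SimpleHTTPRequestHandler):
    def _allowed(self):
        status = decide(self.path, self.headers.get("Authorization"))
        if status == 401:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="swpi"')
            self.send_header("Content-Length", "0")
            self.end_headers()
        elif status == 403:
            self.send_error(403)
        return status == 200

    def do_GET(self):
        if self._allowed():
            super().do_GET()

    def do_HEAD(self):
        if self._allowed():
            super().do_HEAD()
```

HTTP Basic sends credentials in a recoverable encoding, so a handler like this belongs behind TLS; keeping swpi.cfg outside the served directory removes the exposure at its source.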
Vendor Status
[28.05.2018] Vulnerability discovered.
[29.05.2018] Vendor contacted with details sent.
[29.05.2018] Vendor replies: "You can just push request on the official report".
[05.06.2018] Public security advisory released.
PoC
sintwind_auth.txt
Credits
Vulnerability discovered by Humberto Cabrera - <humbe@zeroscience.mk>
References
[1] https://cxsecurity.com/issue/WLB-2018060047
[2] https://packetstormsecurity.com/files/148049
[3] https://exchange.xforce.ibmcloud.com/vulnerabilities/144472
Changelog
[05.06.2018] - Initial release
[13.06.2018] - Added reference [1], [2] and [3]
Contact
Zero Science Lab
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk