4/19/2023
Loxone support
The encryption key is suspected to be the same for all Loxone Config Software will immediately decrypt the passwords and keep them unencrypted in Has published his configuration at the discussion forum) the Loxone Config of any Loxone partner or other end user who VBoxManage debugvm $vmname dumpguestcore -filename dump (VirtualBox) and using the following command to gain access to the memory: It has been verified by installing Loxone Config in a virtual environment This vulnerability can be easily verified when dumping the memory of the attacker's system which every local attacker has access to if he wants to gain access to passwords of his Loxone partner or other configuration files Occur although the password has been correctly entered in the web interface, a reboot is necessary in order to make the web interface work again. 5) Decrypted Loxone config passwords in memory afterwards connection reset/unreachable errors or login errors It is not possible anymore to control the smart home as the web interface does not work properly anymore, e.g. During this attack, nothing can be controlled anymore (no switch of the demo case worked): Furthermore, the following HTTP request (sometimes it is necessary to send it a few times) renders the web interface itself unusable. The attack is stopped (it will reboot afterwards).
Running the following command will keep the miniserver in a non-responsive state after a few seconds (depending on the bandwidth) and it will not recover until The payload uses double-encoded values in order to bypass the Prompted), which will show a popup message and turn on the LED light of the To reproduce this behavior it is sufficient to open the following URL as an authenticated user (or social engineer the victim to enter the credentials when Of the Loxone miniserver device and trick a user into sending username/password 3) Reflected cross-site scripting (XSS) vulnerability phishing email or discussion forum) will for example be able to re-create the login page (combined XSS attack) that generates a popup as an example: The following URL demonstrates this issue and injects some HTML/JavaScript code Inject arbitrary HTML/JavaScript code (Response splitting / Header injection). Is possible to inject new headers or manipulate the response body in order to Any payload within the URL will be added to the realm. The WWW-Authenticate header is not properly sanitized and uses the URI for the _not_ authenticated which will be most of the time in regular use cases. The following payload only works by accessing the web interface when a user is SEC Consult Vulnerability Lab Security Advisory 2) HTTP Response Splitting / Header injection