0day.today - Biggest Exploit Database in the World.
CUJO Firewall User Enumeration / Authorization Bypass Vulnerabilities
Although the CUJO Firewall is a cute device and quite challenging to break from a hardware-hacking point of view, its APIs (which are just a click away once certificate pinning and the APK's obfuscation are bypassed) suffer from authorization bypass issues. An attacker could easily enumerate all existing users and, for each of them, create a new 24/7 schedule that is automatically enabled and automatically pauses the internet. This ends up as a DoS attack that denies internet access to every device under CUJO's "protection". A malicious user could also delete all existing schedules for all of CUJO's customers.

*Vendor Description:*

"CUJO is an intelligent firewall which aims to protect your connected home from online threats. From desktops to mobiles, tablets to smart TVs, CUJO monitors all network activity to keep you safe from harm. Once set up, CUJO <https://www.getcujo.com/> acts as a gateway between your devices and the outside world. It checks devices as they connect to your network, analyzes packets as they leave and arrive, looks for attempts to access malware command-and-control servers and tests for man-in-the-middle attacks. Threats are blocked automatically, although you can also see and control some of what's happening via iOS and Android apps. CUJO is much more than a simple hardware firewall. A lot of its processing is carried out in the cloud, where it analyzes metadata from your network connections, checks for problems and instructs your device to block any threats. This reduces the load on CUJO's own processor, and makes it easier for the system to detect brand-new dangers. Simple device-level parental controls are thrown in as a bonus, allowing you to block access to websites by type. There is no need to install software on the clients, everything is managed from CUJO and its apps." (from https://www.techradar.com/reviews/cujo)

*Operational Overview & Prologue:*

The CUJO solution is composed of three different entities:
- *CUJO Mobile App:* obfuscated APK/IPA with certificate pinning, used to register and configure the CUJO Firewall.
- *CUJO Firewall:* a physical device based on an Octeon MIPS CPU with dual gigabit Ethernet NICs.
- *CUJO Cloud:* server-side infrastructure that acts as a relay for all communications between the app and the device itself.

For each CUJO account, multiple profiles can be created, and each profile may contain multiple schedules. A schedule can define:
- When it takes effect (e.g. hourly, daily, only on certain days, etc.)
- A specific rule (e.g. blocking website categories, a specific list of domains, etc.)
- Whether to pause the internet (i.e. block all traffic)

*Proof of Concept:*

The following APIs lack proper authorization checks:
- GET /schedules?profileId=xxxxxxx
- POST /schedules
- PUT /schedules/yyyyyyyy
- DELETE /schedules/zzzzzzz

This means that any CUJO customer could conduct the following malicious activities:
- Remote enumeration of arbitrary users' schedules, profile IDs and agent IDs.
- Remote creation of schedules for arbitrary users.
- Remote deletion of arbitrary users' schedules.

*See the video PoC for a detailed explanation: https://www.youtube.com/watch?v=sjwAdNZotpg*

*Worst Case Scenario:*

A malicious user could enumerate all existing users and, for each of them, create a new 24/7 schedule that is automatically enabled and automatically pauses the internet. This ends up as a DoS attack that denies internet access to every device under CUJO's "protection". A malicious user could also delete all existing schedules for all of CUJO's customers.

*Some Stats:*

Meanwhile I was there... I tried enumerating with Intruder around 100,000 profiles in order to have an idea of CUJO's customers' lifestyles... here are some funny ones (click on the image to enlarge). <https://3.bp.blogspot.com/-5b9Dqkwm1nU/XE9wUHBHycI/AAAAAAAAAAQ/ihgyto1M6nkD-BKb9mbJ-MP2_iXJNX0FQCLcBGAs/s1600/schedules_1_REDACTED.png>

Nonetheless, I wanted to have a feeling for how many activated CUJO Firewalls are out there that could be impacted by the API vulnerabilities above... and since a customer could have multiple profiles per CUJO... I had to sort-unique some data... and voilà: 7011 CUJOs out there (at least). <https://4.bp.blogspot.com/-sdPtgQKClTw/XE9wREz9I-I/AAAAAAAAAAU/LEY-gV5V9VQCpjmbDnqLqJ1ZTh7lnhI3wCEwYBhgL/s1600/Unique_enumerated_CUJOs.JPG>

*Vendor Contact Timeline:*

- *2019-01-28 - 11:00 UTC:* Vendor is notified through email to CEO & Support, with a 90-hour deadline before full disclosure.
- *2019-01-28 - 15:00 UTC:* CEO confirms the vulnerability and confirms a hotfix has been deployed in PROD.
- *2019-01-29:* Recheck & public release of the security advisory.

# 0day.today [2024-12-25] #
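The object-level authorization check that the schedule endpoints in the advisory lack, written here as an added illustration (not CUJO's code; the account/profile/schedule model, the account names and all IDs are constructed placeholders). It puts the vulnerable read beside corrected handlers for GET, POST and DELETE; a PUT handler would resolve the schedule to its profile exactly as the delete path does.

```python
# Constructed sample data, not CUJO's real data model: an account owns
# profiles, a profile owns schedules (the hierarchy the advisory describes).
PROFILES = {101: "acct-A", 102: "acct-A", 201: "acct-B"}  # profileId -> owning account
SCHEDULES = {
    1: {"profileId": 101, "pauseInternet": False, "when": "Mon-Fri 20:00-22:00"},
    2: {"profileId": 201, "pauseInternet": True, "when": "24/7"},
}


class Forbidden(Exception):
    """Caller is not the owner of the requested profile or schedule."""


def vulnerable_get_schedules(caller: str, profile_id: int) -> list:
    # The flaw in the advisory: the caller is authenticated, but the profileId
    # taken from the query string is trusted as-is, so any customer reads any profile.
    return [s for s in SCHEDULES.values() if s["profileId"] == profile_id]


def assert_owns_profile(caller: str, profile_id: int) -> None:
    # Object-level check: the profile must exist AND belong to the caller.
    # Missing and foreign profiles raise the same error, so the response does
    # not reveal which profileIds exist.
    if PROFILES.get(profile_id) != caller:
        raise Forbidden(f"{caller} may not access profile {profile_id}")


def get_schedules(caller: str, profile_id: int) -> list:  # GET /schedules?profileId=
    assert_owns_profile(caller, profile_id)
    return [s for s in SCHEDULES.values() if s["profileId"] == profile_id]


def create_schedule(caller: str, body: dict) -> int:  # POST /schedules
    # The profileId inside the JSON body is caller-controlled too: check it.
    assert_owns_profile(caller, body["profileId"])
    sid = max(SCHEDULES, default=0) + 1
    SCHEDULES[sid] = dict(body)
    return sid


def delete_schedule(caller: str, schedule_id: int) -> None:  # DELETE /schedules/{id}
    # Resolve the schedule to its profile first, then check that profile's owner.
    sched = SCHEDULES.get(schedule_id)
    if sched is None:
        raise Forbidden(f"{caller} may not access schedule {schedule_id}")
    assert_owns_profile(caller, sched["profileId"])
    del SCHEDULES[schedule_id]


def denied(fn, *args) -> bool:
    """True if fn(*args) is refused by the ownership check."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False
```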