Improper Input Validation on dbell Smart Doorbell Can Lead To Attackers Remotely Unlocking Door

07 Oct 2019

CVE Number: CVE-2019-13336

Foreword

Before I get into this writeup, I’d like to thank Tamir Israel from the CIPPIC for helping me with legal issues regarding this disclosure and the EFF for referring me to him.

This vulnerability allows any user to launch commands with no authentication verification through the doorbell’s web server. More specifically, if there is a lock connected to the relay switch on the doorbell, you can unlock the door locally on the network or remotely if it is exposed to the internet. Multiple email exchanges took place between me and dbell. This vulnerability remains unpatched.

Details

After connecting the doorbell to my network, I started with a simple nmap port scan.

Browsing to port 81 led me to a GoAhead web server login prompt.

I tried the default password, which is listed on the back of the doorbell (admin:blank), and was given this interface.

There were many cases of hardcoded credentials throughout the source code on the doorbell’s web server.

But I was mostly interested in this commented-out URL.

This looked to me like a gateway to reverse engineer the source code and call any of the functions.

Looking through the functions I discovered one that unlocks the door. For some background info, there is a small relay switch on the back of the doorbell. This switch can plug into a door lock, which allows you to unlock the door for a guest remotely.

Upon entering this URL (with your doorbell’s IP address) into your browser, the doorbell plays a “door is unlocked” voice message and unlocks the door for you.

hxxp://xxx.xxx.xxx.xxx:81/openlock.cgi?loginuse=admin&loginpass=888888

To make matters even worse, I accidentally discovered that those credentials don’t even matter. You can put absolutely whatever you want as the username and password values and it will execute.

hxxp://xxx.xxx.xxx.xxx:81/openlock.cgi?loginuse=?????&loginpass=?????

It is not limited to opening the lock either: any “.cgi” function on the web server can be executed without the server properly validating the input.
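Since the device executes any `.cgi` handler regardless of the supplied credentials, the only practical detection for an owner is to watch requests reaching port 81. The following is an added example, not code from the original post or from dbell: it runs over constructed access-log lines in common log format (GoAhead’s own log layout may differ), assumes a trusted LAN of 192.168.1.0/24, and uses the hypothetical name `/other.cgi` to stand in for any other handler on the server.

```python
import re
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Common log format: src - - [ts] "METHOD /path?query HTTP/1.1" status size
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+')

# Constructed: the LAN the doorbell sits on; any other source counts as off-network.
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed sample lines, not output from the device (GoAhead's own log layout may differ).
# /other.cgi is a hypothetical name standing in for any other .cgi handler on the server.
SAMPLE_LOG = """\
192.168.1.20 - - [07/Oct/2019:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
192.168.1.20 - - [07/Oct/2019:10:02:15 +0000] "GET /openlock.cgi?loginuse=admin&loginpass=888888 HTTP/1.1" 200 17
203.0.113.9 - - [07/Oct/2019:10:03:40 +0000] "GET /openlock.cgi?loginuse=x&loginpass=y HTTP/1.1" 200 17
192.168.1.31 - - [07/Oct/2019:10:04:01 +0000] "GET /other.cgi?loginuse=&loginpass= HTTP/1.1" 200 90
"""

def parse_line(line):
    # Split one access-log line into fields; None if the line does not match.
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # keep_blank_values so empty loginuse/loginpass still appear in the alert
    rec["params"] = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return rec

def classify(rec):
    # Alert on every .cgi request: the server runs them whatever credentials are sent.
    if not rec["path"].endswith(".cgi"):
        return None
    external = not any(ipaddress.ip_address(rec["src"]) in n for n in TRUSTED_NETS)
    return {
        "src": rec["src"],
        "path": rec["path"],
        "severity": "critical" if rec["path"] == "/openlock.cgi" else "high",
        "external": external,
        # recorded for context only; the handler executes regardless of this value
        "loginuse": rec["params"].get("loginuse"),
    }

def find_cgi_requests(log_text):
    # Alerts for every .cgi request in the log, in order of appearance.
    recs = (parse_line(line) for line in log_text.splitlines())
    return [a for a in (classify(r) for r in recs if r) if a]
```

An off-network source hitting `/openlock.cgi` is the case worth paging on; the `loginuse` value is kept only so the analyst can see that it made no difference.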

Below is a POC video of the doorbell performing the unlocking function.

Timeline