Talos Vulnerability Report

TALOS-2022-1552

Abode Systems, Inc. iota All-In-One Security Kit GHOME control authentication bypass vulnerability

October 20, 2022
CVE Number

CVE-2022-27805

SUMMARY

An authentication bypass vulnerability exists in the GHOME control functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9X and 6.9Z. A specially-crafted network request can lead to arbitrary XCMD execution. An attacker can send a malicious XML payload to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Abode Systems, Inc. iota All-In-One Security Kit 6.9X
Abode Systems, Inc. iota All-In-One Security Kit 6.9Z

PRODUCT URLS

iota All-In-One Security Kit - https://goabode.com/product/iota-security-kit

CVSSv3 SCORE

9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-284 - Improper Access Control

DETAILS

The iota All-In-One Security Kit is a home security gateway containing an HD camera, an infrared motion detection sensor, and Ethernet, WiFi and cellular connectivity. The iota gateway orchestrates communications between sensors (cameras, door and window alarms, motion detectors, etc.) distributed on the LAN and the Abode cloud. Users of the iota can communicate with the device through a mobile application or a web application.

The iota can be controlled remotely by the owner or an authorized user via a mobile application or a web application. When this is done, requests are initially sent via HTTPS to Abode Systems, Inc., where they are checked for authentication and authorization before the request is proxied to the target device via an XMPP channel established during the start-up of the /root/hpgw binary. This XMPP connection is initiated by the device and is protected from man-in-the-middle attacks by TLS certificate validation. A review of the available commands that can be transmitted over this XMPP channel turned up no commands that contain authentication material within them. Any command received over this XMPP connection is assumed to be authentic and trustworthy, with trust inherited from the security of the XMPP connection. These commands are referred to within the application as ‘XCMDs’, so we will adopt that terminology for this report.

There is a service listening locally on UDP/55050 that allows for submission of XCMDs, referred to in logs as GHOME. This service receives XCMDs and dispatches them to the same function that handles trusted XCMDs received over the XMPP connection.

An unauthenticated attacker who can communicate with UDP/55050 can transmit an XCMD that will be handled, without any authorization checks, in the same manner as an XCMD received via the trusted XMPP connection. As of version 6.9Z there are 222 different XCMDs, including all of the features available to the user via the mobile or web applications, as well as several others that do not appear to map to any functionality of the applications.

Several of these XCMDs have immediate negative security impacts: there are XCMDs that allow arming and disarming the system, reading and writing sensitive configuration values, rebooting the device, enabling the local web interface, changing the local web interface’s administrative account username and password, and many others.
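The following Python model is an added illustration, not code from the advisory or from the hpgw binary: it shows why routing the GHOME listener into the same handler as the XMPP channel inherits that channel's trust, and how carrying channel provenance into the dispatcher closes the gap. The XCMD names, the XML layout and the local allow-list policy are assumptions for the example.

```python
import xml.etree.ElementTree as ET

# Provenance of an XCMD. The advisory describes two entry points feeding one
# handler: the cloud-brokered XMPP channel (authenticated upstream by Abode)
# and the local GHOME listener on UDP/55050 (no authentication at all).
XMPP, GHOME = "xmpp", "ghome"

# Constructed device state and XCMD handlers; the real XCMD names, the XML
# layout and the hpgw internals are not published in the advisory.
state = {"armed": False, "admin_user": "admin", "admin_pass": "factory"}

def xcmd_get_status(args):
    return dict(state)

def xcmd_arm(args):
    state["armed"] = args.get("mode") != "off"
    return state["armed"]

def xcmd_set_admin(args):
    state["admin_user"], state["admin_pass"] = args["user"], args["pass"]
    return True

XCMDS = {"get_status": xcmd_get_status, "arm": xcmd_arm, "set_admin": xcmd_set_admin}

# XCMDs the unauthenticated local channel may ever reach (assumed policy).
GHOME_ALLOWED = {"get_status"}

def parse_xcmd(xml_bytes):
    """Parse <xcmd name="..."><arg k="...">value</arg></xcmd> (constructed format).
    A production parser should also bound document size and reject entities."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "xcmd" or "name" not in root.attrib:
        raise ValueError("not an xcmd")
    return root.attrib["name"], {a.attrib["k"]: a.text or "" for a in root.findall("arg")}

def dispatch_vulnerable(xml_bytes, channel):
    """Mirrors the reported design: provenance is ignored, so a datagram on
    UDP/55050 is handled exactly like a command from the trusted XMPP channel."""
    name, args = parse_xcmd(xml_bytes)
    return XCMDS[name](args)

def dispatch_hardened(xml_bytes, channel):
    """Carry provenance into the handler and refuse privileged XCMDs from the
    local channel, so trust no longer leaks across entry points."""
    name, args = parse_xcmd(xml_bytes)
    if name not in XCMDS:
        raise ValueError(f"unknown xcmd {name!r}")
    if channel != XMPP and name not in GHOME_ALLOWED:
        raise PermissionError(f"{name!r} refused on channel {channel!r}")
    return XCMDS[name](args)
```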

TIMELINE

2022-07-13 - Initial Vendor Contact
2022-07-14 - Vendor Disclosure
2022-09-26 - Vendor Patch Release
2022-10-20 - Public Release

Credit

Discovered by Matt Wiseman of Cisco Talos.