KLF 200 instability discussion

[apeeters]

Hi,

While using this library on Node.js it works fine (within the limits of the KLF 200 firmware). However, while running in a browser I got errors parsing the JSON result of the /auth call. Further investigation showed that the resulting JSON was indeed invalid. It turned out to be reproducible using curl:

$ curl -d '{"action":"login","params":{"password":"<passwd>"}}' -H "Content-Type: application/json" -X POST http://<ip>/api/v1/auth

Results in:

)]}', {"token":"<base64 string>","result":true,"deviceStatus":"IDLE","data":{},"errors":[]}

Note the preamble before the actual JSON. Have you seen similar behaviour?

Thanks, Adriaan

[Julius2342]

I experienced the same problem with my KLF 200. Thats why i sanitize every json response in my Python wrapper[0].

I do not even want to know what is broken inside. It looks like broken internal buffer handling - which is in many cases exploitable. KLF has pretty poor security propositions if you look here [1]. I contacted Velux and they did not even understand the problem. m-(

[0] https://github.com/Julius2342/pyvlx/blob/master/pyvlx/interface.py#L126 [1] https://gist.github.com/Julius2342/6282ded9f527e762ea50f42c2c439a1a

[apeeters]

Thanks for the feedback. I found the workaround in this code as well:

https://github.com/MiSchroe/klf-200-api/blob/master/src/connection.js#L126

[apeeters]

The problem running in a browser seems to be caused by res.setEncoding not being available.

[MiSchroe]

@apeeters, can you provide some simple demo code for the browser, please? Would help me a lot to fix this.