lumapu / ahoy

Various tools, examples, and documentation for communicating with Hoymiles microinverters
https://ahoydtu.de

[Bug] Unauthorized Reboot #1158

Open panic2k opened 1 year ago

panic2k commented 1 year ago

Platform

ESP8266

Assembly

I did the assembly by myself

nRF24L01+ Module

nRF24L01+ plus

Antenna

external antenna

Power Stabilization

nothing

Connection picture

Version

0.7.36

Github Hash

ba218edbdb1b0a168e0c721bc2259fcc97c57f8a

Build & Flash Method

AhoyDTU Webinstaller

Setup

This DTU monitors 3 inverters, sometimes it freezes so I wanted to add some crontab

Debug Serial Log output

No response

Error description

Unauthorized Reboot is possible

curl 'http://192.168.XXX.XXX/reboot' --compressed -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' -H 'Accept-Language: de,en-US;q=0.7,en;q=0.3' -H 'Accept-Encoding: gzip, deflate' -H 'DNT: 1' -H 'Connection: keep-alive' -H 'Referer: http://192.168.XXX.XXX' -H 'Upgrade-Insecure-Requests: 1' -H 'Pragma: no-cache' -H 'Cache-Control: no-cache'

No cookie stuff needed - easy - but..... hmmmm......

lumapu commented 1 year ago

is your installation protected by a password? You mention that you are able to call /reboot without any authentication?

MetaChuh commented 1 year ago

@lumapu was always like this. calling dtu_ip/reboot always triggers a reboot, regardless of the protection mask.

some of us use this hack to reboot the dtu if the api is stuck at delivering „null“ instead of a json, so if you change anything ask the others first … if you don‘t get any response, it‘s ok.

lumapu commented 1 year ago

ok got your point, the security risk is low about that. In general: Ahoy isn't secure by itself. I will wait for response by others

MetaChuh commented 1 year ago

@panic2k good eyes and thanks for sharing. as long as you don‘t expose your dtu to the web, or at least geo protect your port forwarding or reverse proxy, it will be of little concern for now.
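One way to do the "reverse proxy" part of that suggestion, as an added example that is not from the Ahoy project: nginx in front of the DTU, forwarding /reboot only for LAN source addresses and putting everything else behind proxy-side basic auth for remote callers. The DTU address, hostname, certificate paths, htpasswd file and LAN range are placeholders.

```nginx
# Added example, not Ahoy project code. All addresses and paths are placeholders.
upstream ahoy_dtu {
    server 192.168.1.50:80;   # placeholder: the DTU's LAN address
}

server {
    listen 443 ssl;
    server_name dtu.example.invalid;           # placeholder hostname
    ssl_certificate     /etc/nginx/dtu.crt;    # placeholder paths
    ssl_certificate_key /etc/nginx/dtu.key;

    # /reboot is unauthenticated on the DTU itself (this issue), so the
    # proxy forwards it only for LAN source addresses. Remote clients get
    # 403 even if they hold valid basic-auth credentials.
    location = /reboot {
        allow 192.168.0.0/16;   # placeholder LAN range
        deny  all;
        proxy_pass http://ahoy_dtu;
        proxy_set_header Host      $host;
        proxy_set_header X-Real-IP $remote_addr;
    }

    # Everything else: LAN clients pass through, remote clients must
    # present proxy-side credentials ("satisfy any": either rule suffices).
    location / {
        satisfy any;
        allow 192.168.0.0/16;   # placeholder LAN range
        deny  all;
        auth_basic           "AhoyDTU";
        auth_basic_user_file /etc/nginx/dtu.htpasswd;   # created with htpasswd(1)
        proxy_pass http://ahoy_dtu;
        proxy_set_header Host      $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
```

The allow/deny lines stand in for the geo protection mentioned above; with ngx_http_geoip_module a country check can replace or extend them.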

panic2k commented 1 year ago

My DTU is certainly protected against unauthorized changes with password. In local network, I would actually not have to worry about it - but if someone wants remote access without homeassistant, it could be used at least for denial of service. I thought it was a little unusual. Just wanted to mention this - risk is for sure low

lumapu commented 1 year ago

thank you for reporting, I leave it open for a while, maybe someone has an idea to solve this with a small implementation