security: RCE for ikea_tradfri calls

mariusmotea / diyHue

Philips Hue emulator that is able to control multiple types of lights

Other

627 stars 107 forks source link

security: RCE for ikea_tradfri calls #383

Closed lian closed 5 years ago

lian commented 6 years ago

just a heads up, was briefly looking over the code:

user controls payload["5851"] (bri) value and can escape the shell call https://github.com/mariusmotea/diyHue/blob/b2885e65326df4a7b9f82f46cef36e642b450d28/BridgeEmulator/HueEmulator3.py#L606

user controls get_parameters values and can escape the shell call https://github.com/mariusmotea/diyHue/blob/b2885e65326df4a7b9f82f46cef36e642b450d28/BridgeEmulator/HueEmulator3.py#L1081

ghost commented 6 years ago

@lian do you have a way to fix this? If so could you submit a PR?

ghost commented 6 years ago

@mariusmotea are you worried about this? Do you have a fix? It doesn't seem like @lian can help explain/fix the bug further. Close this?

mariusmotea commented 6 years ago

I don't understand exactly where is the problem, i believe the security concern is because i execute shell commands with the password, but anyway a person with access to host can get the sensitive data from configuration file. I will close this now.

lian commented 6 years ago

its a remote code execution. any machine on the same network can take over the machine running diyHue.

https://docs.python.org/3/library/shlex.html#shlex.quote

ghost commented 6 years ago

@mariusmotea It looks like there is a fix in the link @lian posted. This is something, I think, that needs fixing soon!

ghost commented 6 years ago

Perhaps the fix is something like this?

check_output("./coap-client-linux -m put -u \"" + bridge_config["lights_address"][light]["identity"] + "\" -k \"" + bridge_config["lights_address"][light]["preshared_key"] + "\" -e '{ \"3311\": [" + json.dumps(quote(payload)) + "] }' \"" + url + "\"", shell=True)

Though I don't have a Tradfri system to test this with

lian commented 6 years ago

you need to quote every argument that can contain user supplied values.

i'm not a python guy, but something like this:

json_payload = '{ "3311": [' + json.dumps(payload) + '] }'

check_output(
  "./coap-client-linux -m put -u " + 
  quote(bridge_config["lights_address"][light]["identity"]) +
  " -k " + 
  quote(bridge_config["lights_address"][light]["preshared_key"])
  " -e " + 
  quote(json_payload) + 
  " " + 
  quote(url)
  ,
  shell=True
)

ghost commented 6 years ago

Ah yes I see what you mean now! What do you think @mariusmotea?

mariusmotea commented 6 years ago

But \" that we currently use is not the same like quote(something) ?

lian commented 6 years ago

\" is the insecure version of quote() which an attacker can easily break out of.

ghost commented 5 years ago

@mariusmotea was this ever fixed in the new repo?

Also, can you set this repo to archived (read-only) so that new issues are only made in the new repo?

mariusmotea commented 5 years ago

I don't know exactly how to fix this and for me this is not the kind of security issue that can be a concern for this project.

ghost commented 5 years ago

Ok well, in that case, ill close this and create something in the todo project board so it can be picked up in the future if required.