Friday, May 13, 2022

MCK-Lock predictable rolling codes design flaw (CVE-2022-30111)

The rolling-code keyspace of the MCK Lock is predictable, which makes the lock vulnerable to replay attacks.

Test method:

1) Capture the unlock code from the genuine MCK remote keyfob with a HackRF.

2) Replay the captured code; the lock opens within 10 to 20 attempts.

PoC demo:

https://www.youtube.com/watch?v=EruaGuE-cWI



Tuesday, January 4, 2022

Honda-Civic Keyfob system affected by Counter resynchronization attack (CVE-2021-46145)

A capture-in-advance, replay-later attack was successfully tested on a 2012 Honda Civic. However, it only works once, because the Honda Civic uses rolling codes to prevent replay attacks of this kind.


Each key press increments the rolling-code synchronization counter. By design, however, the receiver accepts a sliding window of counter values ahead of the last one it saw, so that accidental presses made out of range do not desynchronize the fob.
Replaying previously eavesdropped Lock/Unlock commands to the Honda Civic in a particular sequence resynchronizes the counter. Once the counter has been resynchronized, commands from the previous counter cycle can be replayed again.
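The sliding window and the resync behaviour described above, modelled as an added toy in C. This is not Honda's or any vendor's code: the window size, the toy tag function and the resync rule are assumptions chosen to show the mechanism, and no captured signal is reproduced. The naive receiver resyncs on any sequential pair of authenticated frames; the forward-only variant is the obvious fix.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy sliding-window rolling-code receiver with a counter resync rule.
 * Added illustration, not a vendor's code; WINDOW, KEY, toy_tag() and the
 * resync rule are all assumptions. */

#define WINDOW 16u
static const uint64_t KEY = 0x2bd6459f82c5b300ULL; /* constructed demo secret */

enum { CMD_LOCK = 0, CMD_UNLOCK = 1 };
enum { REJECT_TAG = 0, REJECT_WINDOW = 1, ACCEPT = 2, RESYNC_ACCEPT = 3 };

typedef struct { uint32_t counter; uint8_t cmd; uint32_t tag; } frame_t;
typedef struct { uint32_t counter; } fob_t;
typedef struct {
    uint32_t last;        /* highest counter accepted so far */
    uint32_t pending;     /* last out-of-window counter seen */
    int have_pending;
    int forward_only;     /* 1 = resync may only move the counter forward */
} receiver_t;

/* Toy keyed tag (a bit mixer, NOT a real MAC or cipher): stands in for the
 * fob's encryption so the receiver can authenticate counter and command. */
static uint32_t toy_tag(uint32_t counter, uint8_t cmd)
{
    uint64_t x = KEY ^ (((uint64_t)counter << 8) | cmd);
    x ^= x >> 33; x *= 0xff51afd7ed558ccdULL;
    x ^= x >> 33; x *= 0xc4ceb9fe1a85ec53ULL;
    x ^= x >> 33;
    return (uint32_t)x;
}

frame_t fob_press(fob_t *fob, uint8_t cmd)
{
    frame_t fr;
    fob->counter++;                      /* every press advances the counter */
    fr.counter = fob->counter;
    fr.cmd = cmd;
    fr.tag = toy_tag(fr.counter, cmd);
    return fr;
}

int receiver_recv(receiver_t *r, frame_t fr)
{
    if (toy_tag(fr.counter, fr.cmd) != fr.tag)
        return REJECT_TAG;
    /* Normal path: counter inside the window ahead of the last accepted one. */
    if (fr.counter > r->last && fr.counter <= r->last + WINDOW) {
        r->last = fr.counter;
        r->have_pending = 0;
        return ACCEPT;
    }
    /* Resync path: two consecutive authenticated frames with sequential
     * counters are trusted even outside the window. The naive variant never
     * checks direction, so a pair of OLD frames rolls the counter back. */
    if (r->have_pending && fr.counter == r->pending + 1 &&
        (!r->forward_only || fr.counter > r->last)) {
        r->last = fr.counter;
        r->have_pending = 0;
        return RESYNC_ACCEPT;
    }
    r->pending = fr.counter;
    r->have_pending = 1;
    return REJECT_WINDOW;
}

/* Plays the two cases from the write-up; stores 8 verdicts, returns count. */
int scenario(int forward_only, int out[8])
{
    fob_t fob = {0};
    receiver_t car = {0, 0, 0, forward_only};
    frame_t captured[4];
    int n = 0;
    out[n++] = receiver_recv(&car, fob_press(&fob, CMD_LOCK));   /* 1..3 */
    out[n++] = receiver_recv(&car, fob_press(&fob, CMD_UNLOCK));
    out[n++] = receiver_recv(&car, fob_press(&fob, CMD_LOCK));
    /* Attacker records four presses made out of the car's range: 4..7. */
    captured[0] = fob_press(&fob, CMD_UNLOCK);
    captured[1] = fob_press(&fob, CMD_LOCK);
    captured[2] = fob_press(&fob, CMD_UNLOCK);
    captured[3] = fob_press(&fob, CMD_LOCK);
    /* Case 1: capture in advance, replay later: works exactly once. */
    out[n++] = receiver_recv(&car, captured[0]);   /* counter 4: in window */
    out[n++] = receiver_recv(&car, captured[0]);   /* counter 4 again: consumed */
    for (unsigned i = 0; i < WINDOW + 10; i++)     /* owner drives on: 8..33 */
        receiver_recv(&car, fob_press(&fob, CMD_LOCK));
    /* Case 2: a sequential pair of old frames hits the resync rule. */
    out[n++] = receiver_recv(&car, captured[1]);   /* 5: behind, becomes pending */
    out[n++] = receiver_recv(&car, captured[2]);   /* 6 == pending + 1 */
    out[n++] = receiver_recv(&car, captured[3]);   /* 7: replayable again? */
    return n;
}

int main(void)
{
    static const char *names[] = {"reject-tag", "reject-window", "accept", "resync-accept"};
    int v[8], n, i;
    n = scenario(0, v);
    printf("naive resync: ");
    for (i = 0; i < n; i++) printf("%s ", names[v[i]]);
    n = scenario(1, v);
    printf("\nforward-only: ");
    for (i = 0; i < n; i++) printf("%s ", names[v[i]]);
    printf("\n");
    return 0;
}
```

With the naive rule the old frame pair (counters 5 and 6) is accepted as a resync and frame 7 replays cleanly; with the forward-only rule all three are rejected. Real counters are modular, so a production check has to define "forward" as a bounded distance ahead in modular arithmetic, not a plain comparison.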

Since this has only been successfully tested on the 2012 Honda Civic, how many other models are affected by this vulnerability remains unknown.






Monday, January 18, 2021

KACO XP100U HMI Credential Leak Vulnerability

Date: 2021-01-18

Author: Kevin2600

CVE:  CVE-2021-3252

Version: XP-JAVA 2.0

Vendor:  https://kaco-newenergy.com


Attack Vector: 

During the authentication process, the local server returns the correct credentials in plain text, regardless of the password the client supplied.


Reproduce Steps:

1: Sniff the authentication process of the XP100U client with Wireshark or tcpdump.

2: The XP100U client sends a request containing "aci_request_code type='int'>31<".

3: Reversing the Java application shows that request code 31 is GET_PASSWORD. The odd part is that this request is actually sent to the local server.

4: Regardless of the password supplied, the server always returns the correct credentials in PLAIN TEXT.


Impact-Level:

According to Shodan, around 172 devices are currently exposed on the public Internet.


Vendor Response: 

The vendor KACO has been contacted; however, there has been no response from them :(


Reference:

https://us-cert.cisa.gov/ics/alerts/ICS-ALERT-15-224-01

Wednesday, October 14, 2020

Audi A7 2014 MMI Mishandles the Format-string Specifiers

Date: 2020-10-13

Author: Kevin2600

CVE: CVE-2020-27524

Version:  Audi A7 2014 MMI

Vendor: https://www.audi.com/en.html


Attack-Vector: 

The Audi A7 2014 MMI infotainment system mishandles format-string specifiers. Simply renaming the phone's Bluetooth name to "%x%x%x%x%x" (or other specifiers) causes the MMI to leak memory contents into the display, or even to crash the service.


Reproduce-Steps:

1) Rename the phone's Bluetooth name to "%x%x%x%x%x".

2) Connect to the Audi's MMI IVI over Bluetooth as normal.

3) Start the multimedia player and play music. Normally, the music source name appears as the phone's name.


With the name set to format-string specifiers, the music source name shows leaked memory contents instead, and some specifiers even crash the service.


Vendor response:

The vendor Audi was contacted on Oct 14th, but they replied that this issue does not concern them. Indeed, the bug alone doesn't seem to do anything useful yet, but since CVE-2017-9212 (BMW 330i 2011) and CVE-2020-16142 (Mercedes-Benz AMG) show that they all have this issue, maybe we can start testing those German vehicles. You never know ;)


Tuesday, October 13, 2020

Solstice-Pod - Critical Unauthenticated Remote DoS Vulnerability 

Date: 2020-09-30 

Author: Kevin2600

CVE: CVE-2020-27523

Version: Gen2i-Pod (5.0.2)

Vendor:

https://documentation.mersive.com/content/home.htm

https://documentation.mersive.com/content/topics/general-gen2i-pod-specs.htm


Attack-Vector:

When a user connects to the Solstice Pod, the correct screen key is required to authenticate. Although the screen key appears to accept only digits, format-string specifiers such as "%x" can still be injected, and this causes the Solstice Pod to reboot, which amounts to a DoS attack.

Reproduce-Steps:

1: Connect to the Solstice Pod with a browser for screen sharing; it asks for the screen key.

2: Use Burp Suite to intercept the access URL and replace the screen key value with format-string specifiers such as "%x".




3: The Solstice Pod reboots immediately: the screen goes blank and the restart takes about 20-30 seconds.
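The bug class behind both this Solstice Pod DoS and the Audi MMI "%x%x%x%x%x" leak above, as an added C illustration (not Mersive's, Audi's or any vendor's code; the helper names, the buffer size and the 8-digit key length are made up). A logging or rendering helper that forwards its format to vsnprintf is harmless while callers pass a literal; the moment attacker text becomes the format, each %x reads a value the caller never supplied, and %n would write through one.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Rendering helper of the kind these systems have: forwards its format and
 * arguments to vsnprintf. Fine as long as callers pass a literal format. */
static int render(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable pattern: the untrusted device name IS the format string.
 * "%x%x%x%x%x" pulls five words the caller never passed (registers, then
 * stack) into the display; "%n" would write to memory instead. */
int render_source_vuln(char *out, size_t outlen, const char *device_name)
{
    return render(out, outlen, device_name);
}

/* Fixed pattern: the untrusted text is an ARGUMENT, the format is a literal. */
int render_source_safe(char *out, size_t outlen, const char *device_name)
{
    return render(out, outlen, "%s", device_name);
}

/* Input validation for a field that is supposed to be numeric, such as the
 * screen key: reject anything that is not 1..8 ASCII digits before it can
 * reach any formatting or logging code. The length bound is an assumption. */
int screen_key_valid(const char *key)
{
    size_t n = strlen(key);
    if (n == 0 || n > 8)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char)key[i]))
            return 0;
    return 1;
}

int main(void)
{
    const char *name = "%x%x%x%x%x";          /* the rename from the Audi steps */
    char vuln[128], safe[128];
    render_source_vuln(vuln, sizeof vuln, name);
    render_source_safe(safe, sizeof safe, name);
    printf("vulnerable render: %s\n", vuln);   /* leaked register/stack words */
    printf("safe render:       %s\n", safe);   /* the name, verbatim */
    printf("screen key '1234' valid: %d, '%%x' valid: %d\n",
           screen_key_valid("1234"), screen_key_valid("%x"));
    return 0;
}
```

Building with -Wformat -Wformat-security flags the vulnerable call only if the helper carries a format attribute; wrappers like render() hide the problem from the compiler, which is one reason these bugs survive in shipped firmware. Validating the field as numeric, as the Solstice Pod's UI already pretends to, closes the hole regardless of how the value is later formatted.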


Impact-Level:

According to the search engines ZoomEye, Shodan, and FoFa, more than 17,117 Solstice Pods are currently exposed on the public Internet. Because this is an unauthenticated remote DoS vulnerability, the impact is critical.


Vendor response:

1) The vendor Mersive was contacted on Sept 28th.

2) Full details and a video demo were sent at Mersive's request on Oct 8th.

3) Mersive replied on Oct 15th that their dev team is investigating the bug. They were able to confirm it and generate a fix, which will be in the 5.2 release.