Old School Home Automation

While home automation is steadily moving towards embedded devices (the so-called Internet of Things), it wasn’t always this way.  In fact, two of the more popular home automation applications run on Windows.  They’re clunky Visual Basic apps with outdated web interfaces, but they still have a following due to their broad protocol and device support.

The first platform I examined was HAL2000.  This is a VB app that uses the Dart web server to provide the user access to the FoxPro database backend, and middleware for controlling the various home automation sensors and controllers.  As you can see, it’s pretty sexy:

[Image: hal2000]

Okay, not so sexy.  Still, HAL2000 is very feature complete, and sells for only $249.  You can also buy a HAL2000 appliance for a mere $2499.

HAL2000 has many issues.  A quick scan yielded 23 XSS vulnerabilities, and it’s also vulnerable to CSRF.  I also found a probable SQL injection issue, but I have no idea how to exploit SQLi in Visual FoxPro, so that’s tentative.  You can also download database files and logs with direct browsing, such as /WHAT.DBF or /log/DART24012014.log, so there’s really no need to exploit SQLi.  Still, nothing really that interesting.

I almost gave up scanning, then decided to do some manual testing.  HAL2000 has a login form, and authenticated sessions are maintained with the DartSession cookie, which normally contains a GUID-looking value.  As it turns out, if you set this cookie to DartSession=1, it just works.  I have no idea why, but we’ll call that a win.

Second up to bat is HomeSeer.  It’s a VB.NET app with a web front end, and the middleware seems to be implemented as ActiveX controls.  It also sells for $249.

[Image: homeseer]

HomeSeer HS3 is pretty bad, security-wise.  It uses HTTP basic auth, and the default username is “default”.  Authentication is not enabled by default.  Even if it is, it should be fairly simple to brute force the “default” account.

The list of vulns is a who’s who of web exploitation:

Directory traversal:
GET /..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\windows\win.ini

XSS:
GET /EventLog4ad93<script>alert(1)<%2fscript>988899b0c82

CSRF, XSF

File system browser at GET /test

Stored XSS:
Setup -> Custom -> Custom Page Title
(Executed on every page load)

And finally, remote code execution.  If you navigate to Tools->Control Panel, you’ll see a dialog for a script command.  One of the scripting commands is hs.Launch, which, as the name implies, will launch an executable.  I’ve taken the liberty of packaging this up into a Metasploit module which works with Windows 7 and higher (it uses PowerShell).  You could exploit this on Windows XP easily too, though.
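For anyone still running one of these boxes, the request patterns described above (a DartSession cookie that is not GUID-shaped, direct .DBF and /log/ downloads, backslash traversal, script tags in the path) can be flagged from web or proxy logs. The following is an added example, not code from HAL2000, HomeSeer or the original post; the GUID shape, the /index.htm path and the sample records are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumed shape of a legitimate DartSession value (the post only says "GUID looking").
GUID_RE = re.compile(r"^\{?[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}?$")
TRAVERSAL_RE = re.compile(r"\.\.[\\/]")          # ..\ or ../ after decoding
SCRIPT_RE = re.compile(r"<\s*script", re.IGNORECASE)
DATA_FILE_RE = re.compile(r"(\.dbf$|^/log/[^/]+\.log$)", re.IGNORECASE)

def decode(path):
    """Percent-decode repeatedly (bounded) so double-encoded input is still seen."""
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def classify(raw_path, cookie=""):
    """Return the sorted list of findings for one request path and Cookie header."""
    findings = set()
    path = decode(raw_path.split("?", 1)[0])
    if TRAVERSAL_RE.search(path):
        findings.add("traversal")
    if SCRIPT_RE.search(decode(raw_path)):
        findings.add("xss-probe")
    if DATA_FILE_RE.search(path):
        findings.add("data-file-download")
    for part in cookie.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "DartSession" and not GUID_RE.match(value):
            findings.add("non-guid-session")
    return sorted(findings)

# Constructed sample requests (path, Cookie header), not captured traffic.
SAMPLES = [
    ("/index.htm", "DartSession=3f2504e0-4f89-11d3-9a0c-0305e82c3301"),
    ("/index.htm", "DartSession=1"),
    ("/WHAT.DBF", ""),
    ("/log/DART24012014.log", ""),
    ("/..\\..\\..\\windows\\win.ini", ""),
    ("/EventLog4ad93<script>alert(1)<%2fscript>988899b0c82", ""),
]

if __name__ == "__main__":
    for path, cookie in SAMPLES:
        print(path, classify(path, cookie) or "clean")
```

Detection like this only tells you someone is poking at the interface; since authentication is off by default on HomeSeer and bypassable on HAL2000, the practical mitigation is keeping these web interfaces off untrusted networks.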

I hope you enjoyed this journey into old school home automation software.  In future posts, we’ll look at new school home automation and a lot more.
