Credentials leaks in Legrand-003598 / Bticino-F454 SCS Web Gateway

[sxpert <sxpert () sxpert org>]

1. OVERVIEW

Credential leaks lead to complete compromise of home automation
system

2. BACKGROUND

The 2 devices are identical, and act as an IP gateway between
the SCS home automation bus, and an IP network.
The devices uses https for the web-front, and is also open on
port 20000 with an semi open protocol that allows controlling
everything at the owner's location.

3. VULNERABILITY DESCRIPTION

A file

https://[ip address of device]/TiWeb.xml

is directly accessible without requiring credential requests of
any sort, that contains plaintext login and passwords to the device
these credentials are all that's needed to reprogram the entire home
automation system, access video cameras in the installation, control
the burglar alarm, and more.

4. VERSIONS AFFECTED

Firmare 1.00.26

5. PROOF-OF-CONCEPT/EXPLOIT

just head to the url on an affected device. you can find those devices
by searching google for 'top_right_bticino' (and probably 
'top_right_legrand')

6. SOLUTION

upgrade to version 1.00.32 available

http://www.myopen-legrandgroup.com/devices/gateways/m/f454_-_003598/38439.aspx

7. VENDOR

Legrand Group

8. CREDIT

This vulnerability was found by Raphaël Jacquot, an independant 
security researcher

9. DISCLOSURE TIME-LINE

2012-07-23: Vendor Notified
2012-10-02: Vendor published non-vulnerable firmare 1.00.32
2012-10-17: Vulnerability disclosed

Best regards,

Raphaël Jacquot

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/