{"id":95437,"date":"2019-05-30T09:50:39","date_gmt":"2019-05-30T16:50:39","guid":{"rendered":"https:\/\/securingtomorrow.mcafee.com\/?p=95437"},"modified":"2025-06-02T20:59:48","modified_gmt":"2025-06-03T03:59:48","slug":"mr-coffee-with-wemo-double-roast","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mr-coffee-with-wemo-double-roast\/","title":{"rendered":"Mr. Coffee with WeMo: Double Roast"},"content":{"rendered":"

McAfee Advanced Threat Research recently released a blog detailing a vulnerability in the Mr. Coffee Coffee Maker with WeMo. Please refer to the earlier blog<\/a> to catch up with the processes and techniques I used to investigate and ultimately compromise this smart coffee maker. While researching the device, there was always one attack vector that I had wanted to revisit. It was during the writing of that blog that I was finally able to circle back to it. As it turns out, my intuition was accurate; the second vulnerability I found was much simpler and still allowed me to gain root access to the target.<\/p>\n

Recapping the original vulnerability<\/strong><\/h2>\n

The first vulnerability modified the \u201ctemplate\u201d section of the brew schedule rule file, which a is unique file that is sent when the user schedules a brew in advance. I also needed to modify the template itself, sent from the WeMo App directly to the coffee maker. During that research I noticed that many of the other fields could be impactful but did not investigate them as thoroughly as the template field.<\/p>\n

\"\"<\/p>\n

Figure 1: Brew schedule rule<\/em><\/p>\n

When the user schedules a brew, an individual rule is added to the Mr. Coffee root crontab. The crontab entry uses the rule\u2019s \u201cid\u201d field to make sure the correct rule is executed at the desired time.<\/p>\n

\"\"<\/p>\n

Figure 2: Root crontab entry<\/em><\/p>\n

Crontab allows for basic scheduling features from the OS level. The user provides both the command to execute as well as timing details down to the minute, as shown in Figure 3.<\/p>\n

\"\"<\/p>\n

Figure 3: Crontab syntax<\/em><\/p>\n

During the initial research, I started to fuzz the rule id field; however, because every rule name that I placed in the malicious schedule was always prepended by the \u201c\/sbin\/rtng_run_rule\u201d, I could not get anything abnormal to happen. I also noticed that a lot of characters that could be useful for command injection were being filtered.<\/p>\n

The following is a list of characters sanitized or filtered on input.<\/p>\n

\"\"<\/p>\n

At this point I moved on and ended up finding the template vulnerability as laid out in the previous blog<\/a>.<\/p>\n

Finding an even more simple vulnerability<\/strong><\/h2>\n

A few months after disclosing to Belkin, I revisited the steps to achieve this template abuse feature, in preparation for a public disclosure blog. Having the ability to write arbitrary code directly into the root\u2019s crontab is enticing, so I began looking into it again. I needed to find a way to terminate the \u201crtng_run_rule\u201d and add my own commands to the crontab file by modifying the \u201cid\u201d field. The \u201crtng_run_rule\u201d file is a shell script that directly calls a Lua script named \u201crtng_run_rule.lua\u201d. I noticed that I could send the double pipe \u201c||\u201d character but the \u201crtng_run_rule\u201d wrapper script would never return a failing return code. Next, I looked at the how the wrapper script is handling command line arguments as shown below.<\/p>\n

\"\"<\/p>\n

Figure 4: rtng_run_rule wrapper script<\/em><\/p>\n

At this point I created a new rule: \u201c-f|| touch test\u201d. The \u201c-f\u201d is not a parsed argument, meaning it will take the \u201cBad option\u201d case, causing the \u201crtng_run_rule\u201d wrapper script to return \u201c-1\u201d. With the wrapper script returning a failing return code, the \u201c||\u201d (or) statement is initiated, which executes \u201ctouch test\u201d and creates an empty file named \u201ctest\u201d. Since I still had serial access (I explain in detail in my previous blog how I achieved this) I was able to log in to the coffee maker and find where the \u201ctest\u201d file was located. I found it in root\u2019s home directory.<\/p>\n

Being able to write arbitrary files and execute commands without the \u201c\/\u201d character is still somewhat limiting, as most file paths and web URLs will need forward slashes. I needed to find a way to execute commands that had \u201c\/\u201d characters in them. I decided to do this by downloading a file from a webserver I control and executing it in Ash to bypass file path sanitization characters.<\/p>\n

\"\"<\/p>\n

Figure 5: Commands allowing for execution of filtered characters.<\/em><\/p>\n

Let me break this down. The \u201c-f\u201d as indicated before will cause the wrapper script to execute the \u201c||\u201d command. Then the \u201cwget\u201d command will initiate a download from my web server, located at IP address \u201c172.16.127.31.\u201d The \u201c-q\u201d will force wget to only print what it receives, and the \u201c-O -\u201c tells wget to print to STDOUT instead of a file. Finally, the \u201c| ash\u201d command grabs all the output from STDOUT and executes it as Linux shell commands.<\/p>\n

This way I can set up a server that simply returns a file containing necessary Linux commands and host it on my local machine. When I send the rule with the above command injection it will reach out to my local server and execute everything as root. The technique of piping wget into Ash also bypasses all the character filtering so I can now execute any command I want.<\/p>\n

Status with Vendor<\/strong><\/h2>\n

Belkin did patch the original template vulnerability and released new firmware. The vulnerability explained in this blog was found on the new firmware and, as of today, we have not heard of any plans for a patch. This vulnerability was disclosed to Belkin on February 25th<\/sup>, 2019. In accordance with our vulnerability disclosure policy<\/a>, we are releasing details of this flaw today in hopes of alerting consumers of the device of the ongoing security findings. While this bug is also within the Mr. Coffee with WeMo\u2019s scheduling function, it is much easier for an attacker to leverage since it does not require any modifications to templates or rehashing of code changes.The following demo video shows how this vulnerability can be used to compromise other devices on the network, including a fully patched Windows 10 PC.<\/p>\n