The contents of this repository were produced by Abdullah Ansari during his time at WithSecure. All contents are licensed to WithSecure as described in the attached license file within this repository.
Welcome to the ๐คฆโโ๏ธ megafeis-palm ๐คฆโโ๏ธ repository. This repo contains proof-of-concept (PoC) code for vulnerabilities I discovered in the DBD+ mobile companion app (Archive) (<=1.4.4) during my internship at WithSecure. The app was designed to control MEGAFEIS-branded smart locks sold on Amazon (Archive), which included model numbers:
These PoCs were tested and proven effective on all of the aforementioned smart lock models.
If you have any feedback or encounter any issues, feel free to reach out or create an issue.
- CVE-2022-45636 - Insecure Authorization Scheme for API Requests in DBD+ Mobile Companion Application for Megafeis Smart Locks
- CVE-2022-45637 - Insecure Password Reset Code Expiry Mechanism for Megafeis Smart Locks
- CVE-2022-45634 - Username Disclosure Vulnerability in DBD+ Application Used by Megafeis Smart Locks
- CVE-2022-45635 - Insecure Password Policy & Lack of Rate Limiting on Megafeis Smart Lock API Server
| Date | Summary |
|---|---|
| 2022-08-05 | 1st Vendor Outreach |
| 2022-08-23 | 2nd Attempt at Vendor Outreach |
| 2022-11-16 | MITRE notified; CVE IDs requested |
| 2023-01-31 | CVEs Assigned |
| 2023-03-03 | Advisories Published |
If you encounter any issues, please raise them here in this repository. Before that however, be sure that nothing mentioned below is causing your error.
- Please make sure that you have cloned the entire repo before executing any individual exploits.
- There is an error in your arguments. Please see the example commands before execution.
- You must be connected to the internet!
- You are using non-US phone numbers in the PoC script for CVE-2022-45637.
- The back-end HTTP API has been patched by MEGAFEIS.
When contributing to this repository, please discuss the changes you wish to make via issue or email.
This project is only for educational purposes. Any mischief conducted with this project is the user's own responsibility. I hereby forfeit responsibility for any illegal actions.
Reverse engineering the DBD+ application to figure out how the signing keys for back-end API requests were being generated was incredibly frustrating and tedious as a first timer. Without the encouragement and guidance of Ken Gannon, one of my many brilliant mentors at WithSecure, I probably wouldn't have been able to crack the code.
I'd also like to give many thanks to Ben Berkowitz and Adam Pilkey for playing a major role in the disclosure of these vulnerabilities and the publishing of my research well after my internship concluded.
Technical Analysis:
Advisories:
Research Bulletin:
Author - Abdullah Ansari
Contact Info - Email
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent