CVE-2013-4863
Published: 2020-01-28
Priority: P183 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 12.18% (95.6th percentile)
The HomeAutomationGateway service in MiCasaVerde VeraLite with firmware 1.5.408 allows (1) remote attackers to execute arbitrary Lua code via a RunLua action in a request to upnp/control/hag on port 49451 or (2) remote authenticated users to execute arbitrary Lua code via a RunLua action in a request to port_49451/upnp/control/hag.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| micasaverde | veralite_firmware | — | — |
Detection & IOCs (extracted from sources)
Command: os.execute("echo 'backdoor%3a%3a0%3a0%3aBackdoor Root Account%3a/tmp%3a/bin/ash' %3e%3e /etc/passwd")
- Detect unauthenticated RunLua SOAP action requests to port 49451 on path /upnp/control/hag, the core unauthenticated RCE vector for CVE-2013-4863.
- Alert on HTTP POST requests containing the SOAPACTION header value 'urn:schemas-micasaverde-org:service:HomeAutomationGateway:1#RunLua' targeting port 49451.
- Detect reverse shell patterns in Lua code payloads: mkfifo combined with nc (netcat) piped through /bin/sh, delivered via SOAP RunLua action.
- Use Nessus plugin 93911 to actively test for the VeraLite UPnP RunLua vulnerability.
- The exploit chain combining CVE-2013-4863 with CVE-2016-6255 (arbitrary file write in libupnp 1.6.6) enables WAN-side exploitation via a crafted webpage visited by a LAN user, extending the attack surface beyond the local network.
- The authenticated variant of the vulnerability uses the path /port_49451/upnp/control/hag (proxied through the web interface), while the unauthenticated variant targets port 49451 directly at /upnp/control/hag.
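The request-level checks from the bullets above, combined into one classifier; this is an added Python example, not code from this page or its sources. The SOAP action string, both paths and the port come from the page; `classify`, `build`, the finding labels and the sample requests are constructed for illustration.

```python
import re
from urllib.parse import unquote

RUNLUA = "urn:schemas-micasaverde-org:service:HomeAutomationGateway:1#RunLua"
DIRECT = "/upnp/control/hag"               # unauthenticated variant, port 49451
PROXIED = "/port_49451/upnp/control/hag"   # authenticated variant via the web UI
SHELL_TOKENS = (r"\bmkfifo\b", r"\bnc\b", r"/bin/sh\b")

def classify(raw: str, dst_port: int) -> list:
    """Return finding labels (assumed names) for one raw HTTP request."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0].upper() != "POST":
        return []
    # Header names are case-insensitive; the SOAPACTION value is often quoted.
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip().strip("\"'")
    if headers.get("soapaction") != RUNLUA:
        return []
    # Normalise the path: drop the query, percent-decode, collapse "//".
    path = re.sub(r"/{2,}", "/", unquote(parts[1].split("?", 1)[0]))
    findings = []
    if path == DIRECT and dst_port == 49451:
        findings.append("runlua-unauthenticated")
    elif path == PROXIED:
        findings.append("runlua-proxied")
    else:
        findings.append("runlua-unexpected-path")
    # Payloads may arrive percent-encoded, so decode before matching.
    decoded = unquote(body)
    if all(re.search(tok, decoded) for tok in SHELL_TOKENS):
        findings.append("shell-pattern-in-lua")
    return findings

def build(path, action, body):  # constructed sample requests, not captured traffic
    return (f"POST {path} HTTP/1.1\r\nHost: 192.0.2.10\r\n"
            f"SoapAction: \"{action}\"\r\nContent-Type: text/xml\r\n\r\n{body}")

SAMPLES = [
    (build(DIRECT, RUNLUA, "<Code>luup.log('x')</Code>"), 49451),
    (build("/port_49451//upnp/control/hag", RUNLUA,
           "<Code>mkfifo X; nc X; /bin/sh</Code>"), 80),  # inert marker tokens only
    (build(DIRECT, RUNLUA.replace("RunLua", "OtherAction"), ""), 49451),
]

if __name__ == "__main__":
    for raw, port in SAMPLES:
        print(port, classify(raw, port))
```
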
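CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
| vulncheck | | 8.8 | HIGH | |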
GHSA
GHSA-fxg9-9cmj-2228: The HomeAutomationGateway service in MiCasaVerde VeraLite with firmware 1
ghsa_unreviewed·2022-05-05
CVE-2013-4863 [HIGH] GHSA-fxg9-9cmj-2228: The HomeAutomationGateway service in MiCasaVerde VeraLite with firmware 1
The HomeAutomationGateway service in MiCasaVerde VeraLite with firmware 1.5.408 allows (1) remote attackers to execute arbitrary Lua code via a RunLua action in a request to upnp/control/hag on port 49451 or (2) remote authenticated users to execute arbitrary Lua code via a RunLua action in a request to port_49451/upnp/control/hag.
VulnCheck
micasaverde veralite_firmware Improper Authentication
vulncheck·2013·CVSS 8.8
CVE-2013-4863 [HIGH] micasaverde veralite_firmware Improper Authentication
The HomeAutomationGateway service in MiCasaVerde VeraLite with firmware 1.5.408 allows (1) remote attackers to execute arbitrary Lua code via a RunLua action in a request to upnp/control/hag on port 49451 or (2) remote authenticated users to execute arbitrary Lua code via a RunLua action in a request to port_49451/upnp/control/hag.
Affected: micasaverde veralite_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.researchgate.net/publication/348602660_An_analysis_of_the_use_of_CVEs_by_IoT_malware
Exploit PoC: https://vulncheck.com/xdb/527893ef5ba2
No detection rules found.
Exploit-DB
MiCasaVerde VeraLite - Remote Code Execution
exploitdb·2016-10-20·CVSS 8.8
CVE-2013-4863 [HIGH] MiCasaVerde VeraLite - Remote Code Execution
---
# Exploit Title: MiCasa VeraLite Remote Code Execution
# Date: 10-20-2016
# Software Link: http://getvera.com/controllers/veralite/
# Exploit Author: Jacob Baines
# Contact: https://twitter.com/Junior_Baines
# CVE: CVE-2013-4863 & CVE-2016-6255
# Platform: Hardware
1. Description
A remote attacker can execute code on the MiCasa VeraLite if someone on the same LAN as the VeraLite visits a crafted webpage.
2. Proof of Concept
/**
* POSTS a page to ip:49451/z3n.html. If the target is a vulnerable
* libupnp then the page will be written. Once the request has
* completed, we attempt to load it in an iframe in order to bypass
* same origin policy. If the page is loaded into the iframe then
* it will make a soap action request with the ac
Exploit-DB
MiCasaVerde VeraLite 1.5.408 - Multiple Vulnerabilities
exploitdb·2013-08-02·CVSS 6.5
CVE-2013-4865 [MEDIUM] MiCasaVerde VeraLite 1.5.408 - Multiple Vulnerabilities
---
Trustwave SpiderLabs Security Advisory TWSL2013-019:
Multiple Vulnerabilities in MiCasaVerde VeraLite
Published: 08/01/13
Version: 1.0
Vendor: MiCasaVerde (http://www.micasaverde.com/)
Product: VeraLite
Version affected: 1.5.408
Product description:
The MiCasaVerde VeraLite is the budget model from MiCasaVerde, a product
which centralizes control over home automation devices such as door locks,
window blinds, security cameras, smoke detectors, HVAC systems, lights,
etc.
Finding 1: Path Traversal
*****Credit: Daniel Crowley of Trustwave SpiderLabs
CVE: CVE-2013-4861
CWE: CWE-23
The VeraLite has a path traversal vulnerability allowing for disclosure of
arbitrary files. This allows an attacker to retrieve the contents of any
f
Tenable
Do You Know Where Your UPnP Is?
blogs_tenable·2016-10-20
# Do You Know Where Your UPnP Is?
Jacob Baines
October 20, 2016
Much has been said about the security of Universal Plug and Play (UPnP) over the years. There have been FBI warnings, security researchers have published papers, and even Forbes has told us to disable UPnP. But how do you know if UPnP servers are on your network? Are there specific services we should worry about? Do we really need to be concerned about UPnP?
### Finding UPnP services
To answer some of these questions, Tenable wrote a simple Python script called upnp_info.py. You can find it on our GitHub. The script finds all UPnP services and enumerates their functionality. Check out the README for full details.
Some of you may be thinking, “I don’t need that script. I know I disabled UPn
http://packetstormsecurity.com/files/122654/MiCasaVerde-VeraLite-1.5.408-Traversal-Authorization-CSRF-Disclosure.html
http://www.exploit-db.com/exploits/27286
https://www3.trustwave.com/spiderlabs/advisories/TWSL2013-019.txt