Gardyn 4 Remote Code Execution Vulnerability via Insecure Azure IoTHub Connection String Transmission
Vulnerability
A vulnerability in Gardyn 4 allows remote attackers to execute arbitrary code by exploiting the insecure transmission of the device's Azure IoTHub connection string. The device downloads the connection string every 30 seconds from a fixed server over unencrypted HTTP, so it is neither confidential nor integrity-protected in transit. A man-in-the-middle attacker can intercept and modify the connection string so that it points to an IoTHub under their control. Once the device connects to the attacker's IoTHub, the attacker can use the IoTHub API to send management commands that execute arbitrary code on the device.
Impact
Exploitation of this vulnerability leads to unauthorized remote access and control over the affected device, allowing for the execution of arbitrary code. This could result in a complete takeover of the device, with potential further implications for other devices on the same local area network.
Reproduction
To reproduce this vulnerability, first, observe the insecure HTTP request from the Gardyn device to the Azure server. Then, create an Azure IoTHub account and set up a device using the existing device ID and shared access key. After that, redirect the Gardyn device to your IoTHub by poisoning DNS requests to the Azure server, which will allow the device to check in with the attacker's IoTHub. Once the device has connected, access can be gained through the IoTHub API, either by using the 'run_cli' command to execute shell commands or by injecting commands into the 'upgrade' command, which is vulnerable to command injection.
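A defender-side check against the mechanism described above, written as an added example (not Gardyn's code): it refuses to fetch a connection string over anything but HTTPS from an allow-listed host, and it pins the hub hostname and device ID so a substituted connection string is rejected before the device ever connects. The expected hostname, device ID and configuration host are placeholders, not values from the advisory.

```python
"""Hardened handling of an Azure IoT Hub device connection string.

Added example, not Gardyn's code. 'HostName=...;DeviceId=...;SharedAccessKey=...'
is the standard Azure IoT Hub device connection string format. The expected hub
hostname and device ID are assumed to be provisioned on the device at manufacture
time; the values below are placeholders.
"""
from urllib.parse import urlsplit

EXPECTED_HOSTNAME = "example-hub.azure-devices.net"  # placeholder, provisioned on device
EXPECTED_DEVICE_ID = "gardyn-device-0001"            # placeholder, provisioned on device
ALLOWED_CONFIG_HOSTS = ("config.example.com",)       # placeholder, where the string is fetched


def parse_connection_string(cs: str) -> dict:
    """Split 'Key=Value;Key=Value' into a dict. Values (the base64 key) may contain '='."""
    fields = {}
    for part in cs.strip().split(";"):
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed field: {part!r}")
        fields[key] = value
    return fields


def validate_connection_string(cs: str, expected_hostname: str = EXPECTED_HOSTNAME,
                               expected_device_id: str = EXPECTED_DEVICE_ID) -> bool:
    """Accept only a string that steers the device to the provisioned hub.

    The MITM in the advisory keeps the device ID and key but swaps HostName for an
    attacker-owned hub, so an exact hostname pin is the decisive check.
    """
    try:
        fields = parse_connection_string(cs)
    except ValueError:
        return False
    if any(k not in fields for k in ("HostName", "DeviceId", "SharedAccessKey")):
        return False
    if fields["HostName"].lower() != expected_hostname.lower():  # blocks other hubs and lookalikes
        return False
    return fields["DeviceId"] == expected_device_id


def config_url_is_acceptable(url: str, allowed_hosts=ALLOWED_CONFIG_HOSTS) -> bool:
    """Root cause in the advisory is a plaintext HTTP fetch: require https and a known host."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname in allowed_hosts
```

Pinning the hub hostname on the device does not replace transport security; the HTTPS requirement is what stops the string from being read or altered in transit in the first place.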
