Gardyn 4 Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability exists in Gardyn 4 due to insecure transmission of the Azure IoTHub connection string. Every 30 seconds the device downloads this string from a specified server over unencrypted HTTP, so an attacker who can intercept the request can replace the connection string with one for an IoTHub they control. Once the device connects to that IoTHub, the attacker can execute arbitrary code through the IoTHub API's direct management command capabilities: the 'run_cli' command executes shell commands directly, and the 'upgrade' command is vulnerable to command injection.
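A defensive check for the weakness described above, as an added example that is not part of this advisory or of Gardyn's firmware: it parses a freshly downloaded IoTHub connection string and rejects it unless it arrived over TLS, names the hub the device was pinned to, and carries the device's own ID. The device ID, hub hostname and URLs are constructed placeholders.

```python
from urllib.parse import urlparse

# Constructed placeholders (not from the advisory): the identity this device
# was provisioned with and the only hub it is allowed to connect to.
EXPECTED_DEVICE_ID = "gardyn-device-0001"
ALLOWED_HUBS = {"example-hub.azure-devices.net"}


def parse_connection_string(conn: str) -> dict:
    """Split 'HostName=...;DeviceId=...;SharedAccessKey=...' into a dict.

    Duplicate or key-only parts raise instead of being merged quietly,
    so a tampered string cannot smuggle in a second HostName.
    """
    parts = {}
    for item in conn.strip().split(";"):
        if not item:
            continue
        key, sep, value = item.partition("=")
        if not sep or not key or not value or key in parts:
            raise ValueError(f"malformed part: {item!r}")
        parts[key] = value
    return parts


def validate_fetched_connection_string(source_url: str, conn: str) -> list:
    """Return policy violations for a downloaded connection string.

    An empty list means the device may use it; anything else means the
    string must be discarded and the existing hub connection kept.
    """
    problems = []
    # Plaintext HTTP is what lets an on-path attacker rewrite the string.
    if urlparse(source_url).scheme != "https":
        problems.append("fetched without TLS")
    try:
        parts = parse_connection_string(conn)
    except ValueError as exc:
        return problems + [str(exc)]
    for required in ("HostName", "DeviceId", "SharedAccessKey"):
        if required not in parts:
            problems.append(f"missing {required}")
    # Pinning the hub defeats redirection to a foreign IoTHub even when the
    # transport itself has been tampered with.
    host = parts.get("HostName", "").lower()
    if host and host not in ALLOWED_HUBS:
        problems.append(f"HostName {host!r} is not the pinned hub")
    if "DeviceId" in parts and parts["DeviceId"] != EXPECTED_DEVICE_ID:
        problems.append("DeviceId does not match this device")
    return problems
```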

Impact

Exploitation of this vulnerability allows for remote system-level access to the Gardyn device, with a complete loss of confidentiality, integrity, and availability. This access can be used to gain an initial foothold in a local area network, potentially leading to further attacks.

Reproduction

To reproduce this vulnerability, first observe the insecure HTTP request from the Gardyn device to the Azure server. Then create an Azure IoTHub account and set up a device using the existing device ID and shared access key. Next, redirect the Gardyn device to that IoTHub by poisoning its DNS requests for the Azure server. Once the device checks in with the attacker-controlled IoTHub, it can be taken over: access can be gained through the 'run_cli' command or by injecting commands into the 'upgrade' command via the direct management command API.

Added: Jul 25, 2025, 8:37 PM
Updated: Jul 25, 2025, 8:37 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 7.6
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.