Arlo Basestation Firmware Multiple Vulnerabilities

Insufficient UART Protection Mechanisms

A malicious actor with physical access to the device is able to connect to the UART port via a serial connection, login with default credentials, and execute commands as the root user. These default credentials are "ngroot":"ngbase".

With physical access, connecting to the serial port is relatevily trivial as it immediately drops the user to a login prompt. While the UART credentials (UART_username and UART_passwd) are encrypted in the nvram entries, the encryption key is hardcoded on the device via the PASS_ENC (GEARNET) environment variable (which is cleared after the initial boot and nvram encryption).

(AV:L/AC:L/Au:N/C:C/I:C/A:C)

Networking Misconfiguration

The base station contains two networking interfaces: an interface reserved for the internal camera network and an interface reserved for connection to the external LAN (typically the home network the base station operates from).

When connected to the same LAN as the base station, when specifying the base station as our gateway (or by adding the appropriate route to our routing table), we are able to hit the interface used for the internal camera network. This allows an attacker to probe additional services bound to this interface. In particular, the default http listener deployed by "vzdaemon" contains a "passthru" api endpoint that allows the arbitrary download or upload of files on the device. For example, simply calling "http://<internal ip of interface>/passthru/tmp/system-log" allows an attacker to download the primary logfile used for the device. While this proof of concept doesn't illustrate the most significant impact this issue can have, it nicely illustrates the functionality and demonstrates an easy test case when patching.

As "vzdaemon" runs as root, the capabilities of this passthru api endpoint could allow an attacker to completely take over the device.

(AV:A/AC:L/Au:N/C:C/I:C/A:C)

Hardcoded Private Key in Firmware Decryption

The "fwupgrade" utility on the base station contains hardcoded RSA private/public key pairs and the decryption process is now easily reversed.

----BEGIN RSA PRIVATE KEY----
MIIEpQIBAAKCAQEAxqsUswSN425Toar394cE3hf//+XlBfR5cZwpODHBj+X6UZRe
kJNlZoRH0c72D27blNf8dG2TjxsJOHm+gkoCbBz0a9ORenGNrZGZECJYDLH0MVcm
klyyh/z8cyBrMtqRiPoWzYaPN48snuUHFsF/JOVu3OIavFdu7MAGLRQ32dJeQ8Ou
ljlUK/hALVzzGseYuXHdVsj8TNIFqIvKlfMOB7T9biI8NxIoDNb8v3riHmkgSFbs
<...snipped...>
4r9QexyyduTLUQIn6MWvosMj8eG4Qp8yaLROmkb+OcJVSAX4uCp7xFNv2dT3OW++
yHcjHyECgYEAtQYGaDBpyjIgEJvAVSy0awv3zik3Ks/c5Wz4nHBV/kTB0xo5SzvM
InLrrHPVa/7oa3NMzZ5140pWuwS62rvrF7JX2kRaJ7vi3UVqmwGxGf2s9MoocS98
iSAZXhQ21meqgu5KMiLIpshrEubd3CPtq6to+yicoqXvOQ0v3DaMndU=
----END RSA PRIVATE KEY----

----BEGIN PUBLIC KEY----
MIIDRjCCAjkGByqGSM44BAEwggIsAoIBAQCPJ9cjoVgpXihsTEvSM2Murt7KBLhd
+qE0YReJWuY2JD3KbHOv6iTXSIjFKmlUR31NGhJ1FTvak5c01/mt88OXkdzRhoFy
iM49kWyx0NRntnHk8gcJFKZ29/+c+2kCHR3H2qA9ldhPEgP5xuLttui8Bd2FNKla
<...snipped...>
zZIlO6sNqrjnGBdcjmaU1N/pabNNsxwxFY/NtT5l3xInJEKUwBC/m0dUrOYqQ3pm
ljupxzfME60EEmitRXAPvgPcDyUYGqXpj9+P1vL2ANHT2tjNYk+dJJokgYmLryHs
kfHPzmcDKe0K3A7Ik/JN08TFeZZ1jkVGfwkU2Mygnkg+TU5Nc/S0irwavNf0yPdM
zv82QkIx0KB7c8mEoUTlHAnmP+cJN6yncpVAHEDgK+s+EHRHF6tYkN6V1bDgWbSd
e3jhuLWvHUjC+O9CWvekug/JjdkHJw40bUE=
----END PUBLIC KEY----