Strumpf Noir Society Advisories

! Public release !

<--#





-= HomeSeer Directory Traversal Vulnerability =-



Release date: Thursday, December 7, 2000





Introduction:



HomeSeer is home automation software for Windows 2000, Windows NT,

Windows 98, and Windows 95 that uses inexpensive X10 technology to

control your lights, appliances, and audio/video equipment. A webserver

is build in, allowing you to even remote control your appliances over

the Internet.



HomeSeer can be found at vendor Keware's website,

http://www.keware.com





Problem:



Adding the string "../" to an URL allows an attacker to files outside

of the webserver's publishing directory. This allows read access to any

file on the server. Example: http://localhost:80/../../../autoexec.bat

reads the file "autoexec.bat" from the partition's root dir.





(..)





Solution:



Vendor has been notified and has acknowledged this problem. It has been

fixed in the 1.4.29 (beta-)version of the HomeSeer software which is

availble from http://www.keware.com/kewarebeta.htm and will be included

in the future 1.5 release.



This was tested against HomeSeer 1.4. Older versions can be expected to

vulnerable, users are encouraged to upgrade.





yadayadayada



SNS Research is rfpolicy (http://www.wiretrip.net/rfp/policy.html)

compliant, all information is provided on AS IS basis.



EOF, but Strumpf Noir Society will return!