http://gpsui.net complete take over of all managed tracking devices

The site gpsui.net, which hosts the master server for (to our knowledge) around 615,817 GSM and GPS location tracking devices, is vulnerable to multiple authorization bypasses. These allow horizontal escalation of privileges, which leads to the disclosure of all location tracking information stored by the site as well as control over all connected devices. This includes, but is not limited to, pushing commands to the connected devices.

This is especially worrisome because the site is also used by location trackers with embedded microphones. An attacker could push commands that register a new remote phone number on a device and set it to call that number whenever the surrounding noise level surpasses a particular threshold. This would not only allow an attacker to listen in on the 615,817 devices, but could also allow him to monetize them by making them call an attacker-controlled service number and thereby profiting from the service fees.

If a user has set a reply phone number via the push commands feature of the web interface, this phone number can also be extracted. We did not, however, find a way to extract phone numbers directly otherwise.

Details

Alternate services

The same vulnerabilities are present at http://vmui.net, which accepts the same login credentials as gpsui.net and shares the same device database.

Impact

An attacker can:

  * get the location (including unlimited history) of all tracking devices managed by gpsui.net
  * change the settings of all tracking devices managed by gpsui.net
  * push commands to all tracking devices managed by gpsui.net

Steps to reproduce:

  1. The attacker must first log in to the site http://gpsui.net to obtain the PHP session cookie value (PHPSESSID).

  2. The sn POST parameter in the above listed query URLs can be set to any user number (SN), thereby accessing that user's data and acting as that user.

PoCs

To verify these findings you can test the following proof of concept exploits.

Dump some device statuses

The following bash script uses curl to dump the device status of all users of the site. The device status includes the device’s last (estimated) GPS position.

#!/bin/bash
echo "usage: poc.sh <PHPSESSID value>"
echo "Dumping gpsui.net ..."
for i in {300000..400000}; do # dumping SN's between 300k and 400k
    echo -n "${i}: " # print SN
    curl ######################################### REDACTED ###################################
    echo
done

Running this PoC should produce the following:

$ ./poc-dumpall-getdevicestatus.sh dhlgku54jhnej2kr0h4hisk9t2
usage: poc.sh <PHPSESSID value>
Dumping gpsui.net ...
300000: [{"sn":"300000","time":"1500370858","battery":"100","charging":"0","gsmsignal":"0","gpssignal":"0","temperature":"0","lat":"44.REDACTED","lon":"125.REDACTED","radius":"1"}]
300001: [{"sn":"300001","time":"0","battery":"100","charging":"0","gsmsignal":"0","gpssignal":"0","temperature":"0","lat":null,"lon":null,"radius":"1"}]
300002: [{"sn":"300002","time":"0","battery":"0","charging":"0","gsmsignal":"0","gpssignal":"0","temperature":"0","lat":null,"lon":null,"radius":"1"}]
300003: [{"sn":"300003","time":"0","battery":"19","charging":"0","gsmsignal":"0","gpssignal":"0","temperature":"0","lat":null,"lon":null,"radius":"1"}]
...

Dump location history of one user

The following bash script uses curl to dump the location history of one particular user.

#!/bin/bash
echo "usage: poc.sh <PHPSESSID value> <SN of victim> <YYYY-MM-DD>"
echo -n "${2}: "
curl ####################################### REDACTED ############################
echo

The other vulnerable URLs can be exploited in the same fashion.

Mitigation

Mitigation by the user is not possible because the affected tracking devices connect to gpsui.net automatically when active. Our suggestion is to stop using the devices for sensitive tracking purposes until a fix is available. Unfortunately, there is no option for the user to delete the stored tracking history from the server, so all users remain exposed until the vendor releases a fix.

The following request URLs are NOT vulnerable and can aid the vendor in fixing the others:

  * http://gpsui.net/vmui.php/Group/devicemanagelist
  * http://gpsui.net/vmui.php/Group/groupmanagelist
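The root cause above is that per-device endpoints trust the client-supplied sn instead of deriving authorization from the session. The following is an added example, not gpsui.net's code, of the server-side ownership check such an endpoint needs, plus a simple per-session counter that makes SN enumeration visible; the device table, status records, Session class and threshold are all constructed for illustration.

```python
# Added example (not the site's code): ownership check for a per-device
# endpoint such as getdevicestatus, with a per-session count of refused SNs
# so that sequential probing of SNs stands out. All data below is constructed.
from dataclasses import dataclass, field

# Constructed device table: SN -> owning user id.
DEVICE_OWNER = {"300000": "alice", "300001": "alice", "300002": "bob"}

# Constructed device status records, keyed by SN.
DEVICE_STATUS = {
    "300000": {"sn": "300000", "battery": "100", "lat": "44.0", "lon": "125.0"},
    "300001": {"sn": "300001", "battery": "100", "lat": None, "lon": None},
    "300002": {"sn": "300002", "battery": "0", "lat": None, "lon": None},
}

ENUMERATION_THRESHOLD = 3  # distinct foreign SNs per session before flagging


@dataclass
class Session:
    """Server-side state bound to the PHPSESSID-style cookie (constructed)."""
    user: str
    denied_sns: set = field(default_factory=set)


class Forbidden(Exception):
    pass


def get_device_status(session: Session, sn: str) -> dict:
    """Return the device status only if the session's user owns this SN.

    Unknown SNs are refused exactly like foreign ones, so the response does
    not reveal whether an SN exists.
    """
    owner = DEVICE_OWNER.get(sn)
    if owner != session.user:
        # Remember the refused SN so repeated probing is visible to detection.
        session.denied_sns.add(sn)
        raise Forbidden(f"sn {sn} is not owned by {session.user}")
    return DEVICE_STATUS[sn]


def looks_like_enumeration(session: Session) -> bool:
    """True once one session has been refused for many distinct SNs."""
    return len(session.denied_sns) >= ENUMERATION_THRESHOLD
```

The same check applies to the settings and push-command endpoints: every request that names an SN must be refused unless that SN belongs to the logged-in user.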

Timeline