AVE DOMINAplus <=1.10.x Authentication Bypass Exploit

2019-12-27T00:00:00

Description

Title: AVE DOMINAplus <=1.10.x Authentication Bypass Exploit Advisory ID: [ZSL-2019-5549](<ZSL-2019-5549.php>) Type: Local/Remote Impact: System Access, Security Bypass Risk: (5/5) Release Date: 27.12.2019 ##### Summary DOMINAplus - Sistema Domotica Avanzato. Advanced Home Automation System. Designed to revolutionize your concept of living. DOMINA plus is the AVE home automation proposal that makes houses safer, more welcoming and optimized. In fact, our home automation system introduces cutting-edge technologies, designed to improve people's lifestyle. DOMINA plus increases comfort, the level of safety and security and offers advanced supervision tools in order to learn how to evaluate and reduce consumption through various solutions dedicated to energy saving. ##### Description DOMINAplus suffers from an authentication bypass vulnerability due to missing control check when directly calling the autologin GET parameter in changeparams.php script. Setting the autologin value to 1 allows an unauthenticated attacker to permanently disable the authentication security control and access the management interface with admin privileges without providing credentials. ##### Vendor AVE S.p.A. - <https://www.ave.it> ##### Affected Version Web Server Code 53AB-WBS - 1.10.62 Touch Screen Code TS01 - 1.0.65 Touch Screen Code TS03x-V | TS04X-V - 1.10.45a Touch Screen Code TS05 - 1.10.36 Models: 53AB-WBS TS01 TS03V TS04X-V TS05N-V App version: 1.10.77 App version: 1.10.65 App version: 1.10.64 App version: 1.10.62 App version: 1.10.60 App version: 1.10.52 App version: 1.10.52A App version: 1.10.49 App version: 1.10.46 App version: 1.10.45 App version: 1.10.44 App version: 1.10.35 App version: 1.10.25 App version: 1.10.22 App version: 1.10.11 App version: 1.8.4 App version: TS1-1.0.65 App version: TS1-1.0.62 App version: TS1-1.0.44 App version: TS1-1.0.10 App version: TS1-1.0.9 ##### Tested On GNU/Linux 4.1.19-armv7-x7 GNU/Linux 3.8.13-bone50/bone71.1/bone86 Apache/2.4.7 (Ubuntu) Apache/2.2.22 (Debian) PHP/5.5.9-1ubuntu4.23 PHP/5.4.41-0+deb7u1 PHP/5.4.36-0+deb7u3 ##### Vendor Status [06.10.2019] Vulnerability discovered. [14.10.2019] Vendor contacted. [20.10.2019] No response from the vendor. [21.10.2019] Vendor contacted. [26.12.2019] No response from the vendor. [27.12.2019] Public security advisory released. ##### PoC [dominaplus_disableauth.txt](<../../codes/dominaplus_disableauth.txt>) ##### Credits Vulnerability discovered by Gjoko Krstic - <[gjoko@zeroscience.mk](<mailto:gjoko@zeroscience.mk>)> ##### References [1] <https://packetstormsecurity.com/files/155762> [2] <https://www.exploit-db.com/exploits/47822> [3] <https://exchange.xforce.ibmcloud.com/vulnerabilities/173619> [4] <https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-21991> [5] <https://nvd.nist.gov/vuln/detail/CVE-2020-21991> [6] <https://security-tracker.debian.org/tracker/CVE-2020-21991> ##### Changelog [27.12.2019] - Initial release [29.12.2019] - Added reference [1] [24.01.2020] - Added reference [2] and [3] [19.06.2021] - Added reference [4], [5] and [6] ##### Contact Zero Science Lab Web: <http://www.zeroscience.mk> e-mail: [lab@zeroscience.mk](<mailto:lab@zeroscience.mk>)

{"id": "ZSL-2019-5549", "vendorId": null, "type": "zeroscience", "bulletinFamily": "exploit", "title": "AVE DOMINAplus <=1.10.x Authentication Bypass Exploit", "description": "Title: AVE DOMINAplus <=1.10.x Authentication Bypass Exploit \nAdvisory ID: [ZSL-2019-5549](<ZSL-2019-5549.php>) \nType: Local/Remote \nImpact: System Access, Security Bypass \nRisk: (5/5) \nRelease Date: 27.12.2019 \n\n\n##### Summary\n\nDOMINAplus - Sistema Domotica Avanzato. Advanced Home Automation System. Designed to revolutionize your concept of living. DOMINA plus is the AVE home automation proposal that makes houses safer, more welcoming and optimized. In fact, our home automation system introduces cutting-edge technologies, designed to improve people's lifestyle. DOMINA plus increases comfort, the level of safety and security and offers advanced supervision tools in order to learn how to evaluate and reduce consumption through various solutions dedicated to energy saving. \n\n##### Description\n\nDOMINAplus suffers from an authentication bypass vulnerability due to missing control check when directly calling the autologin GET parameter in changeparams.php script. Setting the autologin value to 1 allows an unauthenticated attacker to permanently disable the authentication security control and access the management interface with admin privileges without providing credentials. \n\n##### Vendor\n\nAVE S.p.A. - <https://www.ave.it>\n\n##### Affected Version\n\nWeb Server Code 53AB-WBS - 1.10.62 \nTouch Screen Code TS01 - 1.0.65 \nTouch Screen Code TS03x-V | TS04X-V - 1.10.45a \nTouch Screen Code TS05 - 1.10.36 \nModels: 53AB-WBS \nTS01 \nTS03V \nTS04X-V \nTS05N-V \nApp version: 1.10.77 \nApp version: 1.10.65 \nApp version: 1.10.64 \nApp version: 1.10.62 \nApp version: 1.10.60 \nApp version: 1.10.52 \nApp version: 1.10.52A \nApp version: 1.10.49 \nApp version: 1.10.46 \nApp version: 1.10.45 \nApp version: 1.10.44 \nApp version: 1.10.35 \nApp version: 1.10.25 \nApp version: 1.10.22 \nApp version: 1.10.11 \nApp version: 1.8.4 \nApp version: TS1-1.0.65 \nApp version: TS1-1.0.62 \nApp version: TS1-1.0.44 \nApp version: TS1-1.0.10 \nApp version: TS1-1.0.9 \n\n##### Tested On\n\nGNU/Linux 4.1.19-armv7-x7 \nGNU/Linux 3.8.13-bone50/bone71.1/bone86 \nApache/2.4.7 (Ubuntu) \nApache/2.2.22 (Debian) \nPHP/5.5.9-1ubuntu4.23 \nPHP/5.4.41-0+deb7u1 \nPHP/5.4.36-0+deb7u3 \n\n##### Vendor Status\n\n[06.10.2019] Vulnerability discovered. \n[14.10.2019] Vendor contacted. \n[20.10.2019] No response from the vendor. \n[21.10.2019] Vendor contacted. \n[26.12.2019] No response from the vendor. \n[27.12.2019] Public security advisory released. \n\n##### PoC\n\n[dominaplus_disableauth.txt](<../../codes/dominaplus_disableauth.txt>)\n\n##### Credits\n\nVulnerability discovered by Gjoko Krstic - <[gjoko@zeroscience.mk](<mailto:gjoko@zeroscience.mk>)>\n\n##### References\n\n[1] <https://packetstormsecurity.com/files/155762> \n[2] <https://www.exploit-db.com/exploits/47822> \n[3] <https://exchange.xforce.ibmcloud.com/vulnerabilities/173619> \n[4] <https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-21991> \n[5] <https://nvd.nist.gov/vuln/detail/CVE-2020-21991> \n[6] <https://security-tracker.debian.org/tracker/CVE-2020-21991>\n\n##### Changelog\n\n[27.12.2019] - Initial release \n[29.12.2019] - Added reference [1] \n[24.01.2020] - Added reference [2] and [3] \n[19.06.2021] - Added reference [4], [5] and [6] \n\n##### Contact\n\nZero Science Lab \n \nWeb: <http://www.zeroscience.mk> \ne-mail: [lab@zeroscience.mk](<mailto:lab@zeroscience.mk>)\n", "published": "2019-12-27T00:00:00", "modified": "2019-12-27T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "http://zeroscience.mk/en/vulnerabilities/ZSL-2019-5549.php", "reporter": "Gjoko Krstic", "references": [], "cvelist": ["CVE-2020-21991"], "immutableFields": [], "lastseen": "2021-12-12T07:54:34", "viewCount": 7, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2020-21991"]}]}, "score": {"value": 4.7, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2020-21991"]}, {"type": "nessus", "idList": ["OPENSUSE-2017-662.NASL", "SUSE_SU-2017-1445-1.NASL"]}, {"type": "threatpost", "idList": ["THREATPOST:3B05FD25F1EFE431C23369F5790520EB"]}]}, "exploitation": null, "vulnersScore": 4.7}, "sourceHref": "http://zeroscience.mk/codes/dominaplus_disableauth.txt", "sourceData": "<html><body><p>AVE DOMINAplus <=1.10.x Authentication Bypass Exploit\r\n\r\n\r\nVendor: AVE S.p.A.\r\nProduct web page: https://www.ave.it | https://www.domoticaplus.it\r\nAffected version: Web Server Code 53AB-WBS - 1.10.62\r\n Touch Screen Code TS01 - 1.0.65\r\n Touch Screen Code TS03x-V | TS04X-V - 1.10.45a\r\n Touch Screen Code TS05 - 1.10.36\r\n Models: 53AB-WBS\r\n TS01\r\n TS03V\r\n TS04X-V\r\n TS05N-V\r\n App version: 1.10.77\r\n App version: 1.10.65\r\n App version: 1.10.64\r\n App version: 1.10.62\r\n App version: 1.10.60\r\n App version: 1.10.52\r\n App version: 1.10.52A\r\n App version: 1.10.49\r\n App version: 1.10.46\r\n App version: 1.10.45\r\n App version: 1.10.44\r\n App version: 1.10.35\r\n App version: 1.10.25\r\n App version: 1.10.22\r\n App version: 1.10.11\r\n App version: 1.8.4\r\n App version: TS1-1.0.65\r\n App version: TS1-1.0.62\r\n App version: TS1-1.0.44\r\n App version: TS1-1.0.10\r\n App version: TS1-1.0.9\r\n\r\nSummary: DOMINAplus - Sistema Domotica Avanzato. Advanced Home Automation System.\r\nDesigned to revolutionize your concept of living. DOMINA plus is the AVE home\r\nautomation proposal that makes houses safer, more welcoming and optimized. In\r\nfact, our home automation system introduces cutting-edge technologies, designed\r\nto improve people's lifestyle. DOMINA plus increases comfort, the level of safety\r\nand security and offers advanced supervision tools in order to learn how to\r\nevaluate and reduce consumption through various solutions dedicated to energy\r\nsaving.\r\n\r\nDesc: DOMINAplus suffers from an authentication bypass vulnerability due to missing\r\ncontrol check when directly calling the autologin GET parameter in changeparams.php\r\nscript. Setting the autologin value to 1 allows an unauthenticated attacker to\r\npermanently disable the authentication security control and access the management\r\ninterface with admin privileges without providing credentials.\r\n\r\nTested on: GNU/Linux 4.1.19-armv7-x7\r\n GNU/Linux 3.8.13-bone50/bone71.1/bone86\r\n Apache/2.4.7 (Ubuntu)\r\n Apache/2.2.22 (Debian)\r\n PHP/5.5.9-1ubuntu4.23\r\n PHP/5.4.41-0+deb7u1\r\n PHP/5.4.36-0+deb7u3\r\n\r\n\r\nVulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n @zeroscience\r\n\r\n\r\nAdvisory ID: ZSL-2019-5549\r\nAdvisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5549.php\r\n\r\n\r\n06.10.2019\r\n\r\n--\r\n\r\n\r\n#\r\n# Mina... Mina, open your eyes!\r\n#\r\n\r\n$ curl -s http://192.168.1.10/changeparams.php?operazione=3&autologin=1\r\n1\r\n</p></body></html>", "impact": "System Access, Security Bypass", "exploit_type": "Local/Remote", "_state": {"dependencies": 1647589307, "score": 0}}

{"cve": [{"lastseen": "2022-03-23T15:09:04", "description": "AVE DOMINAplus <=1.10.x suffers from an authentication bypass vulnerability due to missing control check when directly calling the autologin GET parameter in changeparams.php script. Setting the autologin value to 1 allows an unauthenticated attacker to permanently disable the authentication security control and access the management interface with admin privileges without providing credentials.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-28T14:15:00", "type": "cve", "title": "CVE-2020-21991", "cwe": ["CWE-287"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-21991"], "modified": "2021-05-19T19:20:00", "cpe": ["cpe:/o:ave:ts03x-v_firmware:1.10.45a", "cpe:/o:ave:ts01_firmware:1.0.65", "cpe:/o:ave:ts05_firmware:1.10.36", "cpe:/a:ave:dominaplus:1.10.77", "cpe:/o:ave:ts05n-v_firmware:-", "cpe:/o:ave:53ab-wbs_firmware:1.10.62", "cpe:/o:ave:ts04x-v_firmware:1.10.45a"], "id": "CVE-2020-21991", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-21991", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:ave:ts01_firmware:1.0.65:*:*:*:*:*:*:*", "cpe:2.3:o:ave:ts04x-v_firmware:1.10.45a:*:*:*:*:*:*:*", "cpe:2.3:a:ave:dominaplus:1.10.77:*:*:*:*:*:*:*", "cpe:2.3:o:ave:ts05n-v_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:ave:ts03x-v_firmware:1.10.45a:*:*:*:*:*:*:*", "cpe:2.3:o:ave:53ab-wbs_firmware:1.10.62:*:*:*:*:*:*:*", "cpe:2.3:o:ave:ts05_firmware:1.10.36:*:*:*:*:*:*:*"]}]}

AVE DOMINAplus &lt;=1.10.x Authentication Bypass Exploit

Description

Related

AVE DOMINAplus <=1.10.x Authentication Bypass Exploit