Exploits / Vulnerability Discovered : 2023-10-09 |
Type : remote |
Platform : hardware
This exploit / vulnerability Tinycontrol lan controller v3 (lk3) 1.58a remote admin password change is for educational purposes only and if it is used you will do on your own risk!
Summary: Lan Controller is a very universal
device that allows you to connect many different
sensors and remotely view their readings and
remotely control various types of outputs.
It is also possible to combine both functions
into an automatic if -> this with a calendar
when -> then. The device provides a user interface
in the form of a web page. The website presents
readings of various types of sensors: temperature,
humidity, pressure, voltage, current. It also
allows you to configure the device, incl. event
setting and controlling up to 10 outputs. Thanks
to the support of many protocols, it is possible
to operate from smartphones, collect and observ
the results on the server, as well as cooperation
with other I/O systems based on TCP/IP and Modbus.
Desc: The application suffers from an insecure access
control allowing an unauthenticated attacker to
change accounts passwords and bypass authentication
gaining panel control access.
Tested on: lwIP
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience