Headline
Tinycontrol LAN Controller v3 (LK3) Remote Credentials Extraction PoC
An unauthenticated attacker can retrieve the controller’s configuration backup file and extract sensitive information that can allow him/her/them to bypass security controls and penetrate the system in its entirety.
Title: Tinycontrol LAN Controller v3 (LK3) Remote Credentials Extraction PoC
Advisory ID: ZSL-2023-5786
Type: Local/Remote
Impact: Security Bypass, Privilege Escalation, System Access, Exposure of System Information, Exposure of Sensitive Information
Risk: (5/5)
Release Date: 01.09.2023
Summary
Lan Controller is a very universal device that allows you to connect many different sensors and remotely view their readings and remotely control various types of outputs. It is also possible to combine both functions into an automatic if -> this with a calendar when -> then. The device provides a user interface in the form of a web page. The website presents readings of various types of sensors: temperature, humidity, pressure, voltage, current. It also allows you to configure the device, incl. event setting and controlling up to 10 outputs. Thanks to the support of many protocols, it is possible to operate from smartphones, collect and observ the results on the server, as well as cooperation with other I/O systems based on TCP/IP and Modbus.
Description
An unauthenticated attacker can retrieve the controller’s configuration backup file and extract sensitive information that can allow him/her/them to bypass security controls and penetrate the system in its entirety.
Vendor
Tinycontrol - https://www.tinycontrol.pl
Affected Version
<=1.58a, HW 3.8
Tested On
lwIP
Vendor Status
[18.08.2023] Vulnerability discovered.
[19.08.2023] Vendor contacted.
[31.08.2023] No response from the vendor.
[01.09.2023] Public security advisory released.
PoC
lk3_backup.py
Credits
Vulnerability discovered by Gjoko Krstic - <[email protected]>
References
N/A
Changelog
[01.09.2023] - Initial release
Contact
Zero Science Lab
Web: https://www.zeroscience.mk
e-mail: [email protected]