Legrand BTicino Driver Manager F454 1.0.51 CSRF Change Password Exploit
Title: Legrand BTicino Driver Manager F454 1.0.51 CSRF Change Password Exploit
Advisory ID: ZSL-2019-5521
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 15.05.2019
Firmware version: 1.0.51
Driver Manager version: 1.1.14
OpenSSL/1.0.0d
PHP/5.1.6
[01.05.2019] Vendor contacted.
[01.05.2019] Vendor responds, employee from BTicino will contact us.
[14.05.2019] No reply from the vendor.
[15.05.2019] Public security advisory released.
[2] https://exchange.xforce.ibmcloud.com/vulnerabilities/161088
[3] https://packetstormsecurity.com/files/152940
[17.05.2019] - Added reference [2[ and [3]
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2019-5521
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 15.05.2019
Summary
Audio/video web server for the remote control of the system using web pages or the MY HOME portal. The device can operate as a gateway for the use of the MHVisual and Virtual Configurator software - 6 DIN modules. It replaces item F453 and F453AV.Description
The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.Vendor
BTicino S.p.A. - https://www.bticino.comAffected Version
Hardware Platform: F454Firmware version: 1.0.51
Driver Manager version: 1.1.14
Tested On
Apache/2.2.14 (Unix)OpenSSL/1.0.0d
PHP/5.1.6
Vendor Status
[30.04.2019] Vulnerability discovered.[01.05.2019] Vendor contacted.
[01.05.2019] Vendor responds, employee from BTicino will contact us.
[14.05.2019] No reply from the vendor.
[15.05.2019] Public security advisory released.
PoC
legrand_csrf.htmlCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] https://www.exploit-db.com/exploits/46850[2] https://exchange.xforce.ibmcloud.com/vulnerabilities/161088
[3] https://packetstormsecurity.com/files/152940
Changelog
[15.05.2019] - Initial release[17.05.2019] - Added reference [2[ and [3]
Contact
Zero Science LabWeb: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk