Legrand BTicino Driver Manager F454 1.0.51 CSRF Change Password Exploit

Medium
Advisory ID: ZSL-2019-5521
Release Date: 15 May 2019
Vendor: BTicino S.p.A. - https://www.bticino.com
Affected Version: Hardware Platform: F454, Firmware version: 1.0.51, Driver Manager version: 1.1.14
Tested On: Apache/2.2.14 (Unix), OpenSSL/1.0.0d, PHP/5.1.6
Summary

Audio/video web server for the remote control of the system using web pages or the MY HOME portal. The device can operate as a gateway for the use of the MHVisual and Virtual Configurator software - 6 DIN modules. It replaces item F453 and F453AV.

Description

The application interface allows users to perform certain actions via HTTP requests without any validity check on whether the request was intentionally issued by the user (cross-site request forgery). This can be exploited to perform certain actions with administrative privileges, such as changing the password, if a logged-in user visits a malicious web site.
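The following is an added example, not the advisory's proof of concept and not BTicino's code: it contrasts a password-change handler that relies only on the session (the pattern the description above identifies) with a hardened version that additionally verifies the request origin and a per-session synchronizer token. The names (`Session`, `change_password_vulnerable`, `change_password_hardened`, `TRUSTED_ORIGIN`) and the in-memory password store are hypothetical and constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed, hypothetical values for the example: the device's own origin
# and a trivial in-memory credential store standing in for the real backend.
TRUSTED_ORIGIN = "https://device.example"
PASSWORDS = {"admin": "old-password"}


@dataclass
class Session:
    """Server-side session: a CSRF token is minted once per session."""
    user: str
    is_admin: bool
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def change_password_vulnerable(session: Session, form: dict) -> int:
    """Only the ambient session is checked, so a form auto-submitted by any
    site the logged-in user visits is indistinguishable from a real change."""
    if not session.is_admin:
        return 403
    PASSWORDS[form["user"]] = form["new_password"]
    return 200


def _same_origin(url_value: str) -> bool:
    """Compare scheme and host exactly; a prefix check would accept
    'https://device.example.attacker-controlled' as trusted."""
    parts = urlsplit(url_value)
    return f"{parts.scheme}://{parts.netloc}" == TRUSTED_ORIGIN


def change_password_hardened(session: Session, form: dict, headers: dict) -> int:
    """Require (1) an Origin/Referer matching the device's own origin and
    (2) a synchronizer token bound to the session, compared in constant time."""
    if not session.is_admin:
        return 403
    # Browsers send Origin on cross-site POSTs; fall back to Referer.
    origin = headers.get("Origin") or headers.get("Referer", "")
    if not _same_origin(origin):
        return 403
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, session.csrf_token):
        return 403
    PASSWORDS[form["user"]] = form["new_password"]
    return 200


if __name__ == "__main__":
    sess = Session(user="admin", is_admin=True)
    cross_site = {"Origin": "https://attacker.example"}  # constructed header
    print("vulnerable:", change_password_vulnerable(sess, {"user": "admin", "new_password": "pwned"}))
    print("hardened, cross-site:", change_password_hardened(
        sess, {"user": "admin", "new_password": "pwned"}, cross_site))
    print("hardened, legitimate:", change_password_hardened(
        sess, {"user": "admin", "new_password": "new", "csrf_token": sess.csrf_token},
        {"Origin": TRUSTED_ORIGIN}))
```

The token must be embedded in the legitimate password-change form by the server and is never readable by another origin, so a forged request cannot supply it; the origin check is a cheap second layer that also covers clients that strip the token field. Rejected requests (the 403 path) are the events worth logging and alerting on, since a burst of them from an authenticated session is the visible trace of an attempted forgery.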

Proof of Concept
Disclosure Timeline
30.04.2019 Vulnerability discovered.
01.05.2019 Vendor contacted.
01.05.2019 Vendor responds, employee from BTicino will contact us.
14.05.2019 No reply from the vendor.
15.05.2019 Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
15.05.2019 Initial release
17.05.2019 Added reference [2] and [3]
23.03.2026 Added reference [4]