Delta Controls enteliTOUCH 3.40.3935 Cookie User Password Disclosure

Title: Delta Controls enteliTOUCH 3.40.3935 Cookie User Password Disclosure
Advisory ID: ZSL-2022-5704
Type: Local/Remote
Impact: Exposure of Sensitive Information, Security Bypass
Risk: (3/5)
Release Date: 14.04.2022
Summary
enteliTOUCH - Touchscreen Building Controller. Get instant access to the heart of your BAS. The enteliTOUCH has a 7-inch, high-resolution display that serves as an interface to your building. Use it as your primary interface for smaller facilities or as an on-the-spot access point for larger systems. The intuitive, easy-to-navigate interface gives instant access to manage your BAS.
Description
The device's web interface stores the user's password in cleartext in an HTTP cookie. Because that cookie is sent with every request over unencrypted HTTP, a remote attacker positioned as a man-in-the-middle can read the authentication credentials directly from the Cookie header and reuse them to log in; anyone with access to the browser's cookie store can recover the password the same way.
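The following check is an added example, not part of the advisory, the referenced PoC file or any Delta Controls code. It shows how to verify this class of issue on a device you are authorised to test: after logging in with a known password, feed the Set-Cookie headers of the login response to the function below, which reports every cookie whose value carries that password in cleartext or behind URL- or base64-encoding, together with whether the cookie was marked Secure/HttpOnly. The sample headers, cookie names and password are constructed for illustration; the advisory does not publish the enteliTOUCH cookie format.

```python
import base64
import binascii
from http.cookies import SimpleCookie
from urllib.parse import unquote

# Constructed sample: Set-Cookie headers a login response might return.
# Cookie names and values are hypothetical; they are NOT taken from the
# enteliTOUCH advisory, which does not publish the device's cookie format.
SAMPLE_SET_COOKIE_HEADERS = [
    "session=1a2b3c4d; Path=/; HttpOnly",
    "user=operator; Path=/",
    "pwd=Summer2022!; Path=/",
    "token=U3VtbWVyMjAyMiE=; Path=/; Secure",
]


def candidate_decodings(value):
    """Yield (label, text) pairs for the raw cookie value and the common
    reversible encodings it might hide behind. A decoding is only yielded
    when it actually succeeds, so garbage values never raise."""
    yield "raw", value
    url_decoded = unquote(value)
    if url_decoded != value:
        yield "url-decoded", url_decoded
    try:
        padded = value + "=" * (-len(value) % 4)
        decoded = base64.b64decode(padded, validate=True).decode("utf-8")
        yield "base64-decoded", decoded
    except (binascii.Error, UnicodeDecodeError, ValueError):
        pass


def find_credential_leaks(set_cookie_headers, secret):
    """Return one finding per cookie whose value contains `secret`, either
    verbatim or after URL/base64 decoding. Each finding records the cookie
    name, which decoding exposed the secret, and the Secure/HttpOnly flags,
    since a cookie without Secure travels over plain HTTP where a
    man-in-the-middle can read it."""
    findings = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            for encoding, text in candidate_decodings(morsel.value):
                if secret in text:
                    findings.append({
                        "cookie": name,
                        "encoding": encoding,
                        "secure": bool(morsel["secure"]),
                        "httponly": bool(morsel["httponly"]),
                    })
                    break  # one finding per cookie is enough
    return findings


if __name__ == "__main__":
    # The password used to log in during the test; hypothetical value.
    for finding in find_credential_leaks(SAMPLE_SET_COOKIE_HEADERS, "Summer2022!"):
        print(finding)
```

Run it against the real Set-Cookie headers captured from the login response (for example from a browser's developer tools or an intercepting proxy). Any hit means the password leaves the browser on every request; a hit on a cookie without the Secure flag means it does so over cleartext HTTP, which is exactly the exposure the advisory describes. Absence of a hit only rules out the encodings checked here, not a proprietary one.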
Vendor
Delta Controls Inc. - https://www.deltacontrols.com
Affected Version
3.40.3935
3.40.3706
3.33.4005
Tested On
DELTA enteliTOUCH
Vendor Status
[06.04.2022] Vulnerability discovered.
[06.04.2022] Vendor contacted.
[13.04.2022] No response from the vendor.
[14.04.2022] Public security advisory released.
PoC
entelitouch_cookie_pwd.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://www.exploit-db.com/exploits/50880
[2] https://packetstormsecurity.com/files/166729/
[3] https://exchange.xforce.ibmcloud.com/vulnerabilities/224336
[4] https://cxsecurity.com/issue/WLB-2022040067
[5] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29733
[6] https://nvd.nist.gov/vuln/detail/CVE-2022-29733
Changelog
[14.04.2022] - Initial release
[20.04.2022] - Added reference [1], [2], [3] and [4]
[29.05.2022] - Added reference [5] and [6]
Contact
Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk