Tinycontrol LAN Controller v3 (LK3) Remote Denial Of Service Exploit

Title: Tinycontrol LAN Controller v3 (LK3) Remote Denial Of Service Exploit
Advisory ID: ZSL-2023-5785
Type: Local/Remote
Impact: Security Bypass, DoS
Risk: (4/5)
Release Date: 31.08.2023
Lan Controller is a very universal device that allows you to connect many different sensors and remotely view their readings and remotely control various types of outputs. It is also possible to combine both functions into an automatic if -> this with a calendar when -> then. The device provides a user interface in the form of a web page. The website presents readings of various types of sensors: temperature, humidity, pressure, voltage, current. It also allows you to configure the device, incl. event setting and controlling up to 10 outputs. Thanks to the support of many protocols, it is possible to operate from smartphones, collect and observ the results on the server, as well as cooperation with other I/O systems based on TCP/IP and Modbus.
The controller suffers from an unauthenticated remote denial of service vulnerability. An attacker can issue direct requests to the stm.cgi page to reboot and also reset factory settings on the device.
Tinycontrol - https://www.tinycontrol.pl
Affected Version
<=1.58a, HW 3.8
Tested On
Vendor Status
[18.08.2023] Vulnerability discovered.
[19.08.2023] Vendor contacted.
[30.08.2023] No response from the vendor.
[31.08.2023] Public security advisory released.
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
[1] https://packetstormsecurity.com/files/174455/
[2] https://cxsecurity.com/issue/WLB-2023090012
[3] https://www.exploit-db.com/exploits/51730
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/275810
[31.08.2023] - Initial release
[22.09.2023] - Added reference [1] and [2]
[12.10.2023] - Added reference [3]
[14.02.2024] - Added reference [4]
Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk