Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Tinycontrol LAN Controller Unauthenticated Configuration Backup Vulnerability Allowing Credential Extraction

Vulnerability

A vulnerability exists in Tinycontrol LAN Controller v3 LK3, specifically in version 1.58a, that allows remote attackers to download configuration backup files containing sensitive credentials. No authentication is required: an attacker can retrieve the 'lk3_settings.bin' file and extract the base64-encoded user and admin passwords from it.

Impact

Exploitation of this vulnerability leads to unauthorized access to user and admin credentials, which can be used to bypass security controls and gain full access to the system.

Reproduction

To reproduce this vulnerability, send a request to the device for the 'lk3_settings.bin' file. If the request is successful and the file is returned, it can be saved locally. Once the file is obtained, extract the base64-encoded passwords for the user and admin by searching for specific patterns in the file's content. Decode the extracted base64 strings to retrieve the plaintext passwords.
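Because the backup download needs no authentication, the most useful signal for a defender is the device's own HTTP access log (or that of a reverse proxy in front of it): any request for 'lk3_settings.bin' that was answered with a 2xx status means the file, and the credentials inside it, left the device. The following detection script is an added example, not code from the advisory or from Tinycontrol. It assumes combined-log-format access logs and constructed sample lines; the URL paths in the samples are assumptions, since the advisory names only the file.

```python
import re
from collections import Counter
from typing import Iterable

# Configuration backup file named in the advisory.
BACKUP_FILE = "lk3_settings.bin"

# Parser for Apache/nginx combined log format. Referrer and user agent are
# not captured, so "common" format lines without them also match.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines for illustration only. The request paths
# (/lk3_settings.bin, /backup/lk3_settings.bin) are assumptions.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [09/Dec/2025:21:40:01 +0000] "GET /lk3_settings.bin HTTP/1.1" 200 4096 "-" "curl/8.4.0"',
    '192.0.2.10 - - [09/Dec/2025:21:41:13 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [09/Dec/2025:21:42:30 +0000] "GET /backup/lk3_settings.bin HTTP/1.1" 401 0 "-" "python-requests/2.31"',
    '198.51.100.5 - - [09/Dec/2025:21:43:00 +0000] "GET /lk3_settings.bin?t=1 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]


def is_backup_request(target: str) -> bool:
    """True when the last path component of the request target is the backup file."""
    path = target.split("?", 1)[0].split("#", 1)[0]
    return path.rsplit("/", 1)[-1].lower() == BACKUP_FILE


def find_backup_requests(lines: Iterable[str]) -> list:
    """Return one finding per request for the backup file, with a verdict.

    A 2xx status means the backup (and the credentials inside it) was served;
    any other status is recorded as a probe that did not succeed.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_backup_request(m.group("target")):
            continue
        status = int(m.group("status"))
        verdict = "backup_downloaded" if 200 <= status < 300 else "backup_probe"
        findings.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "target": m.group("target"),
            "status": status,
            "verdict": verdict,
        })
    return findings


def sources_with_downloads(findings: list) -> Counter:
    """Count successful backup downloads per source address."""
    return Counter(f["ip"] for f in findings if f["verdict"] == "backup_downloaded")


if __name__ == "__main__":
    hits = find_backup_requests(SAMPLE_ACCESS_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["verdict"]} {h["target"]} ({h["status"]})')
    for ip, n in sources_with_downloads(hits).items():
        print(f"{ip}: {n} successful download(s); rotate user and admin passwords")
```

Any source listed by `sources_with_downloads` has obtained the stored passwords, so the response is to treat those credentials as compromised and rotate them after the device is patched or the backup endpoint is put behind authentication, rather than only blocking the address.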

Added: Dec 9, 2025, 9:46 PM
Updated: Dec 9, 2025, 9:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 9.1
remediation: 0.0
relevance: 1.3
threat: 8.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.