
CVE-2019-13143

Published: 06/08/2019 Updated: 24/08/2020
CVSS v2 Base Score: 9 | Impact Score: 8.5 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 802
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:C

Vulnerability Summary

An HTTP parameter pollution issue exists on Shenzhen Dragon Brothers Fingerprint Bluetooth Round Padlock FB50 2.3. With the user ID, user name, and the lock's MAC address, anyone can unbind the existing owner of the lock and bind themselves instead. This leads to complete takeover of the lock. The user ID, name, and MAC address are trivially obtained from APIs found within the Android or iOS application. With only the MAC address of the lock, any attacker can transfer ownership of the lock from the current user to the attacker's account, rendering the lock completely inaccessible to the current user.

Vulnerable Product

shenzhen_dragon_brothers fb50_firmware 2.3

Github Repositories

🔓 transfer ownership of any FB50 smart lock to yourself (CVE-2019-13143)

pwnfb50

Transfer ownership of any FB50 smart lock to yourself (CVE-2019-13143)

Usage

$ python3 pwnfb50.py [id] [mac]

Where id is your user ID, and mac is your lock's MAC address.
