ICT Protege GX/WX 2.08 Client-Side SHA1 Password Hash Disclosure

`  
ICT Protege GX/WX 2.08 Client-Side SHA1 Password Hash Disclosure  
  
  
Vendor: Integrated Control Technology Ltd.  
Product web page: https://www.ict.co  
Affected version: GX: Ver: 2.08.1002 K1B3  
Lib: 04.00.217  
Int: 2.3.235.J013  
OS: 2.0.20  
WX: Ver: 4.00 284 H062  
App: 02.08.766  
Lib: 04.00.169  
Int: 02.2.208  
  
Summary: Protege GX is an enterprise level integrated access control, intrusion  
detection and building automation solution with a feature set that is easy to  
operate, simple to integrate and effortless to extend. Protege WX is an all-in-one,  
web-based, cross-platform system that gives you a fully functional access control  
and intrusion detection solution in a fraction of the time of conventional software.  
With no software to install, setup is quick and simple. Connect the Controller and  
system components, then open a web browser to launch the intuitive wizard-driven  
interface which guides you through the process of configuring your system.  
  
Desc: The application is vulnerable to improper access control that allows an  
authenticated operator to disclose SHA1 password hashes (client-side) of other  
users/operators.  
  
Tested on: Microsoft-WinCE/6.00  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2022-5700  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5700.php  
  
  
08.02.2022  
  
--  
  
  
Navigate to http://CONTROLLER_IP/operator.htm  
  
Source:  
  
<p><label id="OperatorPassword">Password</label><input type="password" id="Password" value="" class="narrow" readonly=""> <input type="button" id="ButtonChangeOperatorPassword" class="narrow" style="float: right; margin-right: 23%; width: auto;" onclick="updatePassword('operator');" data-multiselect="disabled" value="Change Password"></p>  
...  
...  
<input type="hidden" id="pswdsha" value="053e98c13fcbd7df3bf3a220088e19c867dfd4cc">  
...  
`