Title: SKIDATA RFID Freemotion.Gate Unauthenticated Web Service Aribtrary Remote Command Execution Product: Freemotion.Gate Vendor: SKIDATA, http://www.skidata.com/en/ RTP|One, http://http://www.rtp.com/ Vulnerable Versions: 126.96.36.199 and likely all prior versions. Tested Version: 188.8.131.52 Original Advisory: http://keepingkidsonshred.com/2013/11/skidata-rfid-freemotiongate.html Credit: Dennis Kelly <email@example.com>
SKIDATA RFID gates have a long history of use in Europe, and in the past five years, have gained traction at mountain resorts in North America. The Freemotion.Gate is their mountain product with an RFID reader and turnstile for lift access control, integrating with their Point of Sale (PoS) system or RTP|One for tickets and passes.
The intended method for controlling the gates with RTP|One is to load the SKIDATA Monitor module within the RTP|One client application (referred to as the Container), which requires authentication and authorization to the module. A packet analysis shows the SKIDATA Monitor connects to an instance of the RTP|One Gate Service, a web service that manages one or more gates. The Gate Service server loads guest and pass information from the RTP|One database for display in the SKIDATA Monitor and also connects to another web service running on the Freemotion.Gate to open it and control operational modes. The Freemotion.Gate controller is a Atmel AT91RM9200-DK based computer running Emlix Linux and a web service on port 7777:
[SKIDATA Monitor] --- TCP port 8001 ---> [Gate Service] --- TCP port 7777 ---> [Gate]
Further inspection reveals security vulnerabilities:
Both the Gate Service and Gate are vulnerable to unauthenticated remote command execution. For the purpose of this advisory, we will focus on the SKIDATA Freemotion.Gate, as it is the most likely to not be on a separate, firewalled network, nor does it require any user information, falsified or not. Copying the XML payload for each gate command will allow an attacker to easily send a crafted message to control the gate directly. An example to manually open the gate, allowing someone through without a ticket (which at some resorts could cost close to $100):
curl -X POST --header "Content-Type:text/xml" \ --data-binary @manual-release.raw \ http://[target IP]:7777/skidata/hessian/CP > /dev/null 2>&1
Where manual-release.raw is a file containing the data payload extracted from Wireshark (or your preferred network analysis tool) Other possibilities include putting gates in different modes:
The RTP|One application is PCI compliant and customers should take necessary steps to segregate and secure their networks.
Make sure Gate Service servers and Gates are segmented from the rest of the network. Apply ACLs or firewall rules to prevent unauthorized hosts from accessing Gate Service and Gate web services.
2013-11-05: Vulnerability discovered 2013-11-06: Vendor contacted 2013-11-06: Vendor acknowledgement 2013-11-19: Vendor response 2013-11-19: Advisory released