Message-ID: <08eab6f51bbd4792f4554cb1e4720b5c@openmailbox.org>
Date: Wed, 18 Jun 2014 19:18:38 +0000
From: gassyjack@...nmailbox.org
To: fulldisclosure@...lists.org
Subject: [FD] Vulnerabilities in CDVI ACAC22 [2-Door Controller]
Vulnerabilities in CDVI ACAC22 [2-Door Controller]
==================================================
Vulnerabilities have been found in the CDVI ACAC22 door controller web
interface. These vulnerabilities include:
- Client-side encryption for username and password without SSL
- Denial of service attacks leading to inability to use the web
interface and a possible fail-open on the lock
This issue has been assigned an ID for reference:
1dd4a586
No CVE has been assigned to this.
Contacting CDVI
===============
CDVI was contacted but did not respond to any requests for assistance.
It has been decided to post this information to the Full Disclosure
mailing list.
CDVI's website is as follows:
http://www.cdvi.co.uk/
Authentication issues
=====================
Authentication is performed using RC4 to encrypt the username and MD5 to
hash the password at the login screen, using a JavaScript function
that performs both before submitting the form data. The key used to
encrypt with RC4 is retrieved from the server and is sent back with the
login details in the form of a cookie. It is also used as a salt during
the MD5 process.
An example from the JS code is the 'login_preSubmit()' function in the
main login page:
$("#login_user").val(rc4($("#login_key").val(), username_str));
$("#login_pass").val(md5($("#login_key").val() +
$("#login_password").val()));
The server checks whether the key has been issued, but it is unknown
when it expires. The MD5 digest itself is supplied in base-16 (hex) and
the server compares it case-sensitively, meaning that the server
recomputes the same hash on its end using the supplied key and compares
the two. Since the key is only chosen at login time, this also means that
the server is likely storing the passwords in plaintext.
With regards to the key exposure, there is no SSL employed on the web
interface, meaning that the key is received and sent with no encryption.
Denial of service attack
========================
One can exhaust the available login sessions and keys by making multiple
requests. The server attempts to thwart this by limiting each IP address
and user-agent combination to five sessions, but a change in user-agent
alone will allow you to max it out at around 15.
This can lead to an inability to log into the web interface.
Additionally, the device is configured by default to fail open, meaning
that an attacker could potentially cause the door to unlock if the
system becomes overloaded in the process.
Yes. One could possibly unlock the door through a DoS attack.
Our opinion
===========
You should contact the device manufacturer for further assistance and
avoid buying the device if you’re looking to implement such a system.
Yours truly,
Gassy Jack
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/