Recently, a blog post on Trend Micro disclosed a remote, unauthenticated command injection vulnerability for HID’s VertX and Edge door controller platforms. This vulnerability immediately sparked my interest and I went shopping. I was lucky enough to find a lot of 2 Edge Evo EH400s on eBay for a fairly reasonable price. Having little doubt that I was going to break at least one of them, this seemed like the perfect purchase.
As soon as they arrived, I networked them up and got to exploring. I knew I needed an end goal lest I go down the never-ending “what else can I do” rabbit hole. I decided my end goal was to leverage the command injection vulnerability to open the door, while noting any other potential attack vectors on the way.
Both controllers were set to static IP addresses, so I had to reset the networking, which was fairly simple. Additionally, the same process also reset the password for http(s). With a little extra work, I probably could have avoided this step, but excitement got the best of me. Resetting the networking changed the device from Static to DHCP. Using the readily available HID Discovery GUI, I was able to identify their IP addresses with relative ease. We’ll talk more about the discovery GUI and its related service a bit later.