CDVI ACAC22 Authentication / Denial Of Service
Posted Jun 18, 2014
Authored by Gassy Jack

CDVI ACAC22 suffers from a lack of transport encryption for authentication and denial of service vulnerabilities.

tags | advisory, denial of service, vulnerability
SHA-256 | 047f2ac3e771278a841178d716fb08b78428f50401ded7587c85313fcd19564c

Vulnerabilities in CDVI ACAC22 [2-Door Controller]
==================================================
Vulnerabilities have been found in the CDVI ACAC22 door controller web
interface. These vulnerabilities include:

- Client-side encryption for username and password without SSL
- Denial of service attacks leading to inability to use the web
interface and a possible fail-open on the lock

This issue has been assigned an ID for reference:
1dd4a586

No CVE has been assigned to this.

Contacting CDVI
===============
CDVI was contacted but did not respond to any requests for assistance.
It has been decided to post this information to the Full Disclosure
mailing list.

CDVI's website is as follows:
http://www.cdvi.co.uk/

Authentication issues
=====================
Authentication is performed using RC4 to encrypt the username and MD5 to
hash the password at the login screen, using a JavaScript function
that performs both before submitting the form data. The key used to
encrypt with RC4 is retrieved from the server and is sent with the login
details in the form of a cookie. It is also used as a salt during the
MD5 process.

An example from the JS code can be found in the 'login_preSubmit()'
function found in the main login page.

    $("#login_user").val(rc4($("#login_key").val(), username_str));
    $("#login_pass").val(md5($("#login_key").val() + $("#login_password").val()));

The server checks to see if the key has been determined, but it is
unknown when it expires. The MD5 key itself is supplied in base-16
and the server application is sensitive to its case, meaning
that the server does a comparison on the other end using the supplied
key. It also means that the server is likely storing the passwords in
plaintext.

With regard to the key exposure, there is no SSL employed on the web
interface, meaning that the key is received and sent with no encryption.
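
Added example (not part of the original advisory and not CDVI's code): a
Python sketch of the server-side check the advisory infers, next to a
hardened alternative that stores only a salted, slow digest. The user name,
password, key and function names are constructed assumptions, and the
hardened variant assumes the password is submitted over TLS.

```python
import hashlib
import hmac
import os

# Constructed sample data; nothing here is taken from a real device.
PLAINTEXT_DB = {"admin": "correct horse"}  # what the inferred scheme must store

def client_response(key: str, password: str) -> str:
    """md5(key + password) as lowercase hex, like the login_preSubmit() line."""
    return hashlib.md5((key + password).encode()).hexdigest()

def inferred_verify(user: str, key: str, response: str) -> bool:
    """Inferred server check: recompute from the stored plaintext password."""
    password = PLAINTEXT_DB.get(user)
    if password is None:
        return False
    # Byte-for-byte string comparison, hence the case sensitivity noted above.
    return response == client_response(key, password)

def enroll(password: str, iterations: int = 600_000) -> tuple:
    """Hardened storage: per-user random salt plus a slow PBKDF2 digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest

def hardened_verify(record: tuple, password: str) -> bool:
    """Hardened check: password arrives over TLS, compared in constant time."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    key = os.urandom(8).hex()  # stands in for the per-session key from the server
    resp = client_response(key, "correct horse")
    print("inferred scheme, exact hex:", inferred_verify("admin", key, resp))
    print("inferred scheme, upper hex:", inferred_verify("admin", key, resp.upper()))
    record = enroll("correct horse")
    print("hardened scheme:", hardened_verify(record, "correct horse"))
```

Because the key changes per login, the first check only works if the server
can read the password back; the second never needs to.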

Denial of service attack
========================
One can exhaust the available login sessions and keys by making multiple
requests. The server attempts to thwart this by limiting you to at least
five sessions per IP address and user-agent, but a change in user-agent
alone will allow you to max it out at around 15.

This can lead to an inability to log into the web interface.

Additionally, the device is configured by default to fail open, meaning
that an attacker could potentially cause the door to unlock if the
system becomes overloaded in the process.

Yes. One could possibly unlock the door through a DoS attack.

Our opinion
===========
You should contact the device manufacturer for further assistance and
avoid buying the device if you’re looking to implement such a system.

Yours truly,
Gassy Jack

