AXESS TMC X1 / X2 Multiple Vulnerabilities

AXESS TMC makes a set of terminals that manage Time & Attendance as well as Access Control. For example, the X1 and X2 perform many functions in a compact unit and still offer remote management capability (a Shodan search for "X1/X2 Configuration" finds them).

These devices ship with default administrator credentials for both the web and FTP interfaces: admin / admin

As an admin you can also obtain the other passwords, because they are stored in plaintext. In the web interface they are displayed on the various configuration screens; over FTP (or the HTTP file-browse menu) they are readable in the PARAMETERS.TXT file:

OperatorPassword=00000
RemotePassword=admin

[GPRS]
[..]
User=""
Password=""

[FtpClient]
ServerURL=
User=""
Password=""

[USB]
Enabled=1
PasswordUSB=00000
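A small audit script for the PARAMETERS.TXT format shown above, added here as an example (it is not part of the original post or of any vendor software): it parses the INI-style file (keys before the first section, empty strings written as "") and flags every password field that is empty, matches the factory defaults reported above (admin, 00000), or is a short numeric PIN. The sample contents are constructed from the fields quoted above, with the "[..]" omission marker dropped, so a defender can run the same check against a real export from a terminal.

```python
import re

# Constructed sample of the fields quoted above ("[..]" omission marker left out).
SAMPLE_PARAMETERS_TXT = """\
OperatorPassword=00000
RemotePassword=admin
[GPRS]
Password=""
[FtpClient]
ServerURL=
User=""
Password=""
[USB]
Enabled=1
PasswordUSB=00000
"""

KNOWN_DEFAULTS = {"admin", "00000"}  # factory values reported in the post
SECRET_KEY_RE = re.compile("password", re.IGNORECASE)  # keys that hold a secret

def parse_parameters(text):
    """Parse the INI-like PARAMETERS.TXT into {section: {key: value}}."""
    sections, current = {"": {}}, ""  # keys before any [section] go under ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:  # the file writes empty strings as "", so strip those quotes
            sections[current][key.strip()] = value.strip().strip('"')
    return sections

def audit_credentials(sections):
    """Return (section, key, reason) for empty, default, or short numeric secrets."""
    findings = []
    for section, keys in sections.items():
        for key, value in keys.items():
            if not SECRET_KEY_RE.search(key):
                continue
            if value == "":
                findings.append((section, key, "empty"))
            elif value.lower() in KNOWN_DEFAULTS:
                findings.append((section, key, "factory default"))
            elif value.isdigit() or len(value) < 8:  # heuristic: short PINs are weak
                findings.append((section, key, "weak"))
    return findings
```

Running audit_credentials(parse_parameters(SAMPLE_PARAMETERS_TXT)) reports the two global passwords and PasswordUSB as factory defaults and the GPRS and FtpClient passwords as empty; any terminal whose export produces findings should have those values changed before it is exposed on the network.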

There is an XSS vulnerability in /file_manager.cgi (CVE-2013-78000) via file upload, as demonstrated in the screenshots below:

(screenshots: x1-xss1, x1-xss2, x1-xss3)

For red teamers, access to this device could allow remote disabling of physical security features. The /biometric.cgi page lets you manipulate the biometric sensors or disable them completely if they are enabled. It isn't as good as popping the door locks, but it sure makes physical access easier!

(screenshot: x1-biometrics)

The /access.cgi page likewise lets you manipulate the access controls or disable them completely:

(screenshot: x1-accesscontrol)
