Key Information

Vulnerability Name: FaceSentry Access Control System 6.4.8 Remote Command Injection
Vulnerability ID: ZSL-2019-5523
Type: Local/Remote
Impact: System Access
Risk Level: 5/5
Release Date: 30.06.2019

Vulnerability Description

FaceSentry 5AN is an advanced intelligent identity management device that enables access control using biometric facial recognition, contact smart cards, employee ID, or QR codes. Its QR code upgrade feature allows users to share eKeys with visitors remotely via network management tools even when away from the office, and users can monitor all activities. FaceSentry 5AN is powered via standard PoE and can be installed in minutes using only six screws, making it an enterprise-grade solution suitable for access control and attendance management.

FaceSentry contains an authenticated OS command injection vulnerability that can be exploited using default credentials: arbitrary commands can be injected via the 'strInIP' and 'strInPort' parameters of the 'pingTest' and 'tcpPortTest' PHP scripts, and they are executed as the root user.

Affected Versions

Firmware 6.4.8 build 264 (Algorithm A16)
Firmware 5.7.2 build 568 (Algorithm A14)
Firmware 5.7.0 build 539 (Algorithm A14)

Test Environment

Linux 4.14.18-sunxi (armv7l) Ubuntu 16.04.4 LTS (Xenial Xerus)
Linux 3.4.113-sun8i (armv7l)
PHP 7.0.30-0ubuntu0.16.04.1
PHP 7.0.22-0ubuntu0.16.04.1
lighttpd/1.4.35
Armbian 5.38
Sunxi Linux (sun8i generation)
Orange Pi PC+

Vendor Status

[28.05.2019] Vulnerability discovered.
[29.05.2019] Contacted vendor.
[12.06.2019] No response from vendor.
[13.06.2019] Contacted vendor again.
[27.06.2019] Vendor still unresponsive.
[28.06.2019] Contacted vendor again.
[29.06.2019] Still no response from vendor.
[30.06.2019] Public release of security advisory.

Vendor: iWT Ltd.

Discoverer: Vulnerability discovered by Gjoko Krstic
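
Added example (not part of the advisory and not vendor code): a Python check that flags web-server access-log entries whose 'strInIP' or 'strInPort' values are anything other than a bare IP literal or a port number. It assumes the parameters appear in the request query string and that the log uses the common log format; the request paths, helper names and log lines are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit, parse_qs

# Parameter names come from the advisory; paths and log lines are constructed.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
IP_CHARS_RE = re.compile(r"[0-9A-Fa-f:.]+")

SAMPLE_LOG = [  # constructed sample input
    '198.51.100.7 - - [30/Jun/2019:10:00:01 +0000] "GET /PLACEHOLDER/pingTest.php?strInIP=192.0.2.10 HTTP/1.1" 200 312',
    '198.51.100.7 - - [30/Jun/2019:10:00:09 +0000] "GET /PLACEHOLDER/pingTest.php?strInIP=192.0.2.10%3Becho%20constructed HTTP/1.1" 200 401',
    '198.51.100.7 - - [30/Jun/2019:10:00:15 +0000] "GET /PLACEHOLDER/tcpPortTest.php?strInIP=192.0.2.10&strInPort=80%7Cecho HTTP/1.1" 200 98',
]


def is_literal_ip(value):
    """True only for a bare IPv4/IPv6 literal."""
    # The character allow-list runs first: ipaddress accepts an IPv6 zone
    # suffix ("%...") whose content it does not restrict.
    if not IP_CHARS_RE.fullmatch(value):
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def is_port(value):
    """True only for an ASCII decimal integer in 1..65535."""
    return value.isascii() and value.isdigit() and 1 <= int(value) <= 65535


def suspicious_params(log_line):
    """Return {param: decoded value} for watched parameters that fail validation."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return {}
    query = parse_qs(urlsplit(match.group(1)).query, keep_blank_values=True)
    bad = {}
    for name, check in (("strInIP", is_literal_ip), ("strInPort", is_port)):
        for value in query.get(name, []):
            if not check(value):
                bad[name] = value
    return bad


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(suspicious_params(line) or "ok")
```

The same two predicates describe the allow-list a server-side handler would need to enforce before passing either value to a system command.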