Visitor Kiosk Access Systems Riddled with Bugs

Student researchers working with IBM X-Force Red team find security holes in five leading visitor management systems.

Visitor-management systems protect business against physical threats such as unwanted and unidentified guests. But many of these lobby-based perimeter checkpoints are opening up companies to a bevy of cyber-threats.

On Monday, IBM’s penetration testing team, X-Force Red, released a report that outlines 19 bugs found across five leading visitor-management systems. Vulnerabilities range from data leakage, complete program takeover and the ability for a visitor to press Windows’ hotkeys to break out of the kiosk environment. Affected are systems made by HID Global (EasyLobby Solo), Threshold (eVisitorPass), Envoy (Envoy Passport) and The Receptionist (The Receptionist).

Interestingly, the research was conducted by IBM summer interns (Hannah Robbins and Scott Brink) under the guidance of the X-Force Red research team.

“These are really interesting targets. By their very nature, they are exposed to the public that has no credentials,” said Daniel Crowley, IBM X-Force Red’s research director.

Crowley said researchers had three goals in testing the visitor-management systems. “One, was how easy is to get checked-in as a visitor without any sort of real identifying information. Secondly, we set out to see how easy is it to get other people’s information out of the system. And third, is there a way that an adversary can break out of the application, cause it to crash or get arbitrary code-execution to run on the targeted device and gain a foothold to attack the corporate network,” he said.

Researchers said they were able to accomplish all three.

“Depending on how each of these systems are deployed, these vulnerabilities represent a serious to high-impact risk for companies,” Crowley said.

The X-Force Red team worked with each of the vendors in question, who have each released patches for the vulnerabilities.

The CVEs include:

CVE-2018-17482 – Lobby Track Desktop visitor records information disclosure. Lobby Track Desktop could allow a local attacker to obtain sensitive information, caused by an error in Reports while in kiosk mode. By visiting the kiosk and clicking on reports, an attacker could exploit this vulnerability to gain access to all visitor records and obtain sensitive information.

CVE-2018-17483 – Lobby Track Desktop driver’s license number information disclosure. Lobby Track Desktop could allow a local attacker to obtain sensitive information, caused by an error in Reports while in kiosk mode. By visiting the kiosk and viewing the driver’s license column, an attacker could exploit this vulnerability to view the driver’s license number and other personal information.

CVE-2018-17484 – Lobby Track Desktop database information disclosure. Lobby Track Desktop could allow a local attacker to obtain sensitive information, caused by an error in Sample Database.mdb database while in kiosk mode. By using attack vectors outlined in kiosk breakout, an attacker could exploit this vulnerability to view and edit the database.

CVE-2018-17485 – Lobby Track Desktop default account. Lobby Track Desktop contains default administrative credentials. An attacker could exploit this vulnerability to gain full access to the application.

CVE-2018-17486 Lobby Track Desktop visitor records security bypass. Lobby Track Desktop could allow a local attacker to bypass security restrictions, caused by an error in the find visitor function while in kiosk mode. By visiting the kiosk and selecting find visitor, an attacker could exploit this vulnerability to delete visitor records or remove a host.

CVE-2018-17487 – Lobby Track Desktop kiosk breakout privilege escalation. Lobby Track Desktop could allow a local attacker to gain elevated privileges on the system, caused by an error in the printer dialog. By visiting the kiosk and signing in as a visitor, an attacker could exploit this vulnerability using the command line to break out of kiosk mode.

CVE-2018-17488 – Lobby Track Desktop kiosk breakout privilege escalation. Lobby Track Desktop could allow a local attacker to gain elevated privileges on the system, caused by an error in the printer dialog. By visiting the kiosk and accessing the print badge screen, an attacker could exploit this vulnerability using the command line to break out of kiosk mode.

CVE-2018-17489 – EasyLobby Solo social security number information disclosure. EasyLobby Solo could allow a local attacker to obtain sensitive information, caused by the storing of the social security number in plaintext. By visiting the kiosk and viewing the Visitor table of the database, an attacker could exploit this vulnerability to view stored social security numbers.

CVE-2018-17490 EasyLobby Solo task manager denial of service. EasyLobby Solo is vulnerable to a denial of service. By visiting the kiosk and accessing the task manager, a local attacker could exploit this vulnerability to kill the process or launch new processes at will.

CVE-2018-17491 EasyLobby Solo program privilege escalation. EasyLobby Solo could allow a local attacker to gain elevated privileges on the system. By visiting the kiosk and typing “esc” to exit the program, an attacker could exploit this vulnerability to perform unauthorized actions on the computer.

CVE-2018-17492 EasyLobby Solo default account. EasyLobby Solo contains default administrative credentials. An attacker could exploit this vulnerability to gain full access to the application.

CVE-2018-17493 eVisitorPass Fullscreen button breakout privilege escalation. eVisitorPass could allow a local attacker to gain elevated privileges on the system, caused by an error with the Fullscreen button. By visiting the kiosk and clicking the full screen button in the bottom right, an attacker could exploit this vulnerability to close the program and launch other processes on the system.

CVE-2018-17494 eVisitorPass Start Menu breakout privilege escalation. eVisitorPass could allow a local attacker to gain elevated privileges on the system, caused by an error with the Virtual Keyboard Start Menu. By visiting the kiosk and pressing windows key twice, an attacker could exploit this vulnerability to close the program and launch other processes on the system.

CVE-2018-17495 eVisitorPass Help Dialog privilege escalation. eVisitorPass could allow a local attacker to gain elevated privileges on the system, caused by an error with the Virtual Keyboard Help Dialog. By visiting the kiosk and removing the program from fullscreen, an attacker could exploit this vulnerability using the terminal to launch the command prompt.

CVE-2018-17496 eVisitorPass kiosk privilege escalation. eVisitorPass could allow a local attacker to gain elevated privileges on the system, caused by an error while in kiosk mode. By visiting the kiosk and typing ctrl+shift+esc, an attacker could exploit this vulnerability to open the task manager to kill the process or launch new processes on the system.

CVE-2018-17497 eVisitorPass admin credentials default account. eVisitorPass contains default administrative credentials. An attacker could exploit this vulnerability to gain full access to the application.

CVE-2018-17499 Envoy Passport for Android and Envoy Passport for iPhone API key information disclosure. Envoy Passport for Android and Envoy Passport for iPhone could allow a local attacker to obtain sensitive information, caused by the storing of unencrypted data in logs. An attacker could exploit this vulnerability to obtain two API keys, a token and other sensitive information.

CVE-2018-17500 Envoy Passport for Android and Envoy Passport for iPhone OAuth Creds information disclosure. Envoy Passport for Android and Envoy Passport for iPhone could allow a local attacker to obtain sensitive information, caused by the storing of hardcoded OAuth Creds in plaintext. An attacker could exploit this vulnerability to obtain sensitive information.

CVE-2018-17502 The Receptionist for iPad contacts information disclosure. The Receptionist for iPad could allow a local attacker to obtain sensitive information, caused by an error in the contact.json file. An attacker could exploit this vulnerability to obtain the contact names, phone numbers and emails.

Suggested articles

Discussion

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.