Vulnerability found in Virtual Reception Kiosk

We are proud to announce that the vulnerability CVE-2023-25289, discovered by security researchers from Spinae, has been recognized.

Virtual Reception Kiosk

During a pentest for a customer, our security researcher Mattias noticed that a virtual reception kiosk was being used to register visitors.

This virtual reception kiosk is stationed at the entrance of the customer's office. Visitors must register their name and reason for visit in the kiosk before entering the building. From this kiosk, visitors can also call or email the person they are visiting. A built-in webcam at the top of the kiosk enables employees to verify that the visitor is who they claim to be.

Internal Pentest

During the internal pentest part of our Security MRI, the internal network of the customer is scanned to discover which devices are connected to it. Mattias discovered that the kiosk was connected to the customer's internal network. Upon closer investigation, the kiosk turned out to be an Intel NUC running Microsoft Windows 7 with the kiosk software.

After testing the machine, we noticed that you could traverse the machine's file system through a web browser by entering the IP address of the machine followed by a directory path.

For example, you could open the Windows hosts file by entering the following path in the browser:

http://[ip address]/c:/WINDOWS/System32/drivers/etc/hosts

What can be done with this?

This directory traversal vulnerability can be misused for a range of things. Here are a few examples:

  • Read the visitor logbook and know who visited the customer
  • Read the email addresses of employees imported in the kiosk
  • See live video footage of the webcam at the top of the kiosk

How are these things possible? This is explained in detail below.

Read the visitor logbook

The visitor logbook is just a file on the machine and could be accessed by entering the following path in the browser:

http://[ip address]/visitors.csv

Read the e-mail addresses of employees

From the kiosk, employees can be notified via email that a visitor has arrived at the office. For this to be possible, all employee email addresses are imported into the kiosk from Active Directory. This is just a file located on the kiosk, and it can be accessed by entering its file path in the browser.

See live footage of the webcam

Employees can access the webcam of the kiosk to verify who is at the front door. This is a 24/7 livestream of the webcam that is opened once the employee clicks on a button. Every employee can access this footage, and no username or password is needed to view it. This means that we, as a simulated attacker, could also access this livestream!
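Whether or not the vendor fixes the issue, the customer can watch for this kind of access in the kiosk's HTTP access logs. The script below is an added example written for this post, not code from the original article or from the kiosk vendor: it assumes the kiosk (or a proxy in front of it) writes common-log-format lines, and the log lines are constructed samples. It flags the absolute drive path shown above, the exposed visitors.csv, and also the more general encoded `..` traversal form, which the post does not discuss.

```python
import re
from urllib.parse import unquote

# Constructed sample access log lines (common log format); not from a real kiosk.
SAMPLE_LOG = """\
10.0.5.23 - - [12/Jan/2023:09:14:02 +0100] "GET /index.html HTTP/1.1" 200 512
10.0.5.23 - - [12/Jan/2023:09:14:09 +0100] "GET /c:/WINDOWS/System32/drivers/etc/hosts HTTP/1.1" 200 824
10.0.5.23 - - [12/Jan/2023:09:15:31 +0100] "GET /visitors.csv HTTP/1.1" 200 40960
10.0.5.41 - - [12/Jan/2023:09:16:00 +0100] "GET /static/logo.png HTTP/1.1" 200 2048
10.0.5.23 - - [12/Jan/2023:09:17:45 +0100] "GET /..%5C..%5Cusers%5Cpublic%5Cemployees.csv HTTP/1.1" 404 0
"""

# Common log format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# A request path that starts with a Windows drive letter, e.g. /c:/WINDOWS/...
DRIVE_RE = re.compile(r'^/?[a-zA-Z]:[\\/]')
# Files the post shows exposed; the AD email export path is not given, so add it when known.
SENSITIVE = ("/visitors.csv",)

def classify_path(raw_path):
    """Return a finding label for a suspicious request path, or None if it looks benign."""
    path = raw_path.split("?", 1)[0]                 # ignore the query string
    path = unquote(unquote(path)).replace("\\", "/")  # undo double URL-encoding, normalise slashes
    if DRIVE_RE.match(path):
        return "absolute-drive-path"
    if any(seg == ".." for seg in path.split("/")):
        return "dot-dot-traversal"
    if path.lower() in SENSITIVE:
        return "sensitive-file"
    return None

def scan_log(text):
    """Parse CLF lines and return (client ip, raw path, finding, status) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        kind = classify_path(m.group("path"))
        if kind:
            hits.append((m.group("ip"), m.group("path"), kind, int(m.group("status"))))
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A hit with status 200 on an absolute drive path means the file was actually served, which is exactly the condition found during this pentest; a 404 still shows someone probing.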

What can you do to prevent this?

The vendor of the virtual reception kiosk can disable directory traversal over the network. The vendor could also protect the webcam livestream with a strong username and password.

However, you can't always fully rely on the vendor to make everything secure. You can take some protective measures yourself as well. For example, you can segregate your network and put the virtual reception kiosk in a separate segment, with strict segmentation firewall rules (deny-by-default, allow-by-exception).

Are you uncertain about the security of some devices in your network? We can help test these devices and the rest of your network for you!
Interested? Feel free to contact us!
