SOYAL Biometric Access Control System 5.0 CSRF Change Admin Password

Title: SOYAL Biometric Access Control System 5.0 CSRF Change Admin Password
Advisory ID: ZSL-2021-5632
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 18.03.2021
Summary
Soyal Access systems are built into Raytel Door Entry Systems and provide access and lift control to many buildings, from public and private apartment blocks to prestigious public buildings.
Description
The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.
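As an added illustration (not part of this advisory, the PoC, or the vendor's firmware), a minimal model of a password-change handler that trusts the session cookie alone, beside a hardened version that also requires a per-session anti-CSRF token and checks the Origin header. The handler, field names and device address are hypothetical.

```python
# Added example: the bug class described above (state change authorised by the
# session cookie alone) next to the standard mitigation. Not SOYAL's code; the
# request shape, field names and device origin are hypothetical.
import hmac
import secrets

DEVICE_ORIGIN = "http://192.0.2.10"  # hypothetical device address (documentation range)


class Device:
    def __init__(self):
        self.admin_password = "initial"
        self.sessions = {}  # session id -> per-session anti-CSRF token

    def login(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = secrets.token_hex(32)
        return sid

    def csrf_token(self, sid):
        # The legitimate web UI embeds this token in its own forms.
        return self.sessions[sid]

    def change_password_vulnerable(self, req):
        # Only checks that a valid session cookie arrived. A form auto-submitted
        # by another site carries that cookie, so the request is accepted.
        if req.get("cookie") not in self.sessions:
            return 403
        self.admin_password = req["form"]["new_password"]
        return 200

    def change_password_hardened(self, req):
        sid = req.get("cookie")
        if sid not in self.sessions:
            return 403
        # Browsers set Origin on cross-origin POSTs; reject a foreign one outright.
        origin = req.get("origin")
        if origin is not None and origin != DEVICE_ORIGIN:
            return 403
        # Primary defence: another site cannot read the per-session token,
        # so a forged request cannot supply it. Constant-time compare.
        token = req["form"].get("csrf_token", "")
        if not hmac.compare_digest(token, self.sessions[sid]):
            return 403
        self.admin_password = req["form"]["new_password"]
        return 200
```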
Vendor
SOYAL Technology Co., Ltd - https://www.soyal.com
Affected Version
AR-727 i/CM - F/W: 5.0
AR837E/EF - F/W: 4.3
AR725Ev2 - F/W: 4.3 191231
AR331/725E - F/W: 4.2
AR837E/EF - F/W: 4.1
AR-727CM /i - F/W: 4.09
AR-727CM /i - F/W: 4.06
AR-837E - F/W: 3.03
Tested On
SOYAL Technology WebServer 2.0
SOYAL Serial Device Server 4.03A
SOYAL Serial Device Server 4.01n
SOYAL Serial Device Server 3.07n
Vendor Status
[25.01.2021] Vulnerability discovered.
[03.02.2021] Vendor contacted.
[08.02.2021] No response from the vendor.
[09.02.2021] Distributor responds and informs vendor.
[09.02.2021] Sent details to distributor.
[10.02.2021] Asked distributor for status update.
[11.02.2021] Vendor will patch the issue.
[18.03.2021] Public security advisory released.
PoC
soyal_csrf.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://www.exploit-db.com/exploits/49677
[2] https://exchange.xforce.ibmcloud.com/vulnerabilities/198551
[3] https://packetstormsecurity.com/files/161876/
[4] https://cxsecurity.com/issue/WLB-2021030132
[5] https://nvd.nist.gov/vuln/detail/CVE-2021-28268
[6] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28268
Changelog
[18.03.2021] - Initial release
[23.03.2021] - Added reference [1], [2], [3] and [4]
[19.06.2021] - Added reference [5] and [6]
Contact
Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk