Paxton Net2 RCE
Description
According to the vendor, Paxton Net2 is an advanced PC-based access control solution. The Net2 software offers centralised administration and control of sites with up to 1,000 doors and 50,000 users.
The system operates in a client-server model, communicating in part by passing base64-encoded XML messages via a plaintext channel.
A flaw in the handling of protocol flows allows an attacker to invoke the SetOperatorPassword functionality initially used during system setup. The function can be called pre-auth but post-setup, allowing a password overwrite of the system engineer account, effectively obtaining administrative access while denying legitimate administrators. Furthermore, as part of a broken protocol design, prior to authentication the client will invoke the GetServerConfig function, to which the server will respond with an obfuscated/encrypted version of the SQL server connection string. This string is decoded by the client, and can be recovered by reversing the obfuscation algorithm or by simply dumping the client memory.
Impact
Attackers can remotely reset the master password without prior system knowledge, allowing unfettered access to the solution. Attackers can furthermore obtain system database credentials which may be used either for data viewing or modification, or for executing OS commands on the database server via xp_cmdshell.
Cause
No flag is set to mark the initial setup as complete, so the SetOperatorPassword feature is never disabled after setup. The protocol design that allows database credential disclosure prior to authentication is fundamentally flawed and should be reworked.
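The following is an added example, not Paxton's code, modelling the two flaws from the Description and Cause sections above: a server that dispatches base64-encoded XML calls, first without any gate (reproducing the behaviour the advisory describes) and then with a setup-complete flag and an authentication check in front of SetOperatorPassword and GetServerConfig. The XML layout, call names other than those on this page, passwords and connection string are constructed stand-ins; the real Net2 schema is not reproduced.

```python
import base64
import hmac
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed stand-in for the base64-encoded XML messages the advisory describes.
def encode_call(name, **args):
    root = ET.Element("call", name=name)
    for key, value in args.items():
        ET.SubElement(root, "arg", key=key, value=value)
    return base64.b64encode(ET.tostring(root)).decode("ascii")

def decode_call(blob):
    # Production code should parse untrusted XML with a hardened parser (e.g. defusedxml).
    root = ET.fromstring(base64.b64decode(blob))
    return root.get("name"), {a.get("key"): a.get("value") for a in root.findall("arg")}

@dataclass
class Session:
    authenticated: bool = False

@dataclass
class Server:
    hardened: bool                      # False reproduces the flaw: no gate on setup state or auth
    setup_complete: bool = True
    engineer_password: str = "initial-setup-password"                        # constructed value
    db_connection_string: str = "Server=db;User=sa;Password=<placeholder>"   # constructed value

    def _allowed(self, session, name):
        # SetOperatorPassword is legitimate only during first-time setup, or when an
        # already-authenticated operator changes it later; GetServerConfig only after login.
        if name == "SetOperatorPassword":
            return not self.setup_complete or session.authenticated
        if name == "GetServerConfig":
            return session.authenticated
        return True

    def handle(self, session, blob):
        name, args = decode_call(blob)
        if self.hardened and not self._allowed(session, name):
            return "DENIED"
        if name == "Login":
            ok = hmac.compare_digest(args.get("password", ""), self.engineer_password)
            session.authenticated = ok
            return "OK" if ok else "BAD_CREDENTIALS"
        if name == "SetOperatorPassword":
            self.engineer_password = args["password"]
            self.setup_complete = True      # the flag the advisory says is never set
            return "OK"
        if name == "GetServerConfig":
            return self.db_connection_string
        return "UNKNOWN_CALL"
```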
Interim Workaround
Deploy network-based access controls in front of the server component of the solution; install the client locally on the server to avoid exposing the protocol on the network.