Widely used Uniguest Kiosk software found exposing several sensitive details

• Researchers had found that a Uniguest website (ucrew.uniguest.com) was publicly exposed on the internet.
• The website appeared to contain all the tools that technicians would need to deploy or manage a kiosk at their locations.

Two serious flaws in Uniguest manufactured kiosk software can allow attackers to compromise users’ private details. This kiosk software is widely used by businesses in various sectors.

What’s the matter?

Researchers from Trustwave SpiderLabs had found that a Uniguest website (ucrew.uniguest.com) was publicly exposed on the internet. The website appeared to contain all the tools that technicians would need to deploy or manage a kiosk at their locations.

The website also contained an application called SystemSleuth, which could be downloaded by anyone accessing a Uniguest subdomain specifically meant for company’s technicians. This allowed the researchers to retrieve all the data dumped in the Uniguest cloud database, which included admin, router and BIOS passwords. The data also contained information about product keys and various other sensitive information related to Uniguest’s customers.

Where do the problems exist?

Trustwave researchers discovered that the publicly exposed ‘ucrew.uniguest.com’ website required no authentication for access. Furthermore, the SystemSleuth tool, which is written in C# could be easily decompiled to source code using dnSpy. SystemSleuth’s purpose is to collect asset information such as product keys, asset tags, passwords, and various other sensitive details and send them to a Salesforce API.

The second problem existed in the Salesforce API. The researchers revealed that the API is accessible via the SOAP protocol.

“The Salesforce API is accessible via the SOAP protocol, and we can use the open-source SoapUI tool to run some test queries. First, we need a session ID issued by authenticating to the Salesforce SOAP API. The server responds with a session key which we can use in subsequent requests,” researchers explained.

“We can now dump all the data in the Uniguest cloud database, which includes admin, router and BIOS passwords, product keys and various other sensitive information, for what looked like all of Uniguest's customers.”

What is the impact?

With the available information, adversaries can deploy keyloggers, remote access trojans and other malware, thus launching attacks against hotel guests or business patrons.

What is the response from Uniguest?

Uniguest has been informed about the issue following which the company has secured the vulnerable website with an authentication process. However, SystemSleuth and the API credentials may still be vulnerable and could be found managed systems, researchers noted.