(Before reading the following blog post, be aware that I have never bypassed any authorization mechanism, nor did I break, access or change anything I was not allowed to.)
Last weekend, I went snowboarding in the Swiss mountains and the weather, including the snow, was just perfect. Because the winter sport season hasn't started yet, there wasn't much going on in the evening, so I was using one of the public hotspots of the hotel. As you can imagine, I had to do some security-related stuff, so I surfed to the hotel's website. There are SQL injections, XSS, local file inclusions and much more, but I don't want to talk about that because there was something much more interesting. Normally, when you offer a hotspot as a hotel or any other company, you should separate it from your internal LAN, but don't think that anyone is really doing this unless they have to for some reason. So, my IP address was now 192.168.44.36, which is an internal IP address. The next step was of course to use everyone's friend nmap, and let's see what I've got:
Interesting ports on 192.168.1.5:
PORT STATE SERVICE VERSION
25/tcp open smtp Microsoft ESMTP 5.0.2195.6713
80/tcp open http Microsoft IIS webserver 5.0
Jackpot: I've got a Microsoft IIS 5.0 web server on the standard HTTP port 80, which hopefully means an internal web application.
I connected to 192.168.1.5 with my favorite web browser and wow, amazing security measures there. No sorry, I'm just joking. There were no security measures at all. I simply got a menu where I could choose a "console". I took the first one because the others seemed to be offline. Oh my god (who is, by the way, the FSM), I now had control over more or less the whole hotel (don't ask me why this is the case with the product of a company describing itself as "OTRUM is a leading provider of interactive TV solutions and content to the hospitality industry.").
Let's have a look at who my neighbors are:
[screenshot of the reception console listing the guests]
Cool stuff, with this I even know in which language I can say good morning to my neighbors.
There was much more information than just the things for the reception. When you clicked on "Main Menu", you had several other options than just "Reception". For example, you were able to create new rooms, new employers, new TV channels, have a look at a whole bunch of statistics or even define a room's temperature, and much more. The funniest thing I found (which wasn't used by the hotel I was in) was a statistic checking if the mini bar has been opened and how many times. My advice, if you want to make the guys at the reception look strangely at you, would be to open your mini bar at least one hundred times a day.
As you can imagine, it was fun to see all this stuff, and an evil guy (or girl) could have done nasty stuff there, but hey, I never had to authenticate myself, so it was open to everyone, and because of this it's not illegal to just surf this "website".
For sure this application was the most interesting thing for me, but there were even more security problems, like:
http://192.168.1.5/cgi-bin/thrusocket.pl?&gltemplatefile=../../../../../boot.ini
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Server" /fastdetect
OK, anyone can read your data on the server, but who wants to read files if you can make an automated wake-up call at 5 o'clock in the morning to every guest in the whole hotel?
There was also a directory listing at http://192.168.1.5/cgi-bin/ and some other not really interesting things. I can say that I enjoyed the stay in this hotel for sure.
Lesson learned here: Don't let security guys into your hotel if you don't want them to have a look at your infrastructure.
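The gltemplatefile traversal above is a plain "user input used as a file path" bug. As an added example (not OTRUM's code, nor anything from the hotel's server), here is how a template loader should confine that parameter to its template directory, plus a small check over constructed IIS W3C log lines that flags the requests an administrator could have spotted. TEMPLATE_ROOT, the log field order and the timestamps are assumptions; the first logged request is the one shown in the post.

```python
import posixpath
import re
from urllib.parse import unquote

# Hypothetical directory the CGI is meant to load templates from.
TEMPLATE_ROOT = "/srv/otrum/templates"
# Matches a '..' path segment after separators have been normalised.
DOTDOT = re.compile(r"(^|/)\.\.(/|$)")


def decode(value: str) -> str:
    """Percent-decode twice (catches %252e double encoding); IIS on Windows
    also accepts backslashes, so treat them as '/' before any check."""
    return unquote(unquote(value)).replace("\\", "/")


def safe_template_path(requested: str, root: str = TEMPLATE_ROOT):
    """Return the template path under ROOT, or None if the name escapes it."""
    name = decode(requested)
    if "\0" in name or name.startswith("/") or re.match(r"^[A-Za-z]:", name):
        return None
    resolved = posixpath.normpath(posixpath.join(root, name))
    # normpath collapses '..' segments; anything outside ROOT is rejected,
    # as is an empty name that would resolve to ROOT itself.
    if not resolved.startswith(root + "/"):
        return None
    return resolved


def find_traversal_attempts(log_lines):
    """Flag W3C-format IIS log lines whose query string contains '..' segments.
    Assumed field order: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if line.startswith("#") or len(fields) < 7:
            continue
        client_ip, stem, query = fields[2], fields[4], fields[5]
        if DOTDOT.search(decode(query)):
            hits.append((client_ip, stem, query))
    return hits


# Constructed sample log; the first request is the one shown in the post.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2008-11-30 21:04:12 192.168.44.36 GET /cgi-bin/thrusocket.pl gltemplatefile=../../../../../boot.ini 200
2008-11-30 21:04:40 192.168.44.36 GET /cgi-bin/thrusocket.pl gltemplatefile=..%255c..%255cboot.ini 200
2008-11-30 21:05:02 192.168.44.12 GET /cgi-bin/thrusocket.pl gltemplatefile=lobby/welcome.tpl 200
2008-11-30 21:05:30 192.168.44.12 GET /index.html - 200""".splitlines()

if __name__ == "__main__":
    for ip, stem, query in find_traversal_attempts(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {stem}?{query}")
```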
You forget that IIS 5.0 is also the perfect remote control ever made by Microsoft, ahhahahah
First Upload, then execute. Perfect.