A proof-of-concept tool demonstrating the vulnerability disclosed by WithSecure in their advisory: Paxton Net2 RCE
BSides London talk by KevTheHermit and Benything Open Sesame – All Your Doors Are Belong To Us
Important
This vulnerability has been patched by Paxton. So update your server if you haven't.
This POC demonstrates a critical vulnerability in older versions of Paxton Net2 access control systems that allowed:
- Remote code execution via SQL Server
- Extraction of access cards and credentials
- Unauthorised door control
- Camera credential harvesting
The vulnerability has been addressed by Paxton. Always ensure your Net2 systems are updated to the latest version.
- Python 3.x
- PyQt6
- pyodbc
- pycryptodome
- SQL Server Native Client 11.0 (see SQL-driver-README.txt for download link)
Install Python dependencies:
pip install PyQt6 pyodbc pycryptodomepython net2pwn_GUI.py-
Connect to Target
- Enter the IP address of the Net2 server
- Click "Get Connection String" to establish connection
- The tool will attempt authentication with default credentials
-
Select Command
- Choose from available operations:
- Dump cards: Export all access card data to a file
- Dump cameras: Extract camera server credentials
- Run command: Execute arbitrary OS commands via xp_cmdshell
- Add user: Create a new user with specified card number
- Open doors: Unlock all connected doors
- Close doors: Lock all connected doors
- Choose from available operations:
-
Configure Command Parameters
- Depending on selected command, provide required inputs:
- File paths for dumps
- Command strings for execution
- Card numbers for user creation
- Depending on selected command, provide required inputs:
-
Execute
- Click "PWN!" to execute the selected operation
- Output will appear in the console area
- Vulnerability discovered and disclosed by WithSecure
- BSides London Talk by KevTheHermit and Benything Open Sesame – All Your Doors Are Belong To Us
- POC developed for BSides London
- Thanks to the Paxtogeddon crew
- Special thanks to everyone at Paxton for fixing these issues.
This is a proof-of-concept tool. The vulnerability it exploits has been patched by Paxton. System administrators should ensure all Net2 installations are updated to the latest version to protect against this vulnerability.