Saturday, April 1, 2023

smilePOS RCE via MS .NET Remoting


While searching the internets for MS .NET Remoting deployments to test my service name brute force script, I stumbled on a gem. 

While testing I noticed a lot of systems with port 9099 was vulnerable to MS .NET Remoting abuse that also had a web port with a smilePOS login page served up. First I ever heard of this, so a quick Google search suggested these were a POS device of sorts, this made sense since all the ones I had found had all the same ports and services running. 

So with a bit more looking around I could confirm RCE on all found smilePOS devices, 2021.1.2103.0 is the only version tested. The service names my tool were able to identify are r1 and r2. If anyone has something to add please let me know, otherwise enjoy.

No comments: