# Exploit Title: KevinLAB BEMS 1.0 - Undocumented Backdoor Account
# Date: 05.07.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.kevinlab.com

Vendor: KevinLAB Inc.
Product web page: http://www.kevinlab.com
Affected version: 4ST L-BEMS 1.0.0 (Building Energy Management System)

Summary: KevinLab is a venture company specializing in an IoT, Big Data and A.I.
based energy management platform. KevinLAB's BEMS (Building Energy Management
System) enables efficient energy management in buildings. It improves the
efficiency of energy use by collecting and analyzing various information on
energy usage and facilities in the building. It also manages energy usage,
facility efficiency and indoor environment control.

Desc: The BEMS solution has an undocumented backdoor account. These credentials
are never exposed to the end-user and cannot be changed through any normal
operation of the solution through the RMI. An attacker could exploit this
vulnerability by logging in using the backdoor account with the highest
privileges for administration and gain full system control. The backdoor user
cannot be seen in the users settings in the admin panel, and it also uses an
undocumented privilege level (admin_pk=1) which allows full availability of the
features that the BEMS is offering remotely.

Tested on: Linux CentOS 7
           Apache 2.4.6
           Python 2.7.5
           PHP 5.4.16
           MariaDB 5.5.68


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2021-5654
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5654.php


05.07.2021

--


Backdoor accounts from the DB:
------------------------------

Username: kevinlab (permission=1)
Password: kevin003

Username: developer1 (permission=6)
Password: 1234
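
Added audit example (not part of the original advisory or the vendor's code): it compares account rows read directly from the database with the users the admin panel shows, and flags the accounts named above, hidden accounts and undocumented permission levels. The column names, the sample rows and the set of documented permission levels are assumptions, since the advisory does not show the BEMS schema.

```python
# Added example: account audit for the backdoor condition described above.
# Column names ("username", "permission") are assumed, not taken from BEMS.

KNOWN_BACKDOOR_USERS = {"kevinlab", "developer1"}  # usernames listed in ZSL-2021-5654


def audit_accounts(db_rows, panel_users, documented_levels):
    """Return {username: [reasons]} for accounts that need review.

    db_rows           -- rows read directly from the account table
    panel_users       -- usernames visible in the admin panel's user settings
    documented_levels -- permission values the operator considers documented
    """
    findings = {}
    for row in db_rows:
        name = row["username"]
        reasons = []
        if name.lower() in KNOWN_BACKDOOR_USERS:
            reasons.append("listed in advisory")
        if name not in panel_users:
            reasons.append("hidden from admin panel")
        if row["permission"] not in documented_levels:
            reasons.append("undocumented permission level %s" % row["permission"])
        if reasons:
            findings[name] = reasons
    return findings


# Constructed sample data, for illustration only.
SAMPLE_ROWS = [
    {"username": "kevinlab", "permission": 1},
    {"username": "developer1", "permission": 6},
    {"username": "facility_admin", "permission": 2},
    {"username": "operator7", "permission": 3},
    {"username": "svc_sync", "permission": 1},  # renamed account, same level
]
SAMPLE_PANEL = {"facility_admin", "operator7"}  # what the admin panel lists
SAMPLE_DOCUMENTED = {2, 3, 6}                   # assumption for this sample

if __name__ == "__main__":
    result = audit_accounts(SAMPLE_ROWS, SAMPLE_PANEL, SAMPLE_DOCUMENTED)
    for user in sorted(result):
        print("%-12s %s" % (user, "; ".join(result[user])))
```

Checking visibility and permission level as well as the username catches an account that has been renamed but keeps the hidden, highest-privilege profile.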