Saturday, January 18, 2020

[KMS Controls] Backdoor in "BACnet Building Controller" (CVE-2020-7233)



El controlador modelo "BAC-A1616BC" de la firma KMS Controls cuentan con una puerta trasera sobre el servicio web que traen embebido.




Web Server Functions
  • Built-in web configuration pages allow web browser to configure I/Os and objects, monitor values and alarms (configuration/monitoring also available through TotalControl), and set-up users and passwords.)
  • Firmware upgradable (without requiring physical access) through the web or Ethernet connection, allowing easy updates
  • Custom web graphical interface (created/published in TotalControl, ver. 1.7 or higher)

Login form




Show source code:



Download flash






#Descompile flash:
http://pdfrecover.herokuapp.com/swfdecompiler/



Use tool Binwalk, for Extract known file types 



... and searching for classic search criteria, 


Logic of login form


User: ""
Pass: "snowman"



now is possible access to new (secret) panel


Saludos,


Ezequiel

Autor

0 comentarios:

Post a Comment

 
biz.