Saturday, January 18, 2020

[KMS Controls] Backdoor in "BACnet Building Controller" (CVE-2020-7233)

El controlador modelo "BAC-A1616BC" de la firma KMS Controls cuentan con una puerta trasera sobre el servicio web que traen embebido.

Web Server Functions
  • Built-in web configuration pages allow web browser to configure I/Os and objects, monitor values and alarms (configuration/monitoring also available through TotalControl), and set-up users and passwords.)
  • Firmware upgradable (without requiring physical access) through the web or Ethernet connection, allowing easy updates
  • Custom web graphical interface (created/published in TotalControl, ver. 1.7 or higher)

Login form

Show source code:

Download flash

#Descompile flash:

Use tool Binwalk, for Extract known file types 

... and searching for classic search criteria, 

Logic of login form

User: ""
Pass: "snowman"

now is possible access to new (secret) panel




0 comentarios:

Post a Comment