Saturday, January 18, 2020

[KMS Controls] Backdoor in "BACnet Building Controller" (CVE-2020-7233)

The "BAC-A1616BC" controller model from KMS Controls has a backdoor in the embedded web service it ships with.

Web Server Functions
  • Built-in web configuration pages allow a web browser to configure I/Os and objects, monitor values and alarms (configuration/monitoring also available through TotalControl), and set up users and passwords.
  • Firmware upgradable (without requiring physical access) through the web or Ethernet connection, allowing easy updates
  • Custom web graphical interface (created/published in TotalControl, ver. 1.7 or higher)

[UHP Networks] Multiple Reflected XSS in UHP routers (CVE-2020-7235 - CVE-2020-7236)


UHP Networks is a company dedicated to developing, manufacturing and marketing VSAT satellite networking equipment. Its main products are the UHP universal satellite routers, whose main application is broadband, SCADA and multimedia connectivity in large VSAT networks using HTS (High Throughput Satellite).

When searching for these devices in ZoomEye, I found several administration panels of the UHP-100 device, most of which were accessible without credentials.

When accessing one of these devices, I noticed that it was possible to change any of the site, profile and network parameters.

Reflected XSS #1

In the profiles section, the “Title” field caught my attention, since it was the only one where I could enter free text. So I decided to try simple HTML payloads and JavaScript code.

Before entering my payload in the field, I increased the maximum length, since it was not possible to enter more than 10 characters.

When the changes were applied, the XSS fired immediately; I had expected it to fire only when opening the profiles tab, where the titles of all profiles are displayed. I then reviewed the request that was sent and noticed that the data was sent via GET to "http://[IP]/cB3", which reflected it right there.

Then I decided to go directly to the page where the data is sent, but this time using only the “da” and “ta” parameters, which correspond to the profile number and the title. On requesting the page with just these parameters, the XSS was once again successful.

Reflected XSS #2

I tried the same thing in the "Site name" field of the "Site setup" section, and the XSS was triggered as well.

Using these simple URLs, we can determine whether a UHP device is vulnerable:

• XSS 1: http://[ IP ]/cw2?td=%22%3E%3Csvg%2Fonload%3Dalert(1)%3E
• XSS 2: http://[ IP ]/cB3?da=9&ta=%22%3E%3Csvg%2Fonload%3Dalert(1)%3E

Tested on:
Version (03.10.2017)
Version (26.01.2018)
Version 3.4.3 (18.07.2018)
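The two URLs above are also what a defender would look for in the device's or a reverse proxy's access log. The following is an added example, not code from the original post or from UHP Networks: it parses Common Log Format lines (the sample lines are constructed), decodes the "td" and "ta" parameters of the /cw2 and /cB3 endpoints, and flags values containing markup or event-handler fragments, which a site name or profile title should never contain. The log format and the decision rule are assumptions.

```python
"""Flag reflected-XSS probes against the UHP /cw2 and /cB3 endpoints in access logs."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoints and the parameters the advisory identifies as reflected without encoding.
REFLECTED_PARAMS = {
    "/cw2": {"td"},   # Site setup -> "Site name"
    "/cB3": {"ta"},   # Profiles -> "Title" ("da" is the profile number)
}

# Fragments that should never appear in a site name or a profile title.
SUSPICIOUS = re.compile(r"<|>|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)

# Common Log Format (assumed): host ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines: two probes, one legitimate title change, one unrelated hit.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Jan/2020:10:00:01 +0000] "GET /cw2?td=%22%3E%3Csvg%2Fonload%3Dalert(1)%3E HTTP/1.1" 200 512
203.0.113.5 - - [18/Jan/2020:10:00:02 +0000] "GET /cB3?da=9&ta=%22%3E%3Csvg%2Fonload%3Dalert(1)%3E HTTP/1.1" 200 498
198.51.100.7 - - [18/Jan/2020:10:01:00 +0000] "GET /cB3?da=1&ta=Remote%20Site%201 HTTP/1.1" 200 498
198.51.100.7 - - [18/Jan/2020:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 1024
"""


def scan_line(line):
    """Return a finding dict for a probe against a watched parameter, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    watched = REFLECTED_PARAMS.get(parts.path)
    if not watched:
        return None
    # parse_qs already percent-decodes once; decode a second time to catch
    # double-encoded payloads that the browser would decode on reflection.
    params = parse_qs(parts.query, keep_blank_values=True)
    for name in sorted(watched):
        for raw in params.get(name, []):
            value = unquote(raw)
            if SUSPICIOUS.search(value):
                return {
                    "host": m.group("host"),
                    "time": m.group("time"),
                    "path": parts.path,
                    "param": name,
                    "value": value,
                }
    return None


def scan_log(text):
    """Scan a whole log and return the list of findings in log order."""
    findings = []
    for line in text.splitlines():
        hit = scan_line(line)
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['host']} {f['path']} {f['param']}={f['value']!r}")
```

Run on the constructed sample it reports the two probe lines and ignores the ordinary title "Remote Site 1". On a real deployment the same logic belongs in the log pipeline of the device's upstream proxy, since the UHP web server reflects the value before any fix can be applied on the device itself.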

[Westermo] Source Code Disclosure in Router MRD-315 (CVE-2020-7227)

Westermo is a company that provides a full range of industrial data communications solutions for demanding applications in the transport, water and energy markets, among others. It has its own line of network products, one of which is the MRD Series.

Searching for interesting devices on Shodan, I came across one of these Westermo technologies, industrial routers used for the different operations that ICS products perform (

The device has an HTTP web page on port 80, which lets us enter the administration panel with the correct credentials. The manual indicates that the default credentials of these devices are admin:westermo, so with a bit of luck we can get into these devices hosted on the internet.

One of the first things I noticed on the web page is that the device uses different URLs ending in the ASP extension, so the web application runs on Visual Basic Script or JScript. Browsing some of the device's functionalities, I began to capture some of the requests made by the application frontend.

In this case I am trying to change the admin password and everything flows normally, but if we delete a mandatory field from the request (for example, the "usr" parameter), the application crashes and shows us an error containing the full source code.

And here it is, the source code of the system.asp file. Similarly, the same can be done with other functionalities to obtain a large part of the application's source code.

Let's see another example. If we navigate to Network --> Diagnostics, we can execute a ping command to test connectivity.

If we capture the request in the frontend, we can delete a mandatory parameter and reveal the application source code.

With some patience, an attacker can reveal a large amount of the source code and search it for further vulnerabilities in the web application.

This was tested on MRD-315 firmware v1.7.4.0 and v1.7.3.0.
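Because the leak happens in the error page the router returns, a practical mitigation while waiting for a firmware fix is to inspect responses at a reverse proxy in front of the device. The following is an added example, not code from the original post or from Westermo: it parses a raw HTTP response, looks for ASP server-side delimiters and server-object references in the body, and reports a finding so the response can be dropped or alerted on. The sample responses are constructed stand-ins for the router's real error page; the detection rule is an assumption.

```python
"""Detect server-side ASP source leaking into an HTTP response body."""
import re

# ASP code blocks and the classic server objects that only belong in server-side code.
ASP_BLOCK = re.compile(r"<%.*?%>", re.DOTALL)
SERVER_OBJECT = re.compile(r"\b(?:Request|Response|Server|Session|Application)\.[A-Za-z]+")

# Constructed: what a source-disclosing error page might look like. This is NOT the
# device's real system.asp, only an illustrative stand-in.
LEAKY_RESPONSE = (
    b"HTTP/1.1 500 Internal Server Error\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body><h1>Error</h1><pre>\n"
    b"<%\n"
    b"' constructed placeholder for leaked server-side code\n"
    b'usr = Request.Form("usr")\n'
    b'If usr = "" Then Response.Write("missing user")\n'
    b"%>\n"
    b"</pre></body></html>\n"
)

# Constructed: an ordinary page that must not be flagged.
CLEAN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body><form action='system.asp' method='post'>"
    b"<input name='usr'></form></body></html>\n"
)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, headers dict, body text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("utf-8", errors="replace")


def asp_source_leak(raw):
    """Return a finding dict describing whether the response body carries ASP source."""
    status, headers, body = parse_response(raw)
    blocks = ASP_BLOCK.findall(body)
    objects = sorted(set(SERVER_OBJECT.findall(body)))
    # A single <% ... %> block is decisive; server-object references alone are a
    # weaker signal, so they only count when the server also reported an error.
    leaked = bool(blocks) or (status >= 500 and bool(objects))
    return {
        "status": status,
        "content_type": headers.get("content-type", ""),
        "asp_blocks": len(blocks),
        "leaked_lines": sum(b.count("\n") + 1 for b in blocks),
        "server_objects": objects,
        "leaked": leaked,
    }


if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY_RESPONSE), ("clean", CLEAN_RESPONSE)):
        print(label, asp_source_leak(raw))
```

The `leaked_lines` count gives an idea of how much source a single malformed request exposed; combined with the request that triggered it, that is enough to write a proxy rule that strips the body of 5xx responses from the router's ASP pages and alerts on them.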