Tuesday, July 21, 2020

[KMC Controls] Backdoor in "BACnet Building Controller" (CVE-2020-7233)

The KMC BACnet Building Controller BAC-A1616BC has a "backdoor" on the embedded web service.




Web Server Functions

    • Built-in web configuration pages allow web browsers to configure I/Os and objects, monitor values and alarms (configuration/monitoring also available through TotalControl), and set up users and passwords.
    • Upgradable firmware (without requiring physical access) through the web or Ethernet connection, allowing easy updates
    • Custom web graphical interface (created/published in TotalControl, ver. 1.7 or higher)

    The steps to identify the "back door" are briefly described below.


    Login form:

     


    Show source code:



    Download flash:





    Decompile flash:
    http://pdfrecover.herokuapp.com/swfdecompiler/




    Use the Binwalk tool to Extract known file types




     ... and to look up classic search criteria:


     
    Logic of login form


    User: ""
    Pass: "snowman"


    We are now able to access the new (secret) panel.
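
When auditing your own firmware's web assets, the search step above can be automated. The following Python script is an added example, not code from the original post or from the vendor: it flags credential-like identifiers that are compared against string literals in decompiled or extracted script text. The keyword list, the file extensions and the sample ActionScript are assumptions constructed for illustration.

```python
import os
import re

# Heuristic fragments that usually name credential fields (an assumption of this example).
CRED_NAME = r"[\w.]*(?:pass(?:word|wd)?|pwd|secret|user(?:name)?|login)[\w.]*"
STRING_LIT = r"""(?:"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')"""
CMP_OP = r"\s*(?:===?|!==?)\s*"
# A credential-like identifier compared with a string literal, in either order.
HARDCODED_CMP = re.compile(
    rf"(?P<n1>{CRED_NAME}){CMP_OP}(?P<l1>{STRING_LIT})"
    rf"|(?P<l2>{STRING_LIT}){CMP_OP}(?P<n2>{CRED_NAME})", re.IGNORECASE)

def find_hardcoded_credentials(source):
    """Return [(line_no, identifier, literal)] for credential/literal comparisons."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith("//"):      # skip commented-out code
            continue
        for m in HARDCODED_CMP.finditer(line):
            literal = (m.group("l1") or m.group("l2"))[1:-1]
            if literal:                         # "" is usually an empty-field check
                findings.append((line_no, m.group("n1") or m.group("n2"), literal))
    return findings

def scan_tree(root, extensions=(".as", ".js", ".html", ".txt")):
    """Scan decompiled/extracted text files under root; returns {path: findings}."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(extensions):
                path = os.path.join(folder, name)
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    hits = find_hardcoded_credentials(fh.read())
                if hits:
                    report[path] = hits
    return report

# Constructed sample (not the controller's real code) standing in for decompiled ActionScript.
SAMPLE_AS = '''\
function onLogin():void {
    // if (passField.text == "old-test-value") legacy, commented out
    if (userField.text == "" && passField.text == "EXAMPLE-SECRET") {
        gotoAndStop("hiddenPanel");
    }
    if ("svc-EXAMPLE" === loginName) { enableDebug(); }
}
'''

if __name__ == "__main__":
    print(find_hardcoded_credentials(SAMPLE_AS))
```

Every finding is a candidate for review, not proof of a backdoor: a client-side comparison against a fixed literal means the secret ships to every browser that loads the page.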





    @_IndustrialArmy 
