Tuesday, July 21, 2020

[KMC Controls] Backdoor in "BACnet Building Controller" (CVE-2020-7233)

The KMC BACnet Building Controller BAC-A1616BC has a "backdoor" on the embedded web service.

Web Server Functions

    • Built-in web configuration pages allow web browsers to configure I/Os and objects, monitor values and alarms (configuration/monitoring also available through TotalControl), and set up users and passwords.
    • Upgradable firmware (without requiring physical access) through the web or Ethernet connection, allowing easy updates.
    • Custom web graphical interface (created/published in TotalControl, ver. 1.7 or higher)

    The steps to identify the "backdoor" are briefly described below.

    Login form:


    Show source code:

    Download flash:

    Decompile flash:

    Use the Binwalk tool to extract known file types

     ... and to look up classic search criteria:

    Logic of login form

    User: ""
    Pass: "snowman"

    We are now able to access the new (secret) panel.
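
A check a vendor or auditor could run over the decompiled ActionScript and Binwalk output to catch this class of flaw before release: it flags password-like variables compared against a non-empty string literal. This is an added example, not code from the original post or from KMC; the identifier patterns, file extensions, and the sample snippet are assumptions constructed for illustration.

```python
import os
import re

# Identifier that looks like a credential variable (assumed naming; extend as needed).
NAME = r"[\w.]*(?:pass|pwd|secret)[\w.]*"
# A single- or double-quoted string literal on one line.
LIT = r'''(?:"[^"\n]*"|'[^'\n]*')'''
# Equality against a literal, in either operand order (== or ===, as in ActionScript/JS).
PATTERNS = [
    re.compile(rf"(?P<name>{NAME})\s*===?\s*(?P<lit>{LIT})", re.I),
    re.compile(rf"(?P<lit>{LIT})\s*===?\s*(?P<name>{NAME})", re.I),
]

def scan_source(text):
    """Return (line_no, identifier, literal) for each credential == non-empty literal."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for pat in PATTERNS:
            for m in pat.finditer(line):
                literal = m.group("lit")[1:-1]
                if literal:  # skip `pass == ""`, which is an emptiness check
                    findings.append((no, m.group("name"), literal))
    return findings

def scan_tree(root, exts=(".as", ".js", ".txt", ".xml")):
    """Scan decompiler/extraction output under root; returns {path: findings}."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(exts):
                path = os.path.join(dirpath, fn)
                with open(path, errors="replace") as fh:
                    hits = scan_source(fh.read())
                if hits:
                    report[path] = hits
    return report

# Constructed sample of decompiled ActionScript (not the vendor's code).
SAMPLE = '''function doLogin(user:String, pass:String):void {
    if (pass == "") { showError("required"); return; }
    if (user == "" && pass == "PLACEHOLDER") { gotoAndStop("panel"); return; }
    if ("PLACEHOLDER2" === this.pwd) { return; }
    sendToServer(user, pass);
}'''

if __name__ == "__main__":
    for hit in scan_source(SAMPLE):
        print("hard-coded credential comparison:", hit)
```

Any hit in client-delivered code means the check can be read by whoever downloads the file; authentication decisions belong on the controller side, with no literal credentials in the shipped artifact.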

