KevinLAB BEMS 1.0 Undocumented Backdoor Account
Vendor: KevinLAB Inc.
Product web page: http://www.kevinlab.com
Affected version: 4ST L-BEMS 1.0.0 (Building Energy Management
System)
Summary: KevinLab is a venture company specialized in IoT, Big
Data, A.I based energy
management platform. KevinLAB's BEMS (Building Energy Management
System) enables
efficient energy management in buildings. It improves the efficient
of energy use
by collecting and analyzing various information of energy usage and
facilities in
the building. It also manages energy usage, facility efficiency and
indoor environment
control.
Desc: The BEMS solution has an undocumented backdoor account and
these sets of
credentials are never exposed to the end-user and cannot be changed
through any
normal operation of the solution thru the RMI. Attacker could
exploit this
vulnerability by logging in using the backdoor account with highest
privileges
for administration and gain full system control. The backdoor user
cannot be
seen in the users settings in the admin panel and it also uses an
undocumented
privilege level (admin_pk=1) which allows full availability of the
features that
the BEMS is offering remotely.
Tested on: Linux CentOS 7
Apache 2.4.6
Python 2.7.5
PHP 5.4.16
MariaDB 5.5.68
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5654
Advisory URL:
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5654.php
05.07.2021
--
Backdoor accounts from the DB:
------------------------------
Username: kevinlab (permission=1)
Password: kevin003
Username: developer1 (permission=6)
Password: 1234