← Advisories

OpenBMCS 2.4 Create Admin / Remote Privilege Escalation

High

Advisory ID

ZSL-2022-5693

Release Date

16 January 2022

Vendor

OPEN BMCS - https://www.openbmcs.com

Affected Version

2.4

CVE

N/A

Tested On

Linux Ubuntu 5.4.0-65-generic (x86_64), Linux Debian 4.9.0-13-686-pae/4.9.228-1 (i686), Apache/2.4.41 (Ubuntu), Apache/2.4.25 (Debian), nginx/1.16.1, PHP/7.4.3, PHP/7.0.33-0+deb9u9

Summary

Building Management & Controls System (BMCS). No matter what the size of your business, the OpenBMCS software has the ability to expand to hundreds of controllers. Our product can control and monitor anything from a garage door to a complete campus wide network, with everything you need on board.

Description

The application suffers from an insecure permissions and privilege escalation vulnerability. A regular user can create administrative users and/or elevate her privileges by sending an HTTP POST request to specific PHP scripts in '/plugins/useradmin/' directory.

Proof of Concept

openbmcs_eop.txtTXT

Disclosure Timeline

26.10.2021Vulnerability discovered.

17.11.2021Vendor contacted.

15.01.2022No response from the vendor.

16.01.2022Public security advisory released.

Credits

Vulnerability discovered by Gjoko Krstic

References

[1]https://www.exploit-db.com/exploits/50669

[2]https://packetstormsecurity.com/files/165582

[3]https://exchange.xforce.ibmcloud.com/vulnerabilities/217374

Changelog

16.01.2022Initial release

20.01.2022Added reference [1], [2] and [3]