WEMS BEMS 21.3.1 Undocumented Backdoor Account

Title: WEMS BEMS 21.3.1 Undocumented Backdoor Account
Advisory ID: ZSL-2019-5552
Type: Local/Remote
Impact: System Access, DoS
Risk: (5/5)
Release Date: 29.12.2019
Summary
We (WEMS) offer the world's first fully wireless energy management system. Our solution enables your organization to take control of its energy costs, by monitoring lighting, heating and air conditioning equipment to identify wastage across multiple sites and start saving money instantly. Additionally, we offer a service which enables you to personally control the settings of your building - remotely, via text messaging and the internet - from wherever you happen to be in the world.
Description
The wireless BMS solution has an undocumented backdoor account whose credentials are stored Base64-encoded. These credentials are never exposed to the end user and cannot be changed through any normal operation of the controller via the RMI. An attacker could exploit this vulnerability by logging in with the backdoor account, which carries the highest administrative privileges, and gain full control of the system. The check_users.sh Bash script is used to generate the default accounts on the system together with their passwords and privilege levels. The backdoor user is not listed in the user settings of the admin panel, and it is created with an undocumented privilege level 3 via the addhttpuser program, which grants full access to every feature the WEMS offers remotely. WEMS also ships with hard-coded, weak credentials for Telnet/FTP access: gast:glasshou and root:glasshou.
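The description above names three things an operator can check for on a controller image: accounts that exist on the system but are not shown in the admin panel, accounts created at the undocumented privilege level 3, and accounts that still carry the published default passwords. The following script is an added defensive audit example written for this advisory; it is not code from WEMS or from Zero Science Lab. The account-file format it parses (user:base64(password):level) is a constructed stand-in, not the real layout produced by check_users.sh, and the set of "documented" privilege levels {1, 2} is an assumption; the default password it flags is the one named in the advisory.

```python
import base64
import binascii

# Constructed sample input. The format "user:base64(password):level" is an
# assumption for this example, not the real file layout used by the device.
SAMPLE_USERS = """\
admin:YWRtaW4=:2
operator:b3BlcmF0b3I=:1
root:Z2xhc3Nob3U=:2
svc:Z2xhc3Nob3U=:3
"""

# Users the admin panel displays (constructed for this example).
PANEL_VISIBLE = {"admin", "operator", "root"}

# Assumption: levels 1 and 2 are the documented ones; the advisory states
# that level 3 is undocumented.
DOCUMENTED_LEVELS = {1, 2}

# Default password named in the advisory for the Telnet/FTP accounts.
KNOWN_DEFAULT_PASSWORDS = {"glasshou"}


def parse_users(text):
    """Parse account lines into (name, cleartext_password, level) tuples."""
    users = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected user:b64pass:level")
        name, b64, level = parts
        try:
            # validate=True rejects entries that are not clean Base64.
            password = base64.b64decode(b64, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError) as exc:
            raise ValueError(f"line {lineno}: bad Base64 password for {name}") from exc
        users.append((name, password, int(level)))
    return users


def audit(text, visible):
    """Return (account, reason) findings for hidden, over-privileged or default-credential accounts."""
    findings = []
    for name, password, level in parse_users(text):
        if name not in visible:
            findings.append((name, "hidden: not shown in the admin panel user list"))
        if level not in DOCUMENTED_LEVELS:
            findings.append((name, f"undocumented privilege level {level}"))
        if password in KNOWN_DEFAULT_PASSWORDS:
            findings.append((name, "uses a published default password"))
    return findings


if __name__ == "__main__":
    for name, reason in audit(SAMPLE_USERS, PANEL_VISIBLE):
        print(f"{name}: {reason}")
```

On the constructed sample the audit reports root for the default password and svc three times (hidden from the panel, privilege level 3, default password); on a real controller the same three conditions are what to look for when comparing the on-disk account list against what the admin panel shows.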
Vendor
WEMS Limited - https://www.wems.co.uk
Affected Version
Web: 21.3.1
Web: 20.0beta
Web: 19.5
Web: 18.4
Firmware: 1.26.6 (OS: 5.3)
Firmware: 1.23.7 (OS: 5.0)
Firmware: 1.21.4 (OS: 4.1a-usb)
Firmware: 1.18.0.3 (OS: i686-1.1)
Tested On
Linux 2.6.16 armv5tejl
thttpd/2.25b
Adam 7000 System
WEMS OS 5.3
Vendor Status
[06.07.2019] Vulnerability discovered.
[13.08.2019] Vendor contacted.
[29.08.2019] No response from the vendor.
[30.08.2019] Vendor contacted.
[02.09.2019] No response from the vendor.
[03.09.2019] Vendor contacted.
[28.12.2019] No response from the vendor.
[29.12.2019] Public security advisory released.
PoC
wems_backdoor.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://www.exploit-db.com/exploits/47817
[2] https://packetstormsecurity.com/files/155782/WEMS-BEMS-21.3.1-Undocumented-Backdoor-Account.html
[3] https://exchange.xforce.ibmcloud.com/vulnerabilities/173630
[4] https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-22003
[5] https://nvd.nist.gov/vuln/detail/CVE-2020-22003
Changelog
[29.12.2019] - Initial release
[24.01.2020] - Added reference [1], [2] and [3]
[19.06.2021] - Added reference [4] and [5]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk