OpenBMCS 2.4 Create Admin / Remote Privilege Escalation

Title: OpenBMCS 2.4 Create Admin / Remote Privilege Escalation
Advisory ID: ZSL-2022-5693
Type: Local/Remote
Impact: Privilege Escalation
Risk: (4/5)
Release Date: 16.01.2022
Summary
OpenBMCS is a Building Management & Controls System (BMCS). No matter the size of your business, the OpenBMCS software has the ability to expand to hundreds of controllers. The product can control and monitor anything from a garage door to a complete campus-wide network, with everything you need on board.
Description
The application suffers from insecure permissions and a privilege escalation vulnerability. A regular (non-administrative) user can create administrative users and/or elevate her own privileges by sending an HTTP POST request directly to specific PHP scripts in the '/plugins/useradmin/' directory, which do not restrict these actions to administrators.
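The condition described above can be screened for in the web server's access logs. The following Python script is an added example (not part of the advisory or of OpenBMCS): it parses Apache/nginx combined-format access lines and flags every POST to the '/plugins/useradmin/' directory, normalising the path so that encoded or '..'-laden variants are not missed. The sample log lines and the script file names inside them are constructed placeholders, since the advisory does not name the affected scripts; a flagged request still has to be matched against the application's own session and role records to confirm it came from a non-administrative user.

```python
import posixpath
import re
from collections import Counter
from urllib.parse import unquote

# Combined log format as written by Apache and nginx by default (assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Directory named in the advisory; any POST here deserves review.
WATCHED_PREFIX = "/plugins/useradmin/"

# Constructed sample lines (not real traffic). Script names are placeholders.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Jan/2022:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [16/Jan/2022:10:01:09 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [16/Jan/2022:10:02:30 +0000] "POST /plugins/useradmin/placeholder_a.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
10.0.0.5 - - [16/Jan/2022:10:02:45 +0000] "POST /plugins/useradmin/placeholder_b.php?x=1 HTTP/1.1" 200 70 "-" "Mozilla/5.0"
192.0.2.9 - - [16/Jan/2022:11:00:00 +0000] "GET /plugins/useradmin/placeholder_a.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""


def normalise_path(raw_path):
    """Drop the query string, percent-decode, and collapse '//' and '..'."""
    path = unquote(raw_path.split("?", 1)[0])
    return posixpath.normpath(path)


def find_useradmin_posts(log_text):
    """Return (ip, timestamp, path, status) for every POST under WATCHED_PREFIX.

    Each hit is a candidate for the missing-authorisation condition the
    advisory describes and must be cross-checked with the app's user roles.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that are not in combined format
        path = normalise_path(m.group("path"))
        if m.group("method") == "POST" and path.startswith(WATCHED_PREFIX):
            hits.append((m.group("ip"), m.group("ts"), path, int(m.group("status"))))
    return hits


def posts_per_source(log_text):
    """Count flagged POSTs per client address, for triage ordering."""
    return Counter(ip for ip, _, _, _ in find_useradmin_posts(log_text))


if __name__ == "__main__":
    for hit in find_useradmin_posts(SAMPLE_LOG):
        print("review:", *hit)
```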
Vendor
OPEN BMCS - https://www.openbmcs.com
Affected Version
2.4
Tested On
Linux Ubuntu 5.4.0-65-generic (x86_64)
Linux Debian 4.9.0-13-686-pae/4.9.228-1 (i686)
Apache/2.4.41 (Ubuntu)
Apache/2.4.25 (Debian)
nginx/1.16.1
PHP/7.4.3
PHP/7.0.33-0+deb9u9
Vendor Status
[26.10.2021] Vulnerability discovered.
[17.11.2021] Vendor contacted.
[15.01.2022] No response from the vendor.
[16.01.2022] Public security advisory released.
PoC
openbmcs_eop.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://www.exploit-db.com/exploits/50669
[2] https://packetstormsecurity.com/files/165582
[3] https://exchange.xforce.ibmcloud.com/vulnerabilities/217374
Changelog
[16.01.2022] - Initial release
[20.01.2022] - Added references [1], [2] and [3]
Contact
Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk