Title: OpenBMCS 2.4 Secrets Disclosure
Advisory ID: ZSL-2022-5695
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information, System Access
Risk: (4/5)
Release Date: 16.01.2022

Summary

Building Management & Controls System (BMCS). No matter what the size of your business, the OpenBMCS software has the ability to expand to hundreds of controllers. Our product can control and monitor anything from a garage door to a complete campus wide network, with everything you need on board.

Description

The application allows directory listing and information disclosure of some sensitive files that can allow an attacker to leverage the disclosed information and gain full BMS access.

Vendor

OPEN BMCS - https://www.openbmcs.com

Affected Version

2.4

Tested On

Linux Ubuntu 5.4.0-65-generic (x86_64)
Linux Debian 4.9.0-13-686-pae/4.9.228-1 (i686)
Apache/2.4.41 (Ubuntu)
Apache/2.4.25 (Debian)
nginx/1.16.1
PHP/7.4.3
PHP/7.0.33-0+deb9u9

Vendor Status

[26.10.2021] Vulnerability discovered.
[17.11.2021] Vendor contacted.
[15.01.2022] No response from the vendor.
[16.01.2022] Public security advisory released.

PoC

openbmcs_diri.txt

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] https://packetstormsecurity.com/files/165586/OpenBMCS-2.4-Secret-Disclosure.html
[2] https://www.exploit-db.com/exploits/50671
[3] https://exchange.xforce.ibmcloud.com/vulnerabilities/217380

Changelog

[16.01.2022] - Initial release
[20.01.2022] - Added reference [1], [2] and [3]

Contact

Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk