
[KMC Controls] Backdoor in "BACnet Building Controller" (CVE-2020-7233)

The KMC BACnet Building Controller BAC-A1616BC has a "backdoor" in its embedded web service.

 

 

Web Server Functions

  • Built-in web configuration pages allow web browsers to configure I/Os and objects, monitor values and alarms (configuration/monitoring also available through TotalControl), and set up users and passwords.
  • Upgradable firmware (without requiring physical access) through the web or Ethernet connection, allowing easy updates.
  • Custom web graphical interface (created/published in TotalControl, ver. 1.7 or higher).

The steps to identify the "backdoor" are briefly described below.

 

Login form:

 

 

Show source code:

 

 

Download flash:

 

Decompile flash:

http://pdfrecover.herokuapp.com/swfdecompiler/

 

Use the Binwalk tool to extract known file types

 

 ... and to look up classic search criteria,

Logic of login form

 

User: ""
Pass: "snowman"

 

We are now able to access the new (secret) panel.
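The same class of flaw can be caught in review by scanning decompiled client-side login code for credential fields compared against string literals. The following is an added example, not code from the original post or from the device: the ActionScript sample, its identifier names and the literal "EXAMPLE-SECRET" are constructed placeholders, and the list of credential-like names is an assumption.

```python
import re

# Constructed sample of decompiled ActionScript login logic. It is NOT the
# device's code; names and the literal "EXAMPLE-SECRET" are placeholders.
SAMPLE_AS = '''
function doLogin() {
    var user:String = userField.text;
    var pass:String = passField.text;
    if (user == "" && pass == "EXAMPLE-SECRET") {
        gotoAndStop("servicePanel");
        return;
    }
    if (mode == "ajax") {
        sendLogin(user, pass);
    }
}
'''

# Identifier names that suggest an authentication decision (assumed list).
CRED_NAME = re.compile(r"pass|pwd|user|login|secret|token|key", re.I)

# identifier ==/!= "literal", or "literal" ==/!= identifier
CMP = re.compile(
    r'''(?P<id>[A-Za-z_][\w.]*)\s*[=!]==?\s*(?P<q>["'])(?P<lit>.*?)(?P=q)'''
    r'''|(?P<q2>["'])(?P<lit2>.*?)(?P=q2)\s*[=!]==?\s*(?P<id2>[A-Za-z_][\w.]*)'''
)


def find_hardcoded_credentials(source):
    """Return comparisons of credential-like identifiers to string literals."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith("//"):
            continue  # skip whole-line comments
        for m in CMP.finditer(line):
            left = m.group("id") is not None
            ident = m.group("id") if left else m.group("id2")
            literal = m.group("lit") if left else m.group("lit2")
            if CRED_NAME.search(ident):
                findings.append({"line": lineno, "identifier": ident,
                                 "literal": literal,
                                 "accepts_empty": literal == ""})
    return findings


if __name__ == "__main__":
    for f in find_hardcoded_credentials(SAMPLE_AS):
        print(f)
```

Any hit means an authentication decision is being made in code the client can read; the fix is to move the check to the server and remove the literal, not to obfuscate it.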
