KevinLAB BEMS 1.0 - Undocumented Backdoor Account

# Exploit Title: KevinLAB BEMS 1.0 - Undocumented Backdoor Account
# Date: 05.07.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.kevinlab.com

Vendor: KevinLAB Inc.
Product web page: http://www.kevinlab.com
Affected version: 4ST L-BEMS 1.0.0 (Building Energy Management System)

Summary: KevinLab is a venture company specialized in IoT, Big Data, A.I based energy
management platform. KevinLAB's BEMS (Building Energy Management System) enables
efficient energy management in buildings. It improves the efficient of energy use
by collecting and analyzing various information of energy usage and facilities in
the building. It also manages energy usage, facility efficiency and indoor environment
control.

Desc: The BEMS solution has an undocumented backdoor account and these sets of
credentials are never exposed to the end-user and cannot be changed through any
normal operation of the solution thru the RMI. Attacker could exploit this
vulnerability by logging in using the backdoor account with highest privileges
for administration and gain full system control. The backdoor user cannot be
seen in the users settings in the admin panel and it also uses an undocumented
privilege level (admin_pk=1) which allows full availability of the features that
the BEMS is offering remotely.

Tested on: Linux CentOS 7
           Apache 2.4.6
           Python 2.7.5
           PHP 5.4.16
           MariaDB 5.5.68


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2021-5654
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5654.php


05.07.2021

--


Backdoor accounts from the DB:
------------------------------

Username: kevinlab (permission=1)
Password: kevin003

Username: developer1 (permission=6)
Password: 1234