Source
Zero Science Lab
The application has a hidden administrative account 'cmuser' that has no password and has write access permissions to the device. The user cmuser is not visible in Users menu list of the application.
The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.
The application is vulnerable to unauthenticated configuration disclosure when direct object reference is made to the backup archive file using an HTTP GET request. The only unknown part of the filename is the hostname of the system. This will enable the attacker to disclose sensitive information and help her in authentication bypass, privilege escalation and full system access.
The BAS controller stores sensitive data (backup exports) in clear-text.
The BAS controller is vulnerable to insecure direct object references that occur when the application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access the hidden resources in the system and execute privileged functionalities.
The BAS controller suffers from an arbitrary file deletion vulnerability. Using the 'cfile' GET parameter in fmanerdel, attackers can delete arbitrary files on the affected device and cause denial of service scenario.
The BAS controller suffers from an arbitrary file disclosure vulnerability. Using the 'fname' POST parameter in viewlog.jsp, attackers can disclose arbitrary files on the affected device and disclose sensitive and system information.
The BAS controller is vulnerable to weak access control mechanism allowing any user to escalate privileges by disclosing credentials of administrative accounts in plain-text.
The BAS controller is vulnerable to hard-coded credentials within its Linux distribution image. These sets of credentials are never exposed to the end-user and cannot be changed through any normal operation of the device.
The BAS controller has hidden backdoors in several binaries that serve the web application. Any unauthenticated attacker can download all the resources and binaries/services that serve the controller and search for the 'backdoor()' function in httpser.elf as well as discover hidden credentials for backdoor access with full functionality of the Smart Home, Access Control and Building Automation System solutions.