The BAS controller suffers from an authentication bypass vulnerability. An unauthenticated attacker through cookie poisoning can bypass authentication and disclose sensitive information and circumvent physical access controls in smart homes and buildings and manipulate HVAC.

ECOA Building Automation System Cookie Poisoning Authentication Bypass

The BAS controller is vulnerable to configuration disclosure when direct object reference is made to the syspara.dat or images.dat files using an HTTP GET request. This will enable the attacker to disclose sensitive information and help her in authentication bypass, privilege escalation and full system access.

ECOA Building Automation System Configuration Download Information Disclosure

The Building Automation System / SmartHome allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. These actions can be exploited to perform any CRUD operation like user creation, alarm shutdown and account password change with administrative privileges if a logged-in user visits a malicious web site.

Source

Zero Science Lab