Security
Headlines
HeadlinesLatestCVEs

Source

Zero Science Lab

ECOA Building Automation System Remote Privilege Escalation

The BAS controller is vulnerable to weak access control mechanism allowing any user to escalate privileges by disclosing credentials of administrative accounts in plain-text.

Zero Science Lab
ECOA Building Automation System Hard-coded Credentials SSH Access

The BAS controller is vulnerable to hard-coded credentials within its Linux distribution image. These sets of credentials are never exposed to the end-user and cannot be changed through any normal operation of the device.

ECOA Building Automation System Hidden Backdoor Accounts and backdoor() Function

The BAS controller has hidden backdoors in several binaries that serve the web application. Any unauthenticated attacker can download all the resources and binaries/services that serve the controller and search for the 'backdoor()' function in httpser.elf as well as discover hidden credentials for backdoor access with full functionality of the Smart Home, Access Control and Building Automation System solutions.

ECOA Building Automation System Cookie Poisoning Authentication Bypass

The BAS controller suffers from an authentication bypass vulnerability. An unauthenticated attacker through cookie poisoning can bypass authentication and disclose sensitive information and circumvent physical access controls in smart homes and buildings and manipulate HVAC.

ECOA Building Automation System Configuration Download Information Disclosure

The BAS controller is vulnerable to configuration disclosure when direct object reference is made to the syspara.dat or images.dat files using an HTTP GET request. This will enable the attacker to disclose sensitive information and help her in authentication bypass, privilege escalation and full system access.

ECOA Building Automation System Cross-Site Request Forgery

The Building Automation System / SmartHome allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. These actions can be exploited to perform any CRUD operation like user creation, alarm shutdown and account password change with administrative privileges if a logged-in user visits a malicious web site.