OpenBMCS 2.4 Secrets Disclosure

By kannthu

High
Vidoc Module
#misconfig #edb #openbmcs
Description

What is the "OpenBMCS 2.4 Secrets Disclosure" module?

The "OpenBMCS 2.4 Secrets Disclosure" module detects a misconfiguration vulnerability in OpenBMCS version 2.4. The vulnerability lets an attacker access sensitive files and potentially use the disclosed information to gain full BMS (Building Management System) access. Its severity is classified as high.

This module was authored by dhiyaneshDK.

Impact

If successfully exploited, the "OpenBMCS 2.4 Secrets Disclosure" vulnerability can lead to unauthorized access to sensitive files and potentially compromise the entire BMS. This can result in unauthorized control over building operations, potentially causing disruptions, privacy breaches, and other security risks.

How does the module work?

The "OpenBMCS 2.4 Secrets Disclosure" module works by sending an HTTP GET request to the "/debug/" path of the target OpenBMCS system. It then applies matching conditions to determine if the vulnerability is present.

The module checks that the response body contains the words "change_password_sqls" and "Index of /debug". It also checks that the HTTP response status is 200.

If all matching conditions are met, the module reports the vulnerability, indicating that the target OpenBMCS system is misconfigured and susceptible to secrets disclosure.
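The matching logic described above can be reproduced offline to triage a saved response and see which condition kept it from matching. This is an added example, not Vidoc's own code: the `Response` container, the function names and the sample responses are assumptions constructed for illustration, and the word check is assumed to be a case-sensitive substring test.

```python
from dataclasses import dataclass

# Matching conditions as stated on this page.
REQUIRED_WORDS = ("change_password_sqls", "Index of /debug")
REQUIRED_STATUS = 200


@dataclass
class Response:
    """Status and body of a response to GET /debug/ (hypothetical container)."""
    status: int
    body: str


def failed_conditions(resp: Response) -> list[str]:
    """List every matching condition the response does not satisfy."""
    failed = [f"word:{w}" for w in REQUIRED_WORDS if w not in resp.body]
    if resp.status != REQUIRED_STATUS:
        failed.append(f"status:{REQUIRED_STATUS}")
    return failed


def is_match(resp: Response) -> bool:
    """All conditions are ANDed: report only when none of them fails."""
    return not failed_conditions(resp)


# Constructed sample responses; the listing markup is invented for illustration.
SAMPLES = {
    "debug_listing_exposed": Response(
        200, "<h1>Index of /debug</h1><a href='x'>change_password_sqls</a>"),
    "unrelated_listing": Response(
        200, "<h1>Index of /debug</h1><a href='x'>trace.log</a>"),
    "access_denied": Response(403, "<h1>Forbidden</h1>"),
    "soft_404": Response(200, "<h1>Page not found</h1>"),
}

if __name__ == "__main__":
    for name, resp in SAMPLES.items():
        verdict = "REPORT" if is_match(resp) else "no match"
        print(f"{name:24} {verdict:9} failed={failed_conditions(resp)}")
```

Requiring both words together with the 200 status is what keeps a generic directory listing or a "soft 404" page from being reported.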

For more information, you can refer to the exploit-db.com reference.

Module preview

Concurrent Requests (1)
1. HTTP Request template
GET /debug/
Matching conditions
word: change_password_sqls, Index of /debug
and
status: 200
Passive global matcher
No matching conditions.
On match action
Report vulnerability