OpenBMCS 2.4 Secrets Disclosure

Title: OpenBMCS 2.4 Secrets Disclosure
Advisory ID: ZSL-2022-5695
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information, System Access
Risk: (4/5)
Release Date: 16.01.2022
Summary
OpenBMCS is a Building Management & Controls System (BMCS). Regardless of the size of your business, the OpenBMCS software can scale to hundreds of controllers. The product can control and monitor anything from a garage door to a complete campus-wide network, with everything you need on board.
Description
The web application serves directory listings and discloses the contents of sensitive files. An attacker who browses the listed directories can retrieve these files, and the secrets disclosed in them can be leveraged to gain full access to the BMS.
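A quick way to triage a deployment for this class of issue is to fetch candidate directories and check whether the response is an Apache or nginx autoindex page, then pull out the listed entries and flag the ones whose names suggest configuration, backups or credentials. The script below is an added example, not part of the advisory or the vendor's product; the HTML bodies and file names in it are constructed for illustration, and the name heuristic in `_SENSITIVE` is an assumption, not a list taken from OpenBMCS.

```python
"""Detect web-server directory listings and flag sensitive-looking entries.

Added example for this advisory, not the original PoC and not vendor code.
The sample responses below are constructed; real OpenBMCS paths are not
reproduced here.
"""
import re
import sys
from urllib.request import Request, urlopen
from urllib.error import URLError

# Markers emitted by Apache mod_autoindex and nginx autoindex pages.
_LISTING_PATTERNS = (
    re.compile(r"<title>Index of /", re.I),
    re.compile(r"<h1>Index of /", re.I),
    re.compile(r'<a href="\.\./">', re.I),      # nginx parent-directory link
    re.compile(r"Parent Directory", re.I),      # Apache parent-directory link
)

# Links on a listing page; '?C=N;O=D' sort links are excluded by the '?'.
_HREF = re.compile(r'<a\s+href="([^"?#]+)"', re.I)

# Heuristic (assumption, not from the advisory): names that commonly hold
# secrets, backups or configuration.
_SENSITIVE = re.compile(
    r"\.(bak|sql|env|ini|conf|cfg|pem|key|log|old|orig|zip|tar|gz)$"
    r"|config|passw|secret|backup|credential",
    re.I,
)


def is_directory_listing(body):
    """Return True when an HTML body looks like an autoindex page."""
    return any(p.search(body) for p in _LISTING_PATTERNS)


def listed_entries(body):
    """Return the relative file/dir names linked from a listing page,
    skipping navigational links ('../' and absolute paths such as '/')."""
    names = []
    for href in _HREF.findall(body):
        if href == "../" or href.startswith("/"):
            continue
        names.append(href)
    return names


def sensitive_entries(names):
    """Filter entry names down to the ones matching the secret heuristic."""
    return [n for n in names if _SENSITIVE.search(n)]


def check_url(url, timeout=5):
    """Fetch one URL and summarise whether it exposes a listing. Network
    access only happens here; the rest of the module is offline."""
    try:
        with urlopen(Request(url, headers={"User-Agent": "dirlist-check"}),
                     timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
    except URLError as exc:
        return {"url": url, "error": str(exc)}
    names = listed_entries(body) if is_directory_listing(body) else []
    return {"url": url, "listing": bool(names) or is_directory_listing(body),
            "entries": names, "sensitive": sensitive_entries(names)}


# Constructed sample responses (not captured from a real OpenBMCS host).
APACHE_SAMPLE = """<html><head><title>Index of /config</title></head>
<body><h1>Index of /config</h1><table>
<tr><th><a href="?C=N;O=D">Name</a></th></tr>
<tr><td><a href="/">Parent Directory</a></td></tr>
<tr><td><a href="db.php.bak">db.php.bak</a></td></tr>
<tr><td><a href="settings.ini">settings.ini</a></td></tr>
<tr><td><a href="logo.png">logo.png</a></td></tr>
</table></body></html>"""

NGINX_SAMPLE = """<html><head><title>Index of /backup/</title></head>
<body><h1>Index of /backup/</h1><hr><pre><a href="../">../</a>
<a href="site.sql">site.sql</a>    16-Jan-2022 10:00   10240
<a href="notes.txt">notes.txt</a>  16-Jan-2022 10:00      12
</pre><hr></body></html>"""

NORMAL_PAGE = """<html><head><title>Login</title></head>
<body><form action="index.php"><a href="help.html">Help</a></form></body></html>"""


if __name__ == "__main__":
    for label, body in (("apache", APACHE_SAMPLE), ("nginx", NGINX_SAMPLE),
                        ("normal", NORMAL_PAGE)):
        names = listed_entries(body) if is_directory_listing(body) else []
        print(label, is_directory_listing(body), sensitive_entries(names))
    for url in sys.argv[1:]:          # e.g. http://host/some/dir/ (your own target)
        print(check_url(url))
```

A positive hit means autoindex is enabled for that path on the web server (Apache `Options +Indexes` / nginx `autoindex on`), which is what makes the disclosed files discoverable in the first place; the name heuristic only prioritises what to download and inspect, it does not prove a file contains secrets.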
Vendor
OPEN BMCS - https://www.openbmcs.com
Affected Version
2.4
Tested On
Linux Ubuntu 5.4.0-65-generic (x86_64)
Linux Debian 4.9.0-13-686-pae/4.9.228-1 (i686)
Apache/2.4.41 (Ubuntu)
Apache/2.4.25 (Debian)
nginx/1.16.1
PHP/7.4.3
PHP/7.0.33-0+deb9u9
Vendor Status
[26.10.2021] Vulnerability discovered.
[17.11.2021] Vendor contacted.
[15.01.2022] No response from the vendor.
[16.01.2022] Public security advisory released.
PoC
openbmcs_diri.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://packetstormsecurity.com/files/165586/OpenBMCS-2.4-Secret-Disclosure.html
[2] https://www.exploit-db.com/exploits/50671
[3] https://exchange.xforce.ibmcloud.com/vulnerabilities/217380
Changelog
[16.01.2022] - Initial release
[20.01.2022] - Added references [1], [2] and [3]
Contact
Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk