### Kms Backdoor in "BACnet Building Controller" (CVE-2020-7233)
The "BAC-A1616BC" controller from KMS Controls has a backdoor in its embedded web service.
[![](https://1.bp.blogspot.com/-3kN--WDdds8/XiPCG6UVIEI/AAAAAAAAGms/tN-X9ymGDhMqRN86DoPulirJjxtWDvZ6gCLcBGAsYHQ/s640/1_device.png)](https://1.bp.blogspot.com/-3kNWDdds8/XiPCG6UVIEI/AAAAAAAAGms/tN-X9ymGDhMqRN86DoPulirJjxtWDvZ6gCLcBGAsYHQ/s640/1_device.png)
**_Web Server Functions_**
- Built-in web configuration pages allow a web browser to configure I/Os and objects, monitor values and alarms (configuration/monitoring also available through TotalControl), and set up users and passwords.
- Firmware upgradable (without requiring physical access) through the web or Ethernet connection, allowing easy updates
- Custom web graphical interface (created/published in TotalControl, ver. 1.7 or higher)
**Login form**
[![](https://images.seebug.org/1583459614548-w331s)](https://images.seebug.org/1583459614548-w331s)
**Show source code:**
[![](https://images.seebug.org/1583459617354-w331s)](https://images.seebug.org/1583459617354-w331s)
Download flash
[![](https://images.seebug.org/1583459619915-w331s)](https://images.seebug.org/1583459619915-w331s)
[![](https://images.seebug.org/1583459622953-w331s)](https://images.seebug.org/1583459622953-w331s)
[![](https://1.bp.blogspot.com/-06fBAqeZPGQ/XiPI4UG-aII/AAAAAAAAGnM/rrOHcjidSPM8euEvp-MUChwvFJiuLKQvQCLcBGAsYHQ/s640/6_poc_flash.png)](https://1.bp.blogspot.com/-06fBAqeZPGQ/XiPI4UG-aII/AAAAAAAAGnM/rrOHcjidSPM8euEvp-MUChwvFJiuLKQvQCLcBGAsYHQ/s640/6_poc_flash.png)
**#Decompile flash:**
http://pdfrecover.herokuapp.com/swfdecompiler/
[![](https://images.seebug.org/1583459692032-w331s)](https://images.seebug.org/1583459692032-w331s)
Use Binwalk to extract known file types
[![](https://images.seebug.org/1583459695335-w331s)](https://images.seebug.org/1583459695335-w331s)
... and search for the classic search criteria:
[![](https://images.seebug.org/1583459698161-w331s)](https://images.seebug.org/1583459698161-w331s)
Logic of login form
[![](https://images.seebug.org/1583459700292-w331s)](https://images.seebug.org/1583459700292-w331s)
User: ""
Pass: " _snowman_ "
It is now possible to access a new (secret) panel:
[![](https://images.seebug.org/1583459703048-w331s)](https://images.seebug.org/1583459703048-w331s)
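An audit check for the flaw class shown above (a password compared against a string literal in decompiled client-side login code), added here as an example and not taken from the original post or the vendor's code. The ActionScript sample, its identifiers and its literals are constructed placeholders, and the list of credential-like variable names is an assumption.

```python
import re

# Constructed stand-in for decompiled ActionScript login logic. It is not the
# device's code: every identifier and literal below is a placeholder.
SAMPLE_AS = '''\
function doLogin(user:String, pass:String):void {
    if (pass == "") { showError(); return; }
    if (pass == "EXAMPLE-SECRET") {
        gotoAndStop("hiddenPanel");
        return;
    }
    if ('EXAMPLE-PIN' === servicePin) unlock();
    sendToServer(user, pass);
}
'''

# Variable names assumed to hold credential material (naming heuristic).
CRED_NAME = r'\w*(?:pass|pwd|secret|pin|key)\w*'
# A single- or double-quoted string literal, honouring backslash escapes.
LITERAL = r"""(?P<q>["'])(?P<lit>(?:\\.|(?!(?P=q)).)*)(?P=q)"""
# Comparison operators only (==, ===, !=, !==); plain assignment is ignored.
OP = r'[=!]==?'

PATTERNS = [
    re.compile(rf'\b(?P<name>{CRED_NAME})\b\s*{OP}\s*{LITERAL}', re.I),
    re.compile(rf'{LITERAL}\s*{OP}\s*\b(?P<name>{CRED_NAME})\b', re.I),
]

def find_hardcoded_credentials(source):
    """Return (line, variable, literal) for each credential-named variable
    compared against a non-empty string literal."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for pattern in PATTERNS:
            for m in pattern.finditer(line):
                if m.group('lit'):  # skip empty-string validation checks
                    findings.append((lineno, m.group('name'), m.group('lit')))
    return findings

if __name__ == '__main__':
    for lineno, name, literal in find_hardcoded_credentials(SAMPLE_AS):
        print(f'line {lineno}: {name} compared with literal {literal!r}')
```

Any finding in code shipped to the client means the check must move server-side and the literal must be treated as a disclosed credential.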
Regards,
[@Capitan_Alfa](https://twitter.com/capitan_Alfa)