← Advisories

Mango Automation 2.6.0 User Enumeration Weakness

Low
Advisory ID
ZSL-2015-5256
Release Date
26 September 2015
Vendor
Infinite Automation Systems Inc. - http://www.infiniteautomation.com
Affected Version
2.5.2 and 2.6.0 beta (build 327)
CVE
CVE-2015-7902
Tested On
Microsoft Windows 7 Professional SP1 (EN) 32/64bit, Microsoft Windows 7 Ultimate SP1 (EN) 32/64bit, Jetty(9.2.2.v20140723), Java(TM) SE Runtime Environment (build 1.8.0_51-b16), Java HotSpot(TM) Client VM (build 25.51-b03, mixed mode)
Summary

Mango Automation is a flexible SCADA, HMI And Automation software application that allows you to view, log, graph, animate, alarm, and report on data from sensors, equipment, PLCs, databases, webpages, etc. It is easy, affordable, and open source.

Description

The weakness is caused due to the 'login.htm' script and how it verifies provided credentials. Attacker can use this weakness to enumerate valid users on the affected node.

Proof of Concept
mango_userenum.txtTXT
Disclosure Timeline
20.08.2015Vulnerability discovered.
25.08.2015Vendor contacted.
25.08.2015Vendor responds giving support e-mail to send details to.
25.08.2015Details sent to the support contact.
27.08.2015Asked vendor for status update.
12.09.2015No reply from the vendor.
13.09.2015Asked vendor for status update.
25.09.2015No reply from the vendor.
26.09.2015Public security advisory released.
20.10.2015Vendor releases version 2.6.0 build 430 to address these issues.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]https://www.exploit-db.com/exploits/38338/
[2]https://packetstormsecurity.com/files/133726
[3]https://cxsecurity.com/issue/WLB-2015090185
[4]https://exchange.xforce.ibmcloud.com/vulnerabilities/106937
[5]http://infiniteautomation.com/forum/topic/1995/mango-security-testing
[6]http://infiniteautomation.com/index.php/what-s-new/entry/what-s-new-in-mango-automation-2-6-0-released-october-20th-2016
[7]http://infiniteautomation.com/forum/topic/1997/mango-automation-2-6-released
[8]https://ics-cert.us-cert.gov/advisories/ICSA-15-300-02A
[9]https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7902
[10]https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7902
[11]http://www.cnnvd.org.cn/vulnerability/show/cv_id/2015100682
[12]https://www.auscert.org.au/render.html?it=27342
Changelog
26.09.2015Initial release
07.10.2015Added reference [1], [2], [3] and [4]
21.10.2015Added vendor status and reference [5], [6] and [7]
29.10.2015Added reference [8], [9], [10], [11] and [12]