
Mango Automation 2.6.0 Unprotected Debug Log View Vulnerability

Severity: Medium
Advisory ID: ZSL-2015-5260
Release Date: 26 September 2015
Vendor: Infinite Automation Systems Inc. - http://www.infiniteautomation.com
Affected Version: 2.5.2 and 2.6.0 beta (build 327)
Tested On: Microsoft Windows 7 Professional SP1 (EN) 32/64bit, Microsoft Windows 7 Ultimate SP1 (EN) 32/64bit, Jetty(9.2.2.v20140723), Java(TM) SE Runtime Environment (build 1.8.0_51-b16), Java HotSpot(TM) Client VM (build 25.51-b03, mixed mode)
Summary

Mango Automation is a flexible SCADA, HMI and automation software application that allows you to view, log, graph, animate, alarm, and report on data from sensors, equipment, PLCs, databases, web pages, etc. It is easy, affordable, and open source.

Description

Mango Automation suffers from an information disclosure vulnerability: the shipped '/WEB-INF/web.xml' leaves debugging enabled by default (debug=true). An attacker can entice a logged-in user to visit a specially crafted URL that triggers a system exception with a stack trace on the Jetty server. Because the debug option is on, the resulting status page includes all of the request information from the visitor, so the attacker is able to see usernames, password hashes, e-mail addresses and, of course, session cookies. Using the generated error, the attacker can easily perform session hijacking and, combined with previously discovered vulnerabilities, take over the system simply by visiting the status page unauthenticated.
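The check below is an added example for this advisory, not code or configuration from Mango or the vendor. It audits a servlet web.xml for a debug parameter that is still enabled and rewrites it to false. It assumes the flag appears as a <context-param> or <init-param> named "debug", which is the usual servlet convention; the advisory does not state which servlet carries the parameter in Mango 2.6.0, so the servlet names and the web.xml sample are constructed for illustration.

```python
"""Audit a servlet web.xml for debug parameters left enabled.

Added example for this advisory, not Mango's own configuration. The
parameter layout (<context-param>/<init-param> named "debug") and the
servlet names below are assumptions constructed for illustration.
"""
import xml.etree.ElementTree as ET

JAVAEE_NS = "http://java.sun.com/xml/ns/javaee"
ET.register_namespace("", JAVAEE_NS)  # keep the default namespace on output

# Constructed sample web.xml: one context-wide debug flag, one servlet
# with debugging on and one already set correctly. Hypothetical names.
WEAK_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <context-param>
    <param-name>debug</param-name>
    <param-value>true</param-value>
  </context-param>
  <servlet>
    <servlet-name>example-debug-servlet</servlet-name>
    <servlet-class>com.example.ExampleServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>
  <servlet>
    <servlet-name>example-safe-servlet</servlet-name>
    <servlet-class>com.example.SafeServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>
"""

TRUE_VALUES = {"true", "yes", "on", "1"}


def _local(tag):
    """Strip the XML namespace from a tag ('{ns}servlet' -> 'servlet')."""
    return tag.rsplit("}", 1)[-1]


def _name_value(param_elem):
    """Return the (<param-name>, <param-value>) child elements of a param."""
    name_el = value_el = None
    for field in param_elem:
        if _local(field.tag) == "param-name":
            name_el = field
        elif _local(field.tag) == "param-value":
            value_el = field
    return name_el, value_el


def _enabled(name_el, value_el, param_name):
    """True when the parameter is the debug flag and its value is truthy."""
    if name_el is None or value_el is None:
        return False
    return ((name_el.text or "").strip() == param_name
            and (value_el.text or "").strip().lower() in TRUE_VALUES)


def find_enabled_debug(web_xml_text, param_name="debug"):
    """Return [(scope, value)] for each enabled debug parameter.

    scope is 'context' for a <context-param>, otherwise the <servlet-name>
    of the servlet whose <init-param> carries the flag.
    """
    root = ET.fromstring(web_xml_text)
    findings = []
    for elem in root:
        kind = _local(elem.tag)
        if kind == "context-param":
            name_el, value_el = _name_value(elem)
            if _enabled(name_el, value_el, param_name):
                findings.append(("context", value_el.text.strip()))
        elif kind == "servlet":
            servlet_name = "<unnamed>"
            for field in elem:
                if _local(field.tag) == "servlet-name":
                    servlet_name = (field.text or "").strip()
            for field in elem:
                if _local(field.tag) == "init-param":
                    name_el, value_el = _name_value(field)
                    if _enabled(name_el, value_el, param_name):
                        findings.append((servlet_name, value_el.text.strip()))
    return findings


def disable_debug(web_xml_text, param_name="debug"):
    """Return web.xml text with every enabled debug parameter set to false."""
    root = ET.fromstring(web_xml_text)
    for elem in root.iter():
        if _local(elem.tag) in ("context-param", "init-param"):
            name_el, value_el = _name_value(elem)
            if _enabled(name_el, value_el, param_name):
                value_el.text = "false"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for scope, value in find_enabled_debug(WEAK_WEB_XML):
        print(f"debug={value} still enabled in: {scope}")
    print("after fix:", find_enabled_debug(disable_debug(WEAK_WEB_XML)))
```

Run it against the web.xml of the deployed Mango web application (read the file instead of WEAK_WEB_XML) to confirm whether the flag is still on; turning it off removes the verbose status page but does not address the exception-triggering URL itself, for which the vendor's fixed build listed in the timeline below is the proper remedy.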

Proof of Concept
Disclosure Timeline
20.08.2015 - Vulnerability discovered.
25.08.2015 - Vendor contacted.
25.08.2015 - Vendor responds giving support e-mail to send details to.
25.08.2015 - Details sent to the support contact.
27.08.2015 - Asked vendor for status update.
12.09.2015 - No reply from the vendor.
13.09.2015 - Asked vendor for status update.
25.09.2015 - No reply from the vendor.
26.09.2015 - Public security advisory released.
20.10.2015 - Vendor releases version 2.6.0 build 430 to address these issues.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
26.09.2015 - Initial release
07.10.2015 - Added references [1], [2] and [3]
21.10.2015 - Added vendor status and references [4], [5] and [6]
29.10.2015 - Added references [7], [8], [9], [10], [11] and [12]