← Advisories

Mango Automation 2.6.0 CSRF Arbitrary Command Execution Exploit

High
Advisory ID
ZSL-2015-5261
Release Date
26 September 2015
Vendor
Infinite Automation Systems Inc. - http://www.infiniteautomation.com
Affected Version
2.5.2 and 2.6.0 beta (build 327)
CVE
CVE-2015-7901
Tested On
Microsoft Windows 7 Professional SP1 (EN) 32/64bit, Microsoft Windows 7 Ultimate SP1 (EN) 32/64bit, Jetty(9.2.2.v20140723), Java(TM) SE Runtime Environment (build 1.8.0_51-b16), Java HotSpot(TM) Client VM (build 25.51-b03, mixed mode)
Summary

Mango Automation is a flexible SCADA, HMI And Automation software application that allows you to view, log, graph, animate, alarm, and report on data from sensors, equipment, PLCs, databases, webpages, etc. It is easy, affordable, and open source.

Description

The POST parameter 'c0-param0' in the testProcessCommand.dwr method is not properly sanitised before being used to execute commands. This can be exploited to inject and execute arbitrary OS commands as well as using cross-site request forgery attacks.

Proof of Concept
mango_cmdexec.txtTXT
Disclosure Timeline
20.08.2015Vulnerability discovered.
25.08.2015Vendor contacted.
25.08.2015Vendor responds giving support e-mail to send details to.
25.08.2015Details sent to the support contact.
27.08.2015Asked vendor for status update.
12.09.2015No reply from the vendor.
13.09.2015Asked vendor for status update.
25.09.2015No reply from the vendor.
26.09.2015Public security advisory released.
20.10.2015Vendor releases version 2.6.0 build 430 to address these issues.
22.12.2015Vendor releases version 2.7.0 to address additional issues.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]https://www.exploit-db.com/exploits/38338/
[2]https://packetstormsecurity.com/files/133734
[3]https://exchange.xforce.ibmcloud.com/vulnerabilities/106864
[4]http://infiniteautomation.com/forum/topic/1995/mango-security-testing
[5]http://infiniteautomation.com/index.php/what-s-new/entry/what-s-new-in-mango-automation-2-6-0-released-october-20th-2016
[6]http://infiniteautomation.com/forum/topic/1997/mango-automation-2-6-released
[7]https://ics-cert.us-cert.gov/advisories/ICSA-15-300-02
[8]https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7901
[9]https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7901
[10]http://jvndb.jvn.jp/ja/contents/2015/JVNDB-2015-005640.html
[11]https://www.auscert.org.au/render.html?it=27342
[12]http://www.securityweek.com/infinite-automation-patches-flaws-scadahmi-product
[13]http://www.securityfocus.com/bid/77331
[14]https://ics-cert.us-cert.gov/advisories/ICSA-15-300-02A
Changelog
26.09.2015Initial release
07.10.2015Added reference [1], [2] and [3]
21.10.2015Added vendor status and reference [4], [5] and [6]
29.10.2015Added reference [7], [8], [9], [10], [11] and [12]
08.11.2015Added reference [13]
04.01.2016Added vendor status and reference [14]