← Advisories

Mango Automation 2.6.0 CSRF File Upload And Arbitrary JSP Code Execution

High
Advisory ID
ZSL-2015-5262
Release Date
26 September 2015
Vendor
Infinite Automation Systems Inc. - http://www.infiniteautomation.com
Affected Version
2.5.2 and 2.6.0 beta (build 327)
CVE
CVE-2015-7904
Tested On
Microsoft Windows 7 Professional SP1 (EN) 32/64bit, Microsoft Windows 7 Ultimate SP1 (EN) 32/64bit, Jetty(9.2.2.v20140723), Java(TM) SE Runtime Environment (build 1.8.0_51-b16), Java HotSpot(TM) Client VM (build 25.51-b03, mixed mode)
Summary

Mango Automation is a flexible SCADA, HMI And Automation software application that allows you to view, log, graph, animate, alarm, and report on data from sensors, equipment, PLCs, databases, webpages, etc. It is easy, affordable, and open source.

Description

Mango suffers from an authenticated arbitrary JSP code execution. The vulnerability is caused due to the improper verification of uploaded image files in 'graphicalViewsBackgroundUpload' script via the 'backgroundImage' POST parameter which allows of arbitrary files being uploaded in '/modules/graphicalViews/web/graphicalViewUploads/'. This can be exploited to execute arbitrary JSP code by uploading a malicious JSP script file that will be stored as a sequence number depending on how many files were uploaded (1.jsp or 2.jsp or 3.jsp .. n.jsp).

Proof of Concept
mango_uploadexec.txtTXT
Disclosure Timeline
20.08.2015Vulnerability discovered.
25.08.2015Vendor contacted.
25.08.2015Vendor responds giving support e-mail to send details to.
25.08.2015Details sent to the support contact.
27.08.2015Asked vendor for status update.
12.09.2015No reply from the vendor.
13.09.2015Asked vendor for status update.
25.09.2015No reply from the vendor.
26.09.2015Public security advisory released.
20.10.2015Vendor releases version 2.6.0 build 430 to address these issues.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]https://www.exploit-db.com/exploits/38338/
[2]https://packetstormsecurity.com/files/133735
[3]https://cxsecurity.com/issue/WLB-2015090187
[4]http://infiniteautomation.com/forum/topic/1995/mango-security-testing
[5]http://infiniteautomation.com/index.php/what-s-new/entry/what-s-new-in-mango-automation-2-6-0-released-october-20th-2016
[6]http://infiniteautomation.com/forum/topic/1997/mango-automation-2-6-released
[7]https://ics-cert.us-cert.gov/advisories/ICSA-15-300-02A
[8]https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7904
[9]https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7904
[10]https://www.auscert.org.au/render.html?it=27342
[11]https://www.incibe.es/securityAdvice/CERT-en/Early-warning/ics-advisories/MUltiples-vulnerabilidades-Mango-Automation
[12]http://www.securiteam.com/securitynews/5CP3M1FHFQ.html
Changelog
26.09.2015Initial release
07.10.2015Added reference [1], [2] and [3]
21.10.2015Added vendor status and reference [4], [5] and [6]
29.10.2015Added reference [7], [8], [9], [10] and [11]
14.02.2016Added reference [12]