
Inductive Automation Ignition 7.8.1 Remote Leakage Of Shared Buffers

Severity: Medium
Advisory ID: ZSL-2016-5306
Release Date: 16 February 2016
Vendor: Inductive Automation - http://www.inductiveautomation.com
Affected Version: 7.8.1 (b2016012216) and 7.8.0 (b2015101414)
Tested On: Microsoft Windows 7 Professional SP1 (EN), Microsoft Windows 7 Ultimate SP1 (EN), Ubuntu Linux 14.04, Mac OS X, HP-UX Itanium, Jetty(9.2.z-SNAPSHOT), Java/1.8.0_73, Java/1.8.0_66
Summary

Ignition is a powerful industrial application platform with fully integrated development tools for building SCADA, MES, and IIoT solutions.

Description

Remote unauthenticated attackers are able to read arbitrary data from other HTTP sessions because Ignition ships a vulnerable Jetty server. When the Jetty web server receives an HTTP request, the code below is used to parse the HTTP headers and their associated values. The server loops through each character of a given header value and checks the following:

- On line 1164, the server checks whether the character is printable ASCII or not a valid ASCII character.
- On line 1172, the server checks whether the character is a space or tab.
- On line 1175, the server checks whether the character is a line feed.
- If the character is non-printable ASCII (less than 0x20 and none of the above), all of the checks are skipped over and the code throws an 'IllegalCharacter' exception on line 1186, passing in the illegal character and a shared buffer.

File: jetty-http\src\main\java\org\eclipse\jetty\http\HttpParser.java
---------------------------------------------------------------------------
 920: protected boolean parseHeaders(ByteBuffer buffer)
 921: {
[..snip..]
1163:     case HEADER_VALUE:
1164:         if (ch>HttpTokens.SPACE || ch<0)
1165:         {
1166:             _string.append((char)(0xff&ch));
1167:             _length=_string.length();
1168:             setState(State.HEADER_IN_VALUE);
1169:             break;
1170:         }
1171:
1172:         if (ch==HttpTokens.SPACE || ch==HttpTokens.TAB)
1173:             break;
1174:
1175:         if (ch==HttpTokens.LINE_FEED)
1176:         {
1177:             if (_length > 0)
1178:             {
1179:                 _value=null;
1180:                 _valueString=(_valueString==null)?takeString():(_valueString+" "+takeString());
1181:             }
1182:             setState(State.HEADER);
1183:             break;
1184:         }
1185:
1186:         throw new IllegalCharacter(ch,buffer);
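The following Java program is an added illustration and is not Jetty's or Inductive Automation's code. It reproduces only the three checks of the HEADER_VALUE case quoted above (the class HeaderValueCheck, the enum Outcome and the two message builders are assumed names), then contrasts two ways of constructing the error text: one that formats the whole shared buffer into the message, which is the behaviour the advisory describes, and one that reports only the offending byte and its offset. The buffer contents are constructed: a longer earlier request is written into the buffer first, and a shorter current request is written over its start, so bytes of the earlier request remain behind the current one.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;

public class HeaderValueCheck {
    // Token values the parser compares against: SPACE and TAB are skipped, LF ends the value.
    static final byte SPACE = 0x20, TAB = 0x09, LINE_FEED = 0x0a;

    enum Outcome { APPEND, SKIP, END_OF_VALUE, ILLEGAL }

    // The three checks, in the same order as the HEADER_VALUE case above.
    static Outcome classify(byte ch) {
        if (ch > SPACE || ch < 0) return Outcome.APPEND;        // printable ASCII, or high bit set
        if (ch == SPACE || ch == TAB) return Outcome.SKIP;      // whitespace inside the value
        if (ch == LINE_FEED) return Outcome.END_OF_VALUE;       // end of the header line
        return Outcome.ILLEGAL;                                 // any other control byte
    }

    // Leaky construction (modelled here, not Jetty's exact code): the message is built from
    // everything the shared buffer holds, so leftovers from earlier requests reach the client.
    static String leakyMessage(byte ch, ByteBuffer shared) {
        ByteBuffer whole = shared.duplicate();
        whole.clear(); // position 0, limit = capacity: the entire buffer, not just this request
        return String.format("Illegal character 0x%02X in '%s'", ch & 0xff,
                StandardCharsets.ISO_8859_1.decode(whole));
    }

    // Hardened construction: only the offending byte value and its offset are reported.
    static String safeMessage(byte ch, int offset) {
        return String.format("Illegal character 0x%02X at offset %d", ch & 0xff, offset);
    }

    public static void main(String[] args) {
        // Constructed data: an earlier request fills the buffer, a shorter one overwrites its start.
        byte[] previous = "GET /secret HTTP/1.1\r\nCookie: session=PREVIOUS-USER-COOKIE\r\n\r\n"
                .getBytes(StandardCharsets.ISO_8859_1);
        byte[] current = "GET / HTTP/1.1\r\nX-Test: a\u0001b\r\n\r\n"
                .getBytes(StandardCharsets.ISO_8859_1);
        ByteBuffer shared = ByteBuffer.allocate(previous.length);
        shared.put(previous);
        shared.clear();
        shared.put(current);
        shared.flip(); // limit = current request length; bytes beyond it are stale

        // The header value of the current request, walked as the HEADER_VALUE loop would.
        byte[] value = "a\u0001b".getBytes(StandardCharsets.ISO_8859_1);
        for (int i = 0; i < value.length; i++) {
            byte ch = value[i];
            System.out.printf("0x%02X -> %s%n", ch & 0xff, classify(ch));
            if (classify(ch) == Outcome.ILLEGAL) {
                System.out.println("leaky: " + leakyMessage(ch, shared));
                System.out.println("safe:  " + safeMessage(ch, i));
                break;
            }
        }
    }
}
```

Run it with `javac HeaderValueCheck.java && java HeaderValueCheck`. The 0x01 byte passes none of the three checks and lands in the ILLEGAL branch; the leaky message then carries the tail of the earlier request (the stale cookie bytes) because it was rendered from the buffer rather than from the current request's bytes, whereas the hardened message exposes nothing beyond the byte value and position. The defensive point is that error text derived from a pooled buffer must be bounded to the current request, or better, must not include buffer contents at all.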
Proof of Concept
Disclosure Timeline
14.01.2016 Vulnerability discovered.
20.01.2016 Vendor contacted.
15.02.2016 No response from the vendor.
16.02.2016 Public security advisory released.
22.02.2016 Vendor informs that version 7.8.1 is patched with Jetty 9.3.3v20150827.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
16.02.2016 Initial release
17.02.2016 Added reference [6] and [7]
18.02.2016 Added reference [8]
22.02.2016 Added vendor status and reference [9] and [10]