Niagara AX Tridium Fox Protocol Remote Information Disclosure

The NiagaraAX platform supports the Tridium Fox tunneling protocol to communicate between two stations. By default, the Fox tunneling protocol is found on TCP port 1911 for NiagaraAX (version 3.3 and likely most others), which is the proxy server component. While using Shodan I saw that the port gives up system information without authenticating. When searching for information on how the protocol works, I found that Digital Bond had already written an Nmap NSE script to interface with the port and enumerate information! This saved a lot of time! This port will give up the protocol version, internal IP address (sometimes), Niagara-AX application name and version, Java client and version, OS, a host ID and VM UUID. Some systems can also give up time zone, brand ID, and other system information.

df:/tmp/ # nmap -p 1911 --script fox-info.nse 87.195.99.249

Starting Nmap 6.47 ( http://nmap.org ) at 2015-04-17 15:37 MDT
Nmap scan report for 1.2.3.4 (1.2.3.4)
Host is up (0.22s latency).
PORT STATE SERVICE
1911/tcp open Niagara Fox
| fox-info:
| Fox Version: 1.0.1
| Host Name: 192.168.1.222
| Host Address: 192.168.1.222
| Application Name: Station
| Application Version: 3.7.106.8
| VM Name: Java HotSpot(TM) Client VM
| VM Version: 1.5.0_34-b28
| OS Name: QNX
| Host ID: Qnx-NPM6E-0000-15F8-5632
| VM UUID: 11d4ee1b-e043-31a8-0000-000000008605
|_ Brand ID: webeasy.products

Nmap done: 1 IP address (1 host up) scanned in 1.60 seconds
df:/tmp/ #
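
For a station owner auditing their own exposure, the fox-info block above can be parsed and checked for the fields that should not be readable before authentication. This is an added example, not code from the original post or from Digital Bond; the function names and the choice of which fields to flag are assumptions, and the sample is the output shown above embedded as constructed input.

```python
import ipaddress
import re

# Constructed sample: the fox-info block from the scan output above.
SAMPLE = """\
1911/tcp open Niagara Fox
| fox-info:
| Fox Version: 1.0.1
| Host Name: 192.168.1.222
| Host Address: 192.168.1.222
| Application Name: Station
| Application Version: 3.7.106.8
| VM Name: Java HotSpot(TM) Client VM
| VM Version: 1.5.0_34-b28
| OS Name: QNX
| Host ID: Qnx-NPM6E-0000-15F8-5632
| VM UUID: 11d4ee1b-e043-31a8-0000-000000008605
|_ Brand ID: webeasy.products
"""

# One "| Key: value" line of NSE script output ("|_" marks the last line).
FIELD = re.compile(r"^\|_?\s*([^:|]+):\s*(.+?)\s*$")

def parse_fox_info(text):
    """Return the key/value pairs of the first fox-info block as a dict."""
    fields, in_block = {}, False
    for line in text.splitlines():
        if line.strip() == "| fox-info:":
            in_block = True
        elif in_block and (m := FIELD.match(line)):
            fields[m.group(1).strip()] = m.group(2)
        elif in_block:
            break  # first non-field line ends the block
    return fields

def audit(fields):
    """List the pre-authentication disclosures found in a parsed block."""
    findings = []
    for key in ("Host Name", "Host Address"):
        try:
            if ipaddress.ip_address(fields.get(key, "")).is_private:
                findings.append(f"{key} leaks internal address {fields[key]}")
        except ValueError:
            pass  # hostname or missing field, not an IP literal
    for key in ("Application Version", "VM Version", "OS Name", "Host ID", "VM UUID"):
        if key in fields:
            findings.append(f"{key} disclosed pre-auth: {fields[key]}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_fox_info(SAMPLE))))
```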
