Posts Tagged ‘Information Disclosure’

MODBUS Application Protocol 1.1b System Information Remote Disclosure

May 7, 2015

According to Wikipedia:

Modbus is a serial communications protocol originally published by Modicon (now Schneider Electric) in 1979 for use with its programmable logic controllers (PLCs). Simple and robust, it has since become a de facto standard communication protocol, and it is now a commonly available means of connecting industrial electronic devices.

This protocol is used by a lot of industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems. Version 1.1b of the MODBUS Application Protocol, maintained by the Modbus Organization, outlines “Read Device Identification” functionality. This lets a remote client query a system for information and does not require authentication.

6.21 43 / 14 (0x2B / 0x0E) Read Device Identification

This function code allows reading the identification and additional information relative to the physical and functional description of a remote device, only.

Some systems do not give up much information, but others disclose the vendor, device, version, project information (which can include full path disclosure), and more. Shodan already uses this method to fingerprint systems:

[screenshots: modbus0, modbus1, modbus2]
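To show what the 43 / 14 exchange looks like on the wire, here is an added Python example (not from the original post or the Modbus Organization) that encodes a Read Device Identification request and decodes a constructed response, so a defender can inventory exactly which identification objects their own devices hand out. Object names follow section 6.21 of the spec; the sample vendor and product strings are made up.

```python
import struct

# Modbus function 43 (0x2B) with MEI type 14 (0x0E): Read Device Identification.
FC_ENCAPSULATED_INTERFACE = 0x2B
MEI_READ_DEVICE_ID = 0x0E
# Object ids from section 6.21 of the spec; 0-2 are "basic", 3-6 are "regular".
OBJECT_NAMES = {0: "VendorName", 1: "ProductCode", 2: "MajorMinorRevision", 3: "VendorUrl",
                4: "ProductName", 5: "ModelName", 6: "UserApplicationName"}

def build_read_device_id(transaction_id, unit_id=1, read_code=1, object_id=0):
    """Encode a Modbus/TCP Read Device Identification request (MBAP header + PDU)."""
    pdu = bytes([FC_ENCAPSULATED_INTERFACE, MEI_READ_DEVICE_ID, read_code, object_id])
    # MBAP: transaction id, protocol id (0), length of unit id + PDU, unit id
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu

def parse_read_device_id_response(frame):
    """Decode a response frame into the identification objects the device disclosed."""
    if len(frame) < 7:
        raise ValueError("truncated MBAP header")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or len(frame) != 6 + length:
        raise ValueError("MBAP length does not match frame")
    pdu = frame[7:]
    if len(pdu) >= 2 and pdu[0] == FC_ENCAPSULATED_INTERFACE | 0x80:  # 0xAB: exception
        raise ValueError(f"device returned Modbus exception {pdu[1]:#04x}")
    if len(pdu) < 7 or pdu[0] != FC_ENCAPSULATED_INTERFACE or pdu[1] != MEI_READ_DEVICE_ID:
        raise ValueError("not a Read Device Identification response")
    read_code, conformity, more_follows, next_obj, count = pdu[2:7]
    objects, pos = {}, 7
    for _ in range(count):
        if pos + 2 > len(pdu):
            raise ValueError("truncated object header")
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + obj_len]
        if len(value) != obj_len:
            raise ValueError("object length exceeds PDU")  # reject malformed lengths
        objects[OBJECT_NAMES.get(obj_id, f"object_{obj_id:#04x}")] = value.decode("ascii", "replace")
        pos += 2 + obj_len
    return {"unit_id": unit, "conformity": conformity, "more_follows": more_follows == 0xFF,
            "next_object_id": next_obj, "objects": objects}

# Constructed sample response (not captured from a real device): basic objects 0-2.
SAMPLE_RESPONSE = (
    b"\x00\x01\x00\x00\x00\x27\x01"   # MBAP: tid 1, proto 0, length 39, unit 1
    b"\x2b\x0e\x01\x01\x00\x00\x03"   # FC 43, MEI 14, basic read, conformity 1, no more, 3 objects
    b"\x00\x0dExampleVendor"          # object 0, 13 bytes
    b"\x01\x08PLC-1000"               # object 1, 8 bytes
    b"\x02\x04V1.2"                   # object 2, 4 bytes
)
```

Running the parser over responses captured from your own network segment tells you which devices answer this unauthenticated query and what they leak.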


Niagara AX Tridium Fox Protocol Remote Information Disclosure

April 29, 2015

The NiagaraAX platform supports the Tridium Fox tunneling protocol to communicate between two stations. By default the Fox tunneling protocol will be found on TCP port 1911 for NiagaraAX (version 3.3 and likely most others) which is the proxy server component. While using Shodan I saw that the port gives up system information without authenticating. When searching for information on how the protocol works I found that Digital Bond already wrote a NMAP NSE script to interface with the port and enumerate information! This saved a lot of time! This port will give up the protocol version, internal IP address (sometimes), Niagara-AX application name and version, Java client and version, OS, a host ID and VM UUID. Some systems can also give up time zone, brand ID, and other system information.

df:/tmp/ # nmap -p 1911 --script fox-info.nse 87.195.99.249

Starting Nmap 6.47 ( http://nmap.org ) at 2015-04-17 15:37 MDT
Nmap scan report for 1.2.3.4 (1.2.3.4)
Host is up (0.22s latency).
PORT STATE SERVICE
1911/tcp open Niagara Fox
| fox-info:
| Fox Version: 1.0.1
| Host Name: 192.168.1.222
| Host Address: 192.168.1.222
| Application Name: Station
| Application Version: 3.7.106.8
| VM Name: Java HotSpot(TM) Client VM
| VM Version: 1.5.0_34-b28
| OS Name: QNX
| Host ID: Qnx-NPM6E-0000-15F8-5632
| VM UUID: 11d4ee1b-e043-31a8-0000-000000008605
|_ Brand ID: webeasy.products

Nmap done: 1 IP address (1 host up) scanned in 1.60 seconds
df:/tmp/ #

Rockwell Automation 176x PLC Controllers Remote Information Disclosure

April 24, 2015

Allen-Bradley is a division of Rockwell Automation that makes a line of programmable logic controllers (PLC) under the MicroLogix and CompactLogix brands. Several models have a web interface that doesn’t require authentication. These include:

This allows a remote attacker to get a lot of information, including:

  • Internal IP address (/index.html?redirect=/home.asp and /diagnetwork.asp)
  • List of remote IP connections (/rokform/advancedDiags?pageReq=tcpconn)
  • Network settings
  • Application connections
  • Bridge connections
  • Ethernet statistics
  • Ring statistics
  • Network diagnostics
  • System data
  • Event log
  • Assert log
  • ... and more

Mitsubishi Programmable Controller, High Speed Data Logger Module Internal IP Disclosure

April 23, 2015

The Mitsubishi Programmable Controller, High Speed Data Logger Module has a web interface that does not require authentication. However, the Internet-facing service still discloses an internal IP address in the link to the FTP server, even if that server is not Internet facing.

[screenshot: mitsubishi-qd81dl96-ip_disclosure]

Lexmark 4000E Remote Information Disclosure

January 9, 2014

A friend pointed out Lexmark 4000E printers (Shodan search) were responsive to commands via the old finger protocol. He also pointed out there is a blog about this and a lot more at Infobyte Security as well as a full list of commands available including some specifically for the OptraImage at India Study Channel.

df:/home/df # finger setup@1.2.3.4
[1.2.3.4/1.2.3.4]

Ethernet 10/100

Network Card
Status: Connected
Speed, Duplex: 100 Mbps, Full Duplex (Auto)
Current Date and Time: 1970-01-16 11:07
End-of-Job Timeout: 90
UAA: 0020004E195C
LAA: 000000000000
Part Number: 56P2129
EC: 5C0027
Firmware Version: LC.MD.P107
Compi: 28-Nov-06 17:27, mls-bld
Password: Not Set

USB 1
NPAP Active: Yes
NPA Mode: Auto
Printer Type: Lexmark T650

TCP/IP
Active: On
Enable DHCP: Off
Enable BOOTP: Off
AutoIP: Off
Address Source: Manual
Address: 1.2.3.4
Netmask: 255.255.255.0
Gateway: 1.2.3.1
Fully Qualified Domain Name: test.example.org
WINS Status: Unregistered
WINS Server: 0.0.0.0
Zero Configuration Name: Lexmark N4000e
df:/home/df #

Jenkins /account/passwordReset Account Name Enumeration

January 7, 2014

Jenkins contains a minor information disclosure flaw in the /account/passwordReset page. When giving it a username or email address it will verify if it is valid:

[screenshots: jenkins-0, jenkins-1, jenkins-2]

D-Link DS-624S Multiple Vulnerabilities

December 16, 2013

The D-Link DS-624S router (Shodan search) contains two default unpassworded accounts according to the user manual.

admin / (blank)
user / (blank)

In addition, the /Tools/tools_admin.htm page will send the cleartext admin password hash (in 10 different places) over HTTP (CVE-2013-78001).

[screenshot: DS-624S-disc1]

ASUS WL520gu Wireless Router Multiple Vulnerabilities

December 6, 2013

The ASUS WL520gu Wireless Router (Shodan search) has a default account of admin/admin. It uses basic authentication, so the “logout” function doesn’t properly terminate the web application session, allowing persistent access from a browser that previously authenticated to it.

Also, there are two pages that return cleartext passphrases and merely obscure them with JavaScript:

http://localhost/Basic_GOperation_Content.asp
WPA-PSK passphrase returned in clear (CVE-2013-78002):
[screenshot: wl520-passphrase]

http://localhost/Advanced_Wireless_Content.asp
WPA Pre-Shared Key returned in clear (CVE-2013-78003):
[screenshot: wl520-wpa_preshared]

By default telnet is enabled, allowing remote admin access using the same default credentials:

df:/home/df # telnet 1.2.3.4
Trying 1.2.3.4...
Connected to 1.2.3.4.
Escape character is '^]'.
WL-0022159F09A9 login: admin
Password:
[admin@WL-0022159F09A9 root]$ cd /etc
[admin@WL-0022159F09A9 etc]$ cat passwd
admin:$1$$CoERg7ynjYLsj2j4glJ34.:0:0:root:/usr/local/root:/bin/sh
nobody:x:99:99:nobody:/:/sbin/nologin
[admin@WL-0022159F09A9 etc]$

WampServer phpinfo() Information Disclosure

October 22, 2013

Ran across a saved Shodan search for WampServer, a development platform. Without authentication it gives up all the phpinfo() information from a link on the main page:

[screenshots: wampserver-1, wampserver-2]

Arris WTM652 Router

October 21, 2013

The Arris WTM652 Router and maybe other models contain two problems. (Shodan search)

1. By default it ships without a password

[screenshots: arris-default, arris-default2]

2. Information disclosure

Without authenticating, the router gives up quite a bit of information:

[screenshot: arris-disclose1]

After authenticating it sends the wireless password in the clear (no HTTPS):

[screenshot: arris-disclose2]