Inductive Automation Ignition 7.8.1 Remote Leakage Of Shared Buffers

Title: Inductive Automation Ignition 7.8.1 Remote Leakage Of Shared Buffers
Advisory ID: ZSL-2016-5306
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information
Risk: (3/5)
Release Date: 16.02.2016
Summary
Ignition is a powerful industrial application platform with fully integrated development tools for building SCADA, MES, and IIoT solutions.
Description
Remote unauthenticated attackers are able to read arbitrary data from other HTTP sessions because Ignition ships a vulnerable Jetty server. When the Jetty web server receives an HTTP request, the code below is used to parse the HTTP headers and their associated values. The server loops through each byte of a given header value and checks the following:

- On Line 1164, the server checks whether the byte is printable ASCII (above 0x20) or a negative, i.e. non-ASCII, byte; if so, it is appended to the value.
- On Line 1172, the server checks whether the byte is a space or a tab and skips it.
- On Line 1175, the server checks whether the byte is a line feed, which terminates the value.
- If the byte is a non-printable ASCII control character (less than 0x20) other than tab or line feed, all of the checks above are skipped over and the code throws an 'IllegalCharacter' exception on line 1186, passing in the illegal character together with the shared read buffer. Because that buffer is pooled across connections, its contents (which can include data from other clients' requests) end up in the error message returned to the requester.

--------------------------------------------------------------------------------

File: jetty-http\src\main\java\org\eclipse\jetty\http\HttpParser.java
---------------------------------------------------------------------------
920:     protected boolean parseHeaders(ByteBuffer buffer)
921:     {
[..snip..]
1163:            case HEADER_VALUE:
1164:                if (ch>HttpTokens.SPACE || ch<0)
1165:                {
1166:                    _string.append((char)(0xff&ch));
1167:                    _length=_string.length();
1168:                    setState(State.HEADER_IN_VALUE);
1169:                    break;
1170:                }
1171:
1172:                if (ch==HttpTokens.SPACE || ch==HttpTokens.TAB)
1173:                    break;
1174:
1175:                if (ch==HttpTokens.LINE_FEED)
1176:                {
1177:                    if (_length > 0)
1178:                    {
1179:                        _value=null;
1180:                        _valueString=(_valueString==null)?takeString():(_valueString+" "+takeString());
1181:                    }
1182:                    setState(State.HEADER);
1183:                    break;
1184:                }
1185:
1186:                throw new IllegalCharacter(ch,buffer);

--------------------------------------------------------------------------------
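The following is an added illustration, not Jetty or Ignition code, of why the exception on line 1186 leaks data. It re-implements the HEADER_VALUE checks from the snippet above over a java.nio.ByteBuffer and runs them twice against a constructed "recycled" buffer whose backing array still holds a previous client's cookie: once with an error message that echoes the buffer (as the vulnerable IllegalCharacter did) and once with a message that names only the offending byte. The class name, the message formats and the stale cookie value are assumptions made for the demo.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;

/*
 * Added illustration (not Jetty or Ignition code) of the HEADER_VALUE branch
 * quoted in the advisory. Jetty reads each connection's bytes into a pooled
 * ByteBuffer; once such a buffer is recycled, its backing array can still hold
 * bytes from an earlier request on another connection. Putting the buffer's
 * contents into an exception message therefore hands those bytes to whoever
 * causes the parse error. Message formats and stale data are constructed.
 */
public class HeaderValueLeakDemo {
    static final byte SPACE = 0x20, TAB = 0x09, LINE_FEED = 0x0a;

    /**
     * Parses one header value from the buffer using the same checks as the
     * quoted loop. With leakyMessage=true the error mirrors the vulnerable
     * IllegalCharacter(ch, buffer); with false it reports only the byte.
     */
    static String parseHeaderValue(ByteBuffer buffer, boolean leakyMessage) {
        StringBuilder value = new StringBuilder();
        while (buffer.hasRemaining()) {
            byte ch = buffer.get();
            // Line 1164: printable ASCII, or a negative (non-ASCII) byte, is accepted
            if (ch > SPACE || ch < 0) { value.append((char) (0xff & ch)); continue; }
            // Line 1172: optional whitespace inside the value
            if (ch == SPACE || ch == TAB) continue;
            // Line 1175: line feed terminates the value
            if (ch == LINE_FEED) return value.toString();
            // Line 1186: any other control byte is illegal
            String hex = "0x" + Integer.toHexString(0xff & ch);
            throw new IllegalArgumentException(leakyMessage
                ? "Illegal character " + hex + " in '" + printable(buffer) + "'"
                : "Illegal character " + hex + " in header value");
        }
        return value.toString();
    }

    /** Renders the whole backing array, including bytes beyond limit, as the leaky message did. */
    static String printable(ByteBuffer b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b.array()) sb.append(x >= 0x20 && x < 0x7f ? (char) x : '.');
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed: a pooled buffer whose previous user left another client's cookie behind
        byte[] stale = "Cookie: JSESSIONID=stale-session-of-another-user\r\n"
            .getBytes(StandardCharsets.ISO_8859_1);
        ByteBuffer buf = ByteBuffer.allocate(96);
        buf.put(stale);
        buf.clear();                                  // "recycle": position=0, bytes stay in the array
        buf.put(new byte[] {'o', 'k', 0x01, '\n'});   // new request: value "ok" then a 0x01 control byte
        buf.flip();                                   // the parser is only meant to see these four bytes

        for (boolean leaky : new boolean[] {true, false}) {
            buf.rewind();
            try {
                parseHeaderValue(buf, leaky);
            } catch (IllegalArgumentException e) {
                System.out.println((leaky ? "vulnerable: " : "hardened:   ") + e.getMessage());
            }
        }
    }
}
```

Compile and run with `javac HeaderValueLeakDemo.java && java HeaderValueLeakDemo`. The "vulnerable" line carries the tail of the other client's Cookie header even though the current request never sent it, while the "hardened" line names only the 0x01 byte. The mitigation the vendor adopted, upgrading to a Jetty release that no longer places buffer contents in the error response, removes exactly that first behaviour; until then, 400 responses from the gateway whose body echoes request bytes are the observable symptom to watch for.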

Vendor
Inductive Automation - http://www.inductiveautomation.com
Affected Version
7.8.1 (b2016012216) and 7.8.0 (b2015101414)
Tested On
Microsoft Windows 7 Professional SP1 (EN)
Microsoft Windows 7 Ultimate SP1 (EN)
Ubuntu Linux 14.04
Mac OS X
HP-UX Itanium
Jetty(9.2.z-SNAPSHOT)
Java/1.8.0_73
Java/1.8.0_66
Vendor Status
[14.01.2016] Vulnerability discovered.
[20.01.2016] Vendor contacted.
[15.02.2016] No response from the vendor.
[16.02.2016] Public security advisory released.
[22.02.2016] Vendor informs that version 7.8.1 is patched with Jetty 9.3.3v20150827.
PoC
ignition_bufferbleed.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html
[2] https://github.com/GDSSecurity/Jetleak-Testing-Script/blob/master/jetleak_tester.py
[3] http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git/plain/advisories/2015-02-24-httpparser-error-buffer-bleed.md
[4] https://github.com/eclipse/jetty.project/blob/jetty-9.2.x/advisories/2015-02-24-httpparser-error-buffer-bleed.md
[5] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2080
[6] https://cxsecurity.com/issue/WLB-2016020156
[7] https://packetstormsecurity.com/files/135804
[8] https://www.exploit-db.com/exploits/39455/
[9] http://www.vfocus.net/art/20160222/12576.html
[10] https://www.incibe.es/securityAdvice/CERT_en/ics_advisories/Inductive_Automation_Ignition
Changelog
[16.02.2016] - Initial release
[17.02.2016] - Added reference [6] and [7]
[18.02.2016] - Added reference [8]
[22.02.2016] - Added vendor status and reference [9] and [10]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk