lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <201010011019.o91AJF45024671@www3.securityfocus.com>
Date: Fri, 1 Oct 2010 04:19:15 -0600
From: info@...efence.ru
To: bugtraq@...urityfocus.com
Subject: [STANKOINFORMZASCHITA-10-01] Netbiter® webSCADA  multiple
 vulnerabilities

[STANKOINFORMZASCHITA-10-01] Netbiter® webSCADA – multiple vulnerabilities 

Authors: Eugene Salov (eugene@...efence.ru), Andrej Komarov (komarov@...efence.ru) 
Product: Netbiter® webSCADA 
CVSS v2 Base Score: 9.0 (AV:N/AC:L/Au:R/C:C/I:C/A:C)
Impact Subscore: 10.0
Exploitability Subscore: 8.0
Availability of exploit: Yes

Product description:
Netbiter® webSCADA (WS100/WS200) is one of polular products in industrial automation, allowing to organize remote access to field devices based on MODBUS TCP through Ethernet, GSM, GPRS channels. The Netbiter is equipped with both Ethernet and a built-in GSM/GPRS modem for communication to remote equipment. This means that it can both communicate over an Ethernet LAN and wireless using the built-in modem. In addition it also supports an external GPS receiver to keep track of its geographical position. Netbiter solution had embedded WEB-server and HMI, which provides management functions by operations on detection of alarms and emergencies with the subsequent notification by SMS, E-mail, SNMP protocol.
URL: Intellicom Innovation AB (http://www.intellicom.se)

Vulnerability description:
1. Local File Disclosure (WASC Web Application Threat Classification):
/cgi-bin/read.cgi?page=../../../../../../../../../../../etc/passwd%00

2. Users information disclosure:
/cgi-bin/read.cgi?file=/home/config/users.cfg

3. An opportunity of malware code uploading by injection of special crafted GIF-image on the logo page modifying:
/cgi-bin/read.cgi?page=config.html&file=/home/config/pages/2.conf&section=PAGE2
 
In the context of GIF-image can be hidden special malware code («Web-shell»), which will be used for SCADA server management and unauthorized OS commands execution.

Solution:
There is no available security update for now. It is highly recommended not to use default passwords for user authorization. Moreover, additionally you can use ACL lists for allowing access only from trusted hosts. Another additional mesaure of safety is using of Web Application Firewalls (WAF) and IPS/IDS systems in the area where SCADA system is located. 

About STC «STANKOINFORMZACHITA»:
Science Technology Center (STC) «STANKOINFORMZACHITA» is the leading russian information security company in sphere of automation and industrial security, providing information security consulting services, information security audit, penetration tesing of SCADA and industrial control systems. 

Contact: info@...efence.ru
Russia, Moscow, Bolshaya Bochtovaya st., 26, Business Center
Tel.: +7 (495) 790-16-60
http://itdefence.ru  

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ