![is inductive automation ignition widely used is inductive automation ignition widely used](https://inductiveautomation.com/static/images/designer/AccelerateAppDev@2x.jpg)
The first vulnerability in this chain is an information leak, but not used as such in our exploit. Vulnerability 1: Unauthenticated Access to Sensitive Resource Now let’s get to the exploit chain we used at Pwn2Own. If you’re interested in reading more about it, check out Java Unmarshaller Security or this Foxglove Security Blog Post. It is out of the scope of this blog to explain Java deserialization, how it happens, and how devastating it can be. Since these are all very simple types, the mechanism described here is an effective way to stop most Java deserialization attacks. It only allows the following object types to be deserialized:
![is inductive automation ignition widely used is inductive automation ignition widely used](https://inductiveautomation.com/static/images/whats_new/BuiltForDesigners-Laptop.jpg)
Before we dive into that, let's look at what a signer() request looks like:Īs it can be seen in the snippet above, the default allow list ( DEFAULT_WHITELIST) is very strict.
#Is inductive automation ignition widely used code
Usually, performing client-server communications with serialized Java objects can lead to direct code execution, but in this case, it is not that simple. Its code resides in the .servlets.Gateway class. It communicates with clients using XML containing serialized Java objects. Only a few can be called by an unauthenticated user. This API endpoint allows the user to perform remote function calls. Several API endpoints are listening on that port, but the one we’re concerned with is at /system/gateway.
![is inductive automation ignition widely used is inductive automation ignition widely used](https://aws1.discourse-cdn.com/business4/uploads/inductiveautomation/optimized/3X/5/5/551b163e6de56307e5cbceda03f3fdf2aa602ea8_2_1035x706.png)
The main ports are TCP 8088 and TCP/TLS 8043, which are used to control the administrative server over HTTP(S) and handle communication between various Ignition components. Ignition listens on a large number of TCP and UDP ports, as it has to handle several SCADA protocols in addition to its primary functionality. Before we dig deep into the vulnerabilities, let’s cover some background information on Ignition and the /system/gateway endpoint.