CyberPower Systems PowerPanel 3.1.2 XXE Out-Of-Band Data Retrieval

Title: CyberPower Systems PowerPanel 3.1.2 XXE Out-Of-Band Data Retrieval
Advisory ID: ZSL-2016-5338
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information, DoS
Risk: (4/5)
Release Date: 08.07.2016
Summary
The PowerPanel® Business Edition software from CyberPower provides IT professionals with the tools they need to easily monitor and manage their backup power. Available for compatible CyberPower UPS models, this software supports up to 250 clients, allowing users remote access (from any network PC with a web browser) to instantly access vital UPS battery conditions, load levels, and runtime information. Functionality includes application/OS shutdown, event logging, hibernation mode, internal reports and analysis, remote management, and more.
Description
PowerPanel is affected by an unauthenticated XML External Entity (XXE) vulnerability. The XML inquiry payload is parsed by a default JAXB Unmarshaller that processes DTDs and resolves external entities, so an attacker can use the DTD parameter entities technique to make the affected node disclose and transmit arbitrary data over an out-of-band (OOB) channel. The vulnerability is triggered when input submitted to the xmlservice servlet through the ppbe.xml script is passed unsanitized to the JAXB unmarshalling step that translates the XML inquiry payload into a JAXBElement.

--------------------------------------------------------------------------------

C:\Program Files (x86)\CyberPower PowerPanel Business Edition\web\work\ROOT\webapp\WEB-INF\classes\com\cyberpowersystems\ppbe\webui\xmlservice\
------------------------
XmlServiceServlet.class:
------------------------

// Decompiled from XmlServiceServlet.class (lines 94-109).
private InquirePayload splitInquirePayload(InputStream paramInputStream)
  throws RequestException
{
  try
  {
    // The Unmarshaller created from this context builds its own SAX parser with
    // DTD processing and external entity resolution left at their defaults.
    JAXBContext localJAXBContext = JAXBContext.newInstance("com.cyberpowersystems.ppbe.core.xml.inquiry");
    Unmarshaller localUnmarshaller = localJAXBContext.createUnmarshaller();
    // The raw request body is unmarshalled as-is: no XMLInputFactory or
    // SAXParserFactory with DTDs/external entities disabled sits in between,
    // so a DOCTYPE in the payload is honoured.
    JAXBElement localJAXBElement = (JAXBElement)localUnmarshaller.unmarshal(paramInputStream);
    return (InquirePayload)localJAXBElement.getValue();
  }
  catch (JAXBException localJAXBException)
  {
    localJAXBException.printStackTrace();
    throw new RequestException(Error.INQUIRE_PAYLOAD_CREATE_FAIL, "Translate input to JAXB object failed.");
  }
}
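The following is an added example, not code from the advisory or from CyberPower, showing why the default Unmarshaller above is exposed and how the same unmarshalling is hardened: instead of handing the raw InputStream to JAXB, the input is first wrapped in a StAX XMLStreamReader whose factory has DTD support and external entity resolution switched off. The Inquire class is a hypothetical stand-in for the product's InquirePayload, the sample document is constructed for the demo (it uses only a benign internal entity, no external resource), and the code assumes javax.xml.bind (JAXB 2.x, bundled with Java 8; a separate jaxb-api/jaxb-runtime dependency on later JDKs).

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlElement;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class InquiryUnmarshalDemo {

    /** Hypothetical stand-in for the advisory's InquirePayload class. */
    @XmlRootElement(name = "inquire")
    public static class Inquire {
        @XmlElement
        public String command;
    }

    /**
     * Vulnerable pattern, mirroring splitInquirePayload(): the default
     * Unmarshaller creates its own SAX parser, which processes the DOCTYPE
     * and resolves entities, external and parameter entities included.
     */
    static Inquire unmarshalUnsafe(InputStream in) throws JAXBException {
        JAXBContext ctx = JAXBContext.newInstance(Inquire.class);
        Unmarshaller u = ctx.createUnmarshaller();
        return (Inquire) u.unmarshal(in);
    }

    /**
     * Hardened variant: JAXB is fed a StAX reader that was created by a
     * factory with DTD processing and external entity support disabled,
     * so a DOCTYPE in untrusted input can no longer trigger any resolution.
     */
    static Inquire unmarshalSafe(InputStream in) throws JAXBException, XMLStreamException {
        XMLInputFactory xif = XMLInputFactory.newInstance();
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        XMLStreamReader reader = xif.createXMLStreamReader(in);

        JAXBContext ctx = JAXBContext.newInstance(Inquire.class);
        Unmarshaller u = ctx.createUnmarshaller();
        return u.unmarshal(reader, Inquire.class).getValue();
    }

    // Constructed sample input: a benign internal entity stands in for the DTD
    // processing that an attacker would abuse; nothing external is referenced.
    static final String SAMPLE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE inquire [ <!ENTITY who \"entity-expanded\"> ]>\n"
      + "<inquire><command>&who;</command></inquire>";

    static InputStream asStream(String xml) {
        return new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // Default path: the DOCTYPE is processed and the entity arrives expanded
        // in the payload, which is the behaviour the advisory builds on.
        Inquire loose = unmarshalUnsafe(asStream(SAMPLE));
        System.out.println("default Unmarshaller: command=" + loose.command);

        // Hardened path: with SUPPORT_DTD off the entity declaration is never
        // read, so the reference cannot be resolved and the parse is rejected
        // (StAX error, or wrapped by JAXB as an UnmarshalException).
        try {
            Inquire strict = unmarshalSafe(asStream(SAMPLE));
            System.out.println("hardened Unmarshaller: command=" + strict.command);
        } catch (XMLStreamException | JAXBException e) {
            System.out.println("hardened Unmarshaller: rejected DTD-bearing input ("
                + e.getClass().getSimpleName() + ")");
        }
    }
}
```

Running the class with the constructed sample shows the two behaviours side by side; in a servlet, the same XMLStreamReader wrapping goes where splitInquirePayload() currently calls unmarshal(paramInputStream). Disabling DTDs outright is the preferred setting because it removes parameter entities, external entities and entity-expansion denial of service in one step; if the protocol genuinely needs an internal DTD, keep SUPPORT_DTD on but leave IS_SUPPORTING_EXTERNAL_ENTITIES off.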

--------------------------------------------------------------------------------

Vendor
CyberPower Systems, Inc. - https://www.cyberpowersystems.com
Affected Version
3.1.2 (37567) Business Edition
Tested On
Microsoft Windows 7 Ultimate SP1 EN
Microsoft Windows 8
Microsoft Windows Server 2012
Linux (64bit)
MacOS X 10.6
Jetty(7.5.0.v20110901)
Java/1.8.0_91-b14
SimpleHTTP/0.6 Python/2.7.1
Vendor Status
[22.06.2016] Vulnerability discovered.
[23.06.2016] Contact with the vendor.
[04.06.2016] No response from the vendor.
[05.07.2016] Contact with the vendor.
[07.07.2016] No response from the vendor.
[08.07.2016] Public security advisory released.
PoC
powerpanel_xxe.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://www.exploit-db.com/exploits/40077/
[2] https://packetstormsecurity.com/files/137819
[3] https://cxsecurity.com/issue/WLB-2016070053
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/114882
Changelog
[08.07.2016] - Initial release
[09.07.2016] - Added reference [1], [2] and [3]
[13.07.2016] - Added reference [4]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk