
CyberPower Systems PowerPanel 3.1.2 XXE Out-Of-Band Data Retrieval

High
Advisory ID
ZSL-2016-5338
Release Date
08 July 2016
Vendor
CyberPower Systems, Inc. - https://www.cyberpowersystems.com
Affected Version
3.1.2 (37567) Business Edition
CVE
N/A
Tested On
Microsoft Windows 7 Ultimate SP1 EN, Microsoft Windows 8, Microsoft Windows Server 2012, Linux (64bit), MacOS X 10.6, Jetty(7.5.0.v20110901), Java/1.8.0_91-b14, SimpleHTTP/0.6 Python/2.7.1
Summary

The PowerPanel® Business Edition software from CyberPower provides IT professionals with the tools they need to easily monitor and manage their backup power. Available for compatible CyberPower UPS models, this software supports up to 250 clients, allowing users remote access (from any network PC with a web browser) to instantly access vital UPS battery conditions, load levels, and runtime information. Functionality includes application/OS shutdown, event logging, hibernation mode, internal reports and analysis, remote management, and more.

Description

PowerPanel suffers from an unauthenticated XML External Entity (XXE) vulnerability using the DTD parameter entities technique, resulting in the disclosure and retrieval of arbitrary data from the affected node via an out-of-band (OOB) attack. The vulnerability is triggered because input passed to the xmlservice servlet through the ppbe.xml script is not sanitized before the XML inquiry payload is parsed and translated into a JAXB element.

C:\Program Files (x86)\CyberPower PowerPanel Business Edition\web\work\ROOT\webapp\WEB-INF\classes\com\cyberpowersystems\ppbe\webui\xmlservice\
------------------------
XmlServiceServlet.class:
------------------------

private InquirePayload splitInquirePayload(InputStream paramInputStream)
  throws RequestException
{
  try
  {
    // The JAXBContext and Unmarshaller are created with default settings, so the
    // underlying XML parser keeps DTD processing and external entity resolution
    // enabled; any DOCTYPE in the request body is honoured before the payload is
    // translated into an InquirePayload object.
    JAXBContext localJAXBContext = JAXBContext.newInstance("com.cyberpowersystems.ppbe.core.xml.inquiry");
    Unmarshaller localUnmarshaller = localJAXBContext.createUnmarshaller();
    JAXBElement localJAXBElement = (JAXBElement)localUnmarshaller.unmarshal(paramInputStream);
    return (InquirePayload)localJAXBElement.getValue();
  }
  catch (JAXBException localJAXBException)
  {
    localJAXBException.printStackTrace();
    throw new RequestException(Error.INQUIRE_PAYLOAD_CREATE_FAIL, "Translate input to JAXB object failed.");
  }
}
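The fix for this class of bug is to unmarshal through a parser that has DTD and external entity support switched off rather than handing the raw InputStream to JAXB. The following is an added illustration, not CyberPower's code: it assumes a stand-in InquirePayload class (hypothetical, not the vendor's) and the javax.xml.bind API that ships with Java 8, the runtime named under Tested On.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class HardenedUnmarshal {

    // Hypothetical stand-in for the product's InquirePayload; not the vendor's class.
    @XmlRootElement(name = "inquire")
    public static class InquirePayload {
        public String command;
    }

    // Wrap the request body in a StAX reader with DTDs and external entities disabled,
    // then let JAXB read from that reader instead of from the raw InputStream.
    public static InquirePayload unmarshalSafely(InputStream in)
            throws JAXBException, XMLStreamException {
        XMLInputFactory xif = XMLInputFactory.newFactory();
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);                      // no DOCTYPE, no parameter entities
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);  // no external entity resolution
        XMLStreamReader reader = xif.createXMLStreamReader(in);
        Unmarshaller u = JAXBContext.newInstance(InquirePayload.class).createUnmarshaller();
        return (InquirePayload) u.unmarshal(reader);
    }

    private static InputStream stream(String s) {
        return new ByteArrayInputStream(s.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: a plain inquiry and one that carries a DOCTYPE.
        String benign = "<?xml version=\"1.0\"?><inquire><command>status</command></inquire>";
        String withDoctype = "<?xml version=\"1.0\"?><!DOCTYPE x [<!ENTITY x \"y\">]>"
                + "<inquire><command>&x;</command></inquire>";
        System.out.println("benign command: " + unmarshalSafely(stream(benign)).command);
        try {
            unmarshalSafely(stream(withDoctype));
        } catch (XMLStreamException | javax.xml.bind.UnmarshalException e) {
            // With DTD support off the entity reference cannot be resolved, so the request fails closed.
            System.out.println("rejected request with DOCTYPE: " + e.getMessage());
        }
    }
}
```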
Proof of Concept
Disclosure Timeline
22.06.2016 Vulnerability discovered.
23.06.2016 Contact with the vendor.
04.06.2016 No response from the vendor.
05.07.2016 Contact with the vendor.
07.07.2016 No response from the vendor.
08.07.2016 Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
08.07.2016 Initial release
09.07.2016 Added reference [1], [2] and [3]
13.07.2016 Added reference [4]