Cimetrics BACnet Explorer 4.0 XXE Vulnerability

Medium
Advisory ID
ZSL-2017-5398
Release Date
12 February 2017
Vendor
Cimetrics, Inc. - https://www.cimetrics.com
Affected Version
4.0.0.0
CVE
N/A
Tested On
Microsoft Windows 7 Professional SP1 (EN), Microsoft Windows 7 Ultimate SP1 (EN)
Summary

The BACnet Explorer is a BACnet client application that helps auto discover BACnet devices.

Description

BACnet Explorer suffers from an XML External Entity (XXE) vulnerability that can be exploited with the DTD parameter entities technique, resulting in disclosure and retrieval of arbitrary data on the affected node via an out-of-band (OOB) attack. The vulnerability is triggered because input passed to the XML parser is not sanitized when the XML project file is parsed.
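
A defensive pre-open check for project files received from untrusted sources, added here as an example; it is not code from the advisory or the vendor. It uses Python's expat binding to report any DTD or entity declarations without resolving them. The element names, attribute values and URL in the samples are constructed assumptions, not the product's real project format.

```python
import xml.parsers.expat as expat

# Constructed samples: element names and the URL are placeholders.
CLEAN = b'<?xml version="1.0"?><project><device id="1"/></project>'
SUSPECT = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE project ['
    b'<!ENTITY % ext SYSTEM "http://example.invalid/ext.dtd">'
    b']><project><device id="1"/></project>'
)


def audit_project_xml(data: bytes) -> list[str]:
    """Return DTD-related findings for an XML file; nothing external is loaded."""
    findings = []
    parser = expat.ParserCreate()
    # Parameter entities and external DTD subsets are never read.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings.append(f"DOCTYPE declared for <{name}>")
        if system_id or public_id:
            findings.append(f"external DTD subset: {system_id or public_id}")

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        kind = "parameter" if is_param else "general"
        if system_id or public_id:
            target = system_id or public_id
            findings.append(f"external {kind} entity '{name}' -> {target}")
        else:
            findings.append(f"internal {kind} entity '{name}'")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        findings.append(f"parse error: {exc}")
    return findings


def is_safe_to_open(data: bytes) -> bool:
    """Policy assumed here: a project file has no reason to carry a DTD."""
    return not audit_project_xml(data)


if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, is_safe_to_open(sample), audit_project_xml(sample))
```
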

Proof of Concept
Disclosure Timeline
30.01.2017 Vulnerability discovered.
31.01.2017 Vendor contacted.
11.02.2017 No reply from the vendor.
12.02.2017 Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
12.02.2017 Initial release
18.02.2017 Added reference [1], [2], [3] and [4]