Title: Cimetrics BACnet Explorer 4.0 XXE Vulnerability
Advisory ID: ZSL-2017-5398
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information, DoS
Risk: (3/5)
Release Date: 12.02.2017

Summary

The BACnet Explorer is a BACnet client application that helps auto discover BACnet devices.

Description

BACnetExplorer suffers from an XML External Entity (XXE) vulnerability using the DTD parameter entities technique resulting in disclosure and retrieval of arbitrary data on the affected node via out-of-band (OOB) attack. The vulnerability is triggered when input passed to the xml parser is not sanitized while parsing the xml project file.

Vendor

Cimetrics, Inc. - https://www.cimetrics.com

Affected Version

4.0.0.0

Tested On

Microsoft Windows 7 Professional SP1 (EN)
Microsoft Windows 7 Ultimate SP1 (EN)

Vendor Status

[30.01.2017] Vulnerability discovered.
[31.01.2017] Vendor contacted.
[11.02.2017] No reply from the vendor.
[12.02.2017] Public security advisory released.

PoC

bacnetexplorer_xxe.txt

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] https://www.exploit-db.com/exploits/41321/
[2] https://cxsecurity.com/issue/WLB-2017020121
[3] https://packetstormsecurity.com/files/141054
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/122001

Changelog

[12.02.2017] - Initial release
[18.02.2017] - Added reference [1], [2], [3] and [4]

Contact

Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk