what you don't know can hurt you

Climatix BACnet/IP Communication Module Cross Site Scripting

Climatix BACnet/IP Communication Module Cross Site Scripting
Posted Jul 1, 2015
Authored by Juan Francisco

Climatix BACnet/IP communication module versions prior to 10.34 suffer from a cross site scripting vulnerability.

tags | exploit, xss
MD5 | 9a92fe166396c753f6efff0bd794f245

Climatix BACnet/IP Communication Module Cross Site Scripting

Change Mirror Download
I. VULNERABILITIES
-------------------------

1. Reflected XSS Attack vulnerability in Climatix BACnet/IP communication
module from Siemens

2. Unrestricted upload of files


II. BACKGROUND
-------------------------

BACnet/IP communication modules help to integrate controller types POL6XX
of the Climatix family into BACnet networks


III. DESCRIPTION
-------------------------

1. XSS,Has been detected Reflected XSS vulnerability

http://IPDIRECTION/bgi/dumpfile.dll?")</b><script>alert("hacked");</script>


2. Unrestricted upload of files:

http://IPDIRECTION/bgi/filemanager.dll#upload

V. BUSINESS IMPACT
-------------------------

An attacker can execute arbitrary HTML or script code in a targeted
user's browser, that allows the execution of arbitrary HTML/script
code to be executed in the context of the victim user's browser
allowing Cookie Theft/Session Hijacking, thus enabling full access the
box.

The box can be compromised due to upload of files and execution.


VI. SYSTEMS AFFECTED
-------------------------

Climatix BACnet/IP communication module: All versions < V10.34


VII. SOLUTION
-------------------------

Siemens provides firmware update Climatix BACnet/IP communication module
V10.34 which fixes the vulnerability (XSS).

The new firmware update includes further security improvements (e.g. web
server
authentication enabled by default) due to vulnerabilities founded like
uncontrolled upload of files and unrestricted execution of dangerous
functions like "shell.exe" and "cmd.exe".

Siemens Security Advissory:
http://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_security_advisory_ssa-142512.pdf

ICS-CERT: https://ics-cert.us-cert.gov/advisories/ICSA-15-176-01

Detected and reported by J. Francisco Bolivar (es.linkedin.com/in/jfbolivar/)
@Jfran_cbit


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    34 Files
  • 2
    Jul 2nd
    15 Files
  • 3
    Jul 3rd
    9 Files
  • 4
    Jul 4th
    8 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    3 Files
  • 7
    Jul 7th
    1 Files
  • 8
    Jul 8th
    15 Files
  • 9
    Jul 9th
    15 Files
  • 10
    Jul 10th
    20 Files
  • 11
    Jul 11th
    17 Files
  • 12
    Jul 12th
    16 Files
  • 13
    Jul 13th
    2 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    20 Files
  • 16
    Jul 16th
    27 Files
  • 17
    Jul 17th
    7 Files
  • 18
    Jul 18th
    5 Files
  • 19
    Jul 19th
    12 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close