ModbusPal 1.6b - XML External Entity Injection


ModbusPal is a MODBUS slave simulator. Its purpose is to offer an easy to use interface with the capabilities to reproduce complex and realistic MODBUS environments.The core of ModbusPal is written in Java. TCP/IP is supported natively, and the serial communication is supported if RxTx library is installed on the computer.ModbusPal is free and open source, released under the GPL license.
ModbusPal 1.6b is vulnerable to an XML External Entity (XXE) attack. Projects are saved as .xmpp files and automations can be exported as .xmpa files, both XML-based and vulnerable to XXE injection. Sending a crafted .xmpp or .xmpa file to a user, when opened/imported in ModbusPal 1.6b, will return the contents of any local files to a remote attacker.