One Article Review

Source: Code White
Identifier: 351862
Publication date: 2015-08-24 10:29:17 (viewed: 2015-08-24 10:29:17)
Title: Exploiting the hidden Saxon XSLT Parser in Ektron CMS
Text: Another vulnerability I came across was in Ektron CMS. It's a .NET-based web CMS. If you want to find running instances, try "inurl:/workarea filetype:asmx" at Google. The interesting thing about it is that Microsoft already reported the initial vulnerability as MSVR12-016 (CVE-2012-5357), but I found a different vector to exploit it.

Summary

From US CERT VU#110652: Ektron Content Management System versions 8.5, 8.7, and 9.0 contain a resource injection vulnerability by using an improperly configured XML parser. By default, Ektron utilizes the Microsoft XML parser to parse XSLT documents, which is not vulnerable. If an attacker specifies use of the Saxon XSLT parser instead, and sends it a specially crafted XSLT document, the attacker may be able to run arbitrary code at the privilege level of the application.

Vulnerability Details

During information gathering, I found several web services exposed on the Ektron CMS system. One of them was http://[host]/Workarea/ServerControlWS.asmx. Looking at the WSDL, there was the SOAP method ContentBlockEx, with a parameter that nearly jumped into my face: xslt. If you can get your data parsed by an XSLT parser, that's almost like hitting the jackpot. The problem was that Ektron had already patched the vulnerability by hardening the MSXML parser. Nevertheless, XXE was still possible, but I couldn't get any helpful information out of the system. There was also another vulnerability that allowed me to list directories. Finally, I found the directory with all the .NET DLLs. After browsing through the directory, I finally found something interesting: there were several saxon9*.dlls. From my former times, I could remember that Saxon allows me to parse XSLT. So I had a look at the documentation in the Saxon Function Library. Looking at the different namespaces, I found several interesting functions working with files, etc.

After browsing through the Saxon documentation, I finally found an interesting paragraph, "Saxon: Calling Static Methods in a .NET Class". From this, it seemed like I could call static functions of .NET CLR classes from Saxon :-) So I created the following XSLT template: Putting it all together, the final SOAP request looks like this:

Vendor Response

I wasn't involved, although CERT tried to contact them with no luck.

The fix

Ektron released Security Update 2 (Releases 8.02 SP5 to 9.10 SP1). To my amazement, Ektron told CERT the following: This was patched via a cumulative security patcher that was made available Oct 9, 2013 that would apply the updates to versions 8.0.2 to 9.0. The current version of the patcher is available at: https://portal.ektron.com/News/Security/Security_Notice_-_11-25-14/ 8.7sp2 (released 8/16/2013), 9.0sp1 (relea
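As an added defensive example (not code from the original post or from Ektron), here is a Python check that a gateway, WAF rule or log-review script could run over the value of an `xslt` parameter like the one above: it parses the stylesheet and flags any namespace declaration bound to `clitype:` (the namespace URI scheme Saxon.NET uses for reflexive calls into .NET classes, per the Saxon documentation the post refers to) or to the Saxon extension namespace, both of which have no business in a stylesheet meant for MSXML. The two sample stylesheets and the type name in the second one are constructed placeholders.

```python
"""Flag XSLT documents that reach for Saxon-specific extension mechanisms."""
import io
import xml.etree.ElementTree as ET

# clitype: is Saxon.NET's URI scheme for binding a prefix to a .NET class;
# http://saxon.sf.net/ is the namespace of Saxon's own extension functions.
RISKY_URI_PREFIXES = ("clitype:", "http://saxon.sf.net/")
# The only namespace a plain transformation needs to declare.
XSLT_NS = "http://www.w3.org/1999/XSL/Transform"


def declared_namespaces(xslt_text):
    """Return every (prefix, uri) pair declared anywhere in the document."""
    events = ET.iterparse(io.StringIO(xslt_text), events=("start-ns",))
    return [(prefix, uri) for _event, (prefix, uri) in events]


def risky_namespaces(xslt_text):
    """Namespace declarations that only make sense if Saxon will run the sheet."""
    return [(p, u) for p, u in declared_namespaces(xslt_text)
            if u.startswith(RISKY_URI_PREFIXES)]


def is_acceptable(xslt_text):
    """True only for a well-formed stylesheet with no Saxon extension namespaces."""
    try:
        namespaces = declared_namespaces(xslt_text)
    except ET.ParseError:
        return False  # malformed input is rejected rather than guessed at
    uses_xslt = any(uri == XSLT_NS for _p, uri in namespaces)
    risky = any(uri.startswith(RISKY_URI_PREFIXES) for _p, uri in namespaces)
    return uses_xslt and not risky


# Constructed samples: a harmless stylesheet and one that binds a prefix to a
# .NET type through clitype: (the type name is a placeholder, not a real class).
BENIGN = """<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/"><out><xsl:value-of select="/root/item"/></out></xsl:template>
</xsl:stylesheet>"""

SUSPECT = """<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
  xmlns:ext="clitype:Example.Placeholder.Type">
  <xsl:template match="/"><out/></xsl:template>
</xsl:stylesheet>"""

if __name__ == "__main__":
    print("benign accepted:", is_acceptable(BENIGN))        # True
    print("suspect flagged:", risky_namespaces(SUSPECT))    # [('ext', 'clitype:Example.Placeholder.Type')]
```

Rejecting such stylesheets at the boundary is a stopgap; the vendor fix (not letting callers pick Saxon at all, and applying the security update) is the actual mitigation.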
Sent: Yes