Sitecore 8.x Deserialization Remote Code Execution

2019.06.14
Credit: Jarad Kopf
Risk: High
Local: No
Remote: Yes
CWE: CWE-502


CVSS Base Score: 9/10
Impact Subscore: 10/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

# Exploit Title: Sitecore v 8.x Deserialization RCE
# Date: Reported to vendor October 2018, fix released April 2019.
# Exploit Author: Jarad Kopf
# Vendor Homepage: https://www.sitecore.com/
# Software Link: Sitecore downloads: https://dev.sitecore.net/Downloads.aspx
# Version: Sitecore 8.0 Revision 150802
# Tested on: Windows
# CVE : CVE-2019-11080

Exploit:

Authentication is needed for this exploit. An attacker needs to log in to the Admin section of Sitecore 8.0 revision 150802. When choosing to serialize users or domains in the admin UI, the calls to /sitecore/shell/~/xaml/Sitecore.Shell.Applications.Dialogs.Progress.aspx include a CSRFTOKEN parameter. Replacing this parameter with a URL-encoded, base64-encoded payload crafted with ysoserial.net results in remote code execution.
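A detection-side illustration of the request shape described above, added here and not part of the advisory or of Sitecore's code: it percent-decodes and base64-decodes the CSRFTOKEN value sent to the Progress.aspx dialog and flags values that carry a .NET BinaryFormatter stream header or well-known gadget-chain type names instead of an opaque token. The advisory does not say which .NET formatter the endpoint uses, so both heuristics are assumptions; the sample requests are constructed, not captured traffic.

```python
import base64, binascii
from urllib.parse import quote, unquote, urlsplit

# Endpoint named in the advisory.
PROGRESS_DIALOG = "/sitecore/shell/~/xaml/Sitecore.Shell.Applications.Dialogs.Progress.aspx"
# Opening bytes of a .NET BinaryFormatter stream (SerializationHeaderRecord: RootId 1, HeaderId -1, v1.0).
BINARYFORMATTER_HEADER = b"\x00\x01\x00\x00\x00\xff\xff\xff\xff\x01\x00\x00\x00\x00\x00\x00\x00"
# Type names that recur in public .NET deserialization gadget chains (e.g. ysoserial.net's).
GADGET_MARKERS = (b"ObjectDataProvider", b"System.Windows.Data", b"TypeConfuseDelegate")

def csrf_token(url: str) -> str:
    """Percent-decode the CSRFTOKEN query value; unquote() keeps '+' (base64 needs it)."""
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        if unquote(key) == "CSRFTOKEN":
            return unquote(value)
    return ""

def base64_or_empty(value: str) -> bytes:
    try:  # tolerate stripped padding; anything undecodable is treated as empty
        return base64.b64decode(value + "=" * (-len(value) % 4))
    except (binascii.Error, ValueError):
        return b""

def classify_request(url: str) -> str:
    """'' for other paths, 'ok' for a token-shaped CSRFTOKEN, 'suspect:<reason>' otherwise."""
    if urlsplit(url).path != PROGRESS_DIALOG:
        return ""
    decoded = base64_or_empty(csrf_token(url))
    if decoded.startswith(BINARYFORMATTER_HEADER):
        return "suspect:binaryformatter-header"
    if any(marker in decoded for marker in GADGET_MARKERS):
        return "suspect:gadget-type-name"
    return "ok"

def suspect_requests(urls):
    """(index, verdict) for every request whose CSRFTOKEN does not look like a token."""
    verdicts = [(i, classify_request(u)) for i, u in enumerate(urls)]
    return [(i, v) for i, v in verdicts if v.startswith("suspect:")]

def _sample(payload: bytes) -> str:  # constructed request with a URL-encoded base64 CSRFTOKEN
    return PROGRESS_DIALOG + "?CSRFTOKEN=" + quote(base64.b64encode(payload).decode())

SAMPLE_REQUESTS = [  # constructed, not real traffic
    _sample(b"opaque-token-1234567890"),
    _sample(BINARYFORMATTER_HEADER + b"\x0cconstructed"),
    _sample(b'<ObjectDataProvider MethodName="constructed"/>'),
    "/sitecore/shell/default.aspx?CSRFTOKEN=dGVzdA%3D%3D",
]
```

Run `suspect_requests(SAMPLE_REQUESTS)` over the constructed list to see the two flagged entries; the same functions apply unchanged to request URLs pulled from IIS or WAF logs.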


Copyright 2019, cxsecurity.com