Westpoint Security Advisory
---------------------------

Title:          Ektron CMS400.NET Directory Traversal Vulnerability
Risk Rating:    High
Platforms:      ASP.net (Windows)
Discovered by:  Richard Moore and Rohan Stelling
Author:         Paul Jones
Date:           06 Oct 2009
Advisory ID#:   wp-09-0008
URL:            http://www.westpoint.ltd.uk/advisories/wp-09-0008.txt
CVE:

Overview
--------

The Ektron CMS processes untrusted XML data using a parser configured to
allow the definition of external entities.

Details
-------

The flaw was discovered via a web service that appeared to be provided for
development purposes, though it is likely that the same flaw could be
exploited through other web services should an attacker be willing to
disrupt the operation of the site.

The page located at the URL below allows an attacker to specify some input
XML and an XSLT stylesheet to be applied.

http://www.example.com/WorkArea/ServerControlWS.asmx?op=TransformXslt

By specifying a malicious stylesheet that defines an external entity, an
attacker can cause the server-side XML processor to include the contents of
local files and return them. An example stylesheet that returns the contents
of the file win.ini is shown below (only this fragment of the stylesheet
survives in this copy of the advisory):

]> &test;

The stylesheet defines an XML entity called 'test' whose replacement text is
the content of the file ../../win.ini. Entering this and pressing the
'Invoke' button returns the contents of the file to the attacker's browser.

Using this mechanism we were able to access a number of files from the
server, including sensitive files such as the install logs and logs from
IIS (Microsoft Internet Information Server). We demonstrated that any text
file stored on the server is accessible to an attacker, and it is likely
the attack could be extended to include binary files as well.

In addition to allowing the content of an entity to be loaded from a local
file, the XML parser also allows content to be loaded over the network.
This can be accomplished by replacing the path to win.ini with a URL. The
URL can include parameters, allowing arbitrary HTTP GET requests to be
performed. This facility makes an attack on the internal network of the
host running the CMS possible (bypassing any firewall in use). Connecting
to an open port gave different results from connecting to one which was
closed. This allowed us to develop a tool to perform a portscan of the
host. These ports would otherwise be protected against external access by
the firewall.

It is important to note that no credentials were required in order to
perform this attack. It is possible to exploit this vulnerability both
through the web form shown above and directly through the SOAP interface
itself.

Impact
------

An attacker can read arbitrary files from the server, including detailed
information about the applied patches, log files, source code, database
credentials etc. Using the ability to access URLs, an attacker can perform
attacks against any internet-accessible website with the attack appearing
to originate from the www.example.com server. Further, they can attack
hosts reachable from the same internal network as the www.example.com
server, bypassing the protection offered by the perimeter firewall
entirely.

Timeline
--------

17 Jul 2008   Ektron informed of the vulnerability
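The root cause described above is a parser that accepts a DTD from untrusted input and resolves the external entities it declares. The following is an added example, not code from Westpoint or Ektron, showing the defensive gate a service such as the TransformXslt endpoint needs in front of its parser: refuse any submitted XML or XSLT that carries a DOCTYPE, and configure the parser so it will not fetch external entities even if one gets through. It uses the Python standard library rather than the .NET parser the product runs on (the .NET equivalents are DtdProcessing.Prohibit and a null XmlResolver on XmlReaderSettings, and a null resolver when loading an XslCompiledTransform); the two sample documents and the win.ini path in the payload are constructed for the demonstration.

```python
import io
import re
import xml.sax
from xml.sax.handler import (ContentHandler, EntityResolver,
                             feature_external_ges, feature_external_pes)

# Constructed sample of the kind of payload the advisory describes: a DTD that
# declares an entity whose replacement text is read from a local file (or, with
# a URL in place of the path, fetched over the network). Path is illustrative.
XXE_SAMPLE = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE root [\n'
    '  <!ENTITY test SYSTEM "../../win.ini">\n'
    ']>\n'
    '<root>&test;</root>\n'
)

# Constructed benign document of the kind a legitimate caller might submit.
BENIGN_SAMPLE = '<?xml version="1.0"?><root><item>hello</item></root>'

_DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)


def contains_dtd(xml_text: str) -> bool:
    """True if the document carries a DOCTYPE declaration.

    A DTD is the only place an <!ENTITY ... SYSTEM "..."> declaration can
    appear, so refusing every DOCTYPE closes both the local-file and the
    URL-fetch variants described in the advisory. Comments are stripped first
    so that the string "<!DOCTYPE" inside <!-- --> is not a false positive.
    """
    without_comments = re.sub(r"<!--.*?-->", "", xml_text, flags=re.DOTALL)
    return _DOCTYPE_RE.search(without_comments) is not None


class _RefusingResolver(EntityResolver):
    """Second line of defence: never resolve an external identifier."""

    def resolveEntity(self, publicId, systemId):
        raise ValueError(f"external entity resolution refused: {systemId!r}")


class _TextCollector(ContentHandler):
    """Collects character data so the caller can see what the parser produced."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def process_submission(xml_text: str) -> dict:
    """Gatekeeper for untrusted XML or XSLT text.

    Returns {"accepted": True, "text": ...} for a document that passed, or
    {"accepted": False, "reason": ...} for one that was refused.
    """
    if contains_dtd(xml_text):
        return {"accepted": False,
                "reason": "DOCTYPE declarations are not accepted from untrusted input"}

    parser = xml.sax.make_parser()
    # Even if a DTD were present, expat must not fetch external general or
    # parameter entities; this is the stdlib analogue of a null XmlResolver.
    parser.setFeature(feature_external_ges, False)
    parser.setFeature(feature_external_pes, False)
    parser.setEntityResolver(_RefusingResolver())
    handler = _TextCollector()
    parser.setContentHandler(handler)
    try:
        parser.parse(io.BytesIO(xml_text.encode("utf-8")))
    except (xml.sax.SAXException, ValueError) as exc:
        return {"accepted": False, "reason": f"parse refused: {exc}"}
    return {"accepted": True, "text": "".join(handler.chunks)}


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SAMPLE), ("xxe", XXE_SAMPLE)):
        print(label, process_submission(doc))
```

Both the input XML and the stylesheet should pass through process_submission before anything is handed to the transform, since the advisory notes the entity was declared in the stylesheet. Rejecting the DOCTYPE outright, rather than trying to filter individual ENTITY declarations, is the simpler policy to reason about: a service that transforms caller-supplied documents has no legitimate need for a caller-supplied DTD.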