Westpoint Security Advisory
---------------------------

Title:         Ektron CMS400.NET Directory Traversal Vulnerability
Risk Rating:   High
Platforms:     ASP.net (Windows)
Discovered by: Richard Moore <rich@westpoint.ltd.uk> and Rohan Stelling
Author:        Paul Jones <paul.jones@westpoint.ltd.uk>
Date:          06 Oct 2009
Advisory ID#:  wp-09-0008
URL:           http://www.westpoint.ltd.uk/advisories/wp-09-0008.txt
CVE:          

Overview
--------

The Ektron CMS processes untrusted XML data using a parser configured to allow
the definition of external entities.


Details
-------

The flaw was discovered via a web service that appeared to be provided for
development purposes, though it is likely that the same flaw could be
exploited through other web services should an attacker be willing to disrupt
the operation of the site.  The page located at the URL below allows an
attacker to specify some input XML and an XSLT stylesheet to be applied.

http://www.example.com/WorkArea/ServerControlWS.asmx?op=TransformXslt

By specifying a malicious stylesheet that defines an external entity an
attacker can cause the server-side XML processor to include the contents of
local files and return them. An example stylesheet that returns the contents
of the file win.ini is shown below:

<?xml version="1.0"?>
<!DOCTYPE test [ <!ENTITY test SYSTEM "../../win.ini">]>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
<xsl:template match="/">
&test;
</xsl:template>
</xsl:stylesheet>

The stylesheet declares an XML entity called 'test' whose value is the
content of the file ../../win.ini. Entering this stylesheet and pressing the
'Invoke' button returns the contents of the file to the attacker's
browser.

Using this mechanism we were able to access a number of files from the server
including sensitive files such as the install logs and logs from IIS
(Microsoft Internet Information Server). We demonstrated that any text file
stored on the server is accessible to an attacker, and it is likely the attack
could be extended to include binary files as well.

In addition to allowing the content of an entity to be loaded from a local
file, the XML parser also allows entity content to be loaded over the network.
This can be accomplished by replacing the path to win.ini with a URL. The URL
can include parameters, allowing arbitrary HTTP GET requests to be performed.

This facility renders an attack on the internal network of the host running
the CMS possible (bypassing any firewall in use). Connecting to an open port
gave different results from connecting to one which was closed. This allowed
us to develop a tool to perform a portscan of the host.

These ports would otherwise be protected against external access by the
firewall. It is important to note that no credentials were required in order
to perform this attack.

It is possible to exploit this vulnerability both through the web form shown
above, and directly through the SOAP interface itself.
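The root cause in both the local-file and the URL case is a reader that processes the DTD and resolves SYSTEM identifiers. The following C# is an added example written for this advisory, not Ektron's code, showing how an ASP.NET service should parse untrusted input XML and an untrusted stylesheet so that the DOCTYPE above is rejected before any entity is resolved. It assumes .NET Framework 4.0 or later for DtdProcessing (on 3.5, ProhibitDtd = true is the equivalent setting).

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.Xsl;

// Added example (not part of the advisory or the vendor's code).
// A reader built with default DTD handling and the default XmlUrlResolver
// will fetch whatever the SYSTEM identifier names, whether a file path or
// an http:// URL; these settings turn both behaviours off.
static class SafeTransform
{
    static XmlReaderSettings HardenedSettings()
    {
        return new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // any <!DOCTYPE ...> raises XmlException
            XmlResolver = null                      // never dereference file:// or http:// URIs
        };
    }

    public static string Transform(string untrustedXml, string untrustedXslt)
    {
        XmlReaderSettings settings = HardenedSettings();
        var xslt = new XslCompiledTransform();

        using (XmlReader styleReader = XmlReader.Create(new StringReader(untrustedXslt), settings))
        {
            // XsltSettings.Default disables document() and embedded script;
            // a null stylesheet resolver also blocks xsl:import / xsl:include fetches.
            xslt.Load(styleReader, XsltSettings.Default, null);
        }

        using (XmlReader inputReader = XmlReader.Create(new StringReader(untrustedXml), settings))
        using (var output = new StringWriter())
        {
            // Null document resolver so document() cannot be re-enabled at run time.
            xslt.Transform(inputReader, null, output, null);
            return output.ToString();
        }
    }
}
```

Fed the win.ini stylesheet from the Details section, Transform throws at the DOCTYPE line instead of returning file contents; a stylesheet without a DTD still transforms normally.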


Impact
------

An attacker can read arbitrary files from the server including detailed
information about the applied patches, log files, source code, database
credentials etc. Using the ability to access URLs an attacker can perform
attacks against any internet accessible website with the attack appearing to
originate from the www.example.com server.  Further, they can attack hosts
reachable from the same internal network as the www.example.com server
bypassing the protection offered by the perimeter firewall entirely.


Timeline
--------

17 Jul 2008	Ektron informed of the vulnerability
