what you don't know can hurt you

TufinOS 2.1.7 Build 1193 XML Injection

TufinOS 2.1.7 Build 1193 XML Injection
Posted Nov 12, 2018
Authored by Konstantinos Alexiou

TufinOS version 2.1.7 build 1193 suffers from an XML external entity injection vulnerability.

tags | exploit
MD5 | ccd2c04ce995ab3a02c0fb45eeb538aa

TufinOS 2.1.7 Build 1193 XML Injection

Change Mirror Download
# Exploit Title: TufinOS 2.17 Build 1193 - XML External Entity Injection
# Exploit Author: konstantinos Alexiou
# Date: 2018-10-18
# Vendor: https://www.tufin.com
# Software Link: https://www.tufin.com/tufin-orchestration-suite/securetrack
# CVE: N/A
# Category: webapps

# 1. Description
# The SecureTrack application is vulnerable to XML External Entity injection.
# This attack is considered quite serious and can be used to:
# (1) Retrieve confidential data
# (2) Perform denial of service
# (3) Execute server side request forgery attacks
# (4) Perform port scanning through the machine on other systems

# The issue was identified inside the "Audit" > "Best Practices" module of the "SecureTrack"
# application when creating a new Best Practices query and manipulating the "xml" parameter
# in the request. When the vulnerability is triggered it doesn't directly return anything
# to the attacker but rather the contents of the requested file are written inside
# the name field of a best practices. This vulnerability affects every "SecureTrack"
# application authentication user role.

# 2. Proof of Concept
# Step 1: Login to the "SecureTrack" application using any user and then navigate to
# "Audit" > "Best Practices".
# Step 2: Create and submit a "New Query" while intercepting the traffic:
# Step 3: Send the request to repeater and change it to include the following
# payload after the "xml=" input field:
-->

<!DOCTYPE foo [<!ENTITY AAAA SYSTEM "file:///etc/passwd"> ]>

<!--

# The payload should be URL encoded before delivered to the application

# Step 4: Submit the request to the server.

# Step 5: Refresh your browser to view the new Best Practice that was created. The following image
# displays that the request was successfully processed by the server and a new Best Practice was
# created. The contents of the requested file "/etc/passwd" is saved as the name of the "Best Practice query".

# 3. Solution:
# Reconfigure the XML processor to use a local static DTD and disallow any declared DTD included in
# the XML document. Another solution is to explicitly disable External XML Entities in the parser of
# the application.


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

November 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    28 Files
  • 2
    Nov 2nd
    1 Files
  • 3
    Nov 3rd
    1 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    19 Files
  • 6
    Nov 6th
    65 Files
  • 7
    Nov 7th
    22 Files
  • 8
    Nov 8th
    18 Files
  • 9
    Nov 9th
    1 Files
  • 10
    Nov 10th
    1 Files
  • 11
    Nov 11th
    11 Files
  • 12
    Nov 12th
    65 Files
  • 13
    Nov 13th
    27 Files
  • 14
    Nov 14th
    22 Files
  • 15
    Nov 15th
    18 Files
  • 16
    Nov 16th
    1 Files
  • 17
    Nov 17th
    3 Files
  • 18
    Nov 18th
    22 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close