module
Sitecore Experience Platform (XP) PreAuth Deserialization RCE
| Disclosed | Created |
|---|---|
| 2021-11-02 | 2021-11-16 |
Disclosed
2021-11-02
Created
2021-11-16
Description
This module exploits a deserialization vulnerability in the Report.ashx page
of Sitecore XP 7.5 to 7.5.2, 8.0 to 8.0.7, 8.1 to 8.1.3, and 8.2 to 8.2.7.
Versions 7.2.6 and earlier and 9.0 and later are not affected.
The vulnerability occurs due to Report.ashx's handler, located in Sitecore.Xdb.Client.dll
under the Sitecore.sitecore.shell.ClientBin.Reporting.Report defintion, having a ProcessRequest()
handler that calls ProcessReport() with the context of the attacker's request without properly
checking if the attacker is authenticated or not.
This request then causes ReportDataSerializer.DeserializeQuery() to be called, which will
end up calling the DeserializeParameters() function of
Sitecore.Analytics.Reporting.ReportDataSerializer, if a "parameters" XML tag is found in
the attacker's request.
Then for each subelement named "parameter", the code will check that it has a name and
if it does, it will call NetDataContractSerializer().ReadObject on it. NetDataContractSerializer is
vulnerable to deserialization attacks and can be trivially exploited by using the
TypeConfuseDelegate gadget chain.
By exploiting this vulnerability, an attacker can gain arbitrary code execution as the user
that IIS is running as, aka NT AUTHORITY\NETWORK SERVICE. Users can then use technique 4
of the "getsystem" command to use RPCSS impersonation and get SYSTEM level code execution.
of Sitecore XP 7.5 to 7.5.2, 8.0 to 8.0.7, 8.1 to 8.1.3, and 8.2 to 8.2.7.
Versions 7.2.6 and earlier and 9.0 and later are not affected.
The vulnerability occurs due to Report.ashx's handler, located in Sitecore.Xdb.Client.dll
under the Sitecore.sitecore.shell.ClientBin.Reporting.Report defintion, having a ProcessRequest()
handler that calls ProcessReport() with the context of the attacker's request without properly
checking if the attacker is authenticated or not.
This request then causes ReportDataSerializer.DeserializeQuery() to be called, which will
end up calling the DeserializeParameters() function of
Sitecore.Analytics.Reporting.ReportDataSerializer, if a "parameters" XML tag is found in
the attacker's request.
Then for each subelement named "parameter", the code will check that it has a name and
if it does, it will call NetDataContractSerializer().ReadObject on it. NetDataContractSerializer is
vulnerable to deserialization attacks and can be trivially exploited by using the
TypeConfuseDelegate gadget chain.
By exploiting this vulnerability, an attacker can gain arbitrary code execution as the user
that IIS is running as, aka NT AUTHORITY\NETWORK SERVICE. Users can then use technique 4
of the "getsystem" command to use RPCSS impersonation and get SYSTEM level code execution.
Authors
AssetNote
gwillcox-r7
gwillcox-r7
Platform
Windows
Architectures
cmd, x86, x64
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.