Reverse Engineering Sitecore Vulnerabilities-2


Hello Curios, welcome to another blog in the series Reverse Engineering Sitecore Vulnerabilities. This time we’ll discuss multiple vulnerabilities affecting the CIA triad (Confidentiality, Integrity and Availability).

In this blog we’ll cover how anyone can read files from the Webroot, including license and config files.

As we know, Sitecore has the route “api/sitecore/{controller}/{action}”, which provides route mapping for the controllers.

If we look at the security bulletin from Sitecore, it says to disable the DeviceSimulator config and remove Sitecore.Mvc.DeviceSimulator.dll.

Sitecore Security bulletin

Now, in the mentioned DLL there is a controller called SimulatorController, which had an action called Preview, as shown in the picture below -

Sitecore.Mvc.DeviceSimulator is mainly used for device simulation under the Experience Editor. More info here.

Eventually this Preview action called the Server.Execute method, which leads us to LFI (local file inclusion).

Server.Execute does not have any controlling parameters, and it redirects us to whatever file it is given.

Now that we know the vulnerability, exploiting it is very simple: for a POC we can try to access the Sitecore license file.

Hit the URL, replacing the host name with your target -

https://<host-name>/api/sitecore/Sitecore.Mvc.DeviceSimulator.Controllers.SimulatorController,Sitecore.Mvc.DeviceSimulator.dll/Preview?previewPath=/App_Data/license.xml

Moreover, we can also download the backup files from the server.

I’ve automated the process of identifying the vulnerable sites with this vulnerability and I’m surprised that there are still many sites which are vulnerable to this... even big giants!

We can apply the compatible hotfix provided by Sitecore from here.
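To see whether the Preview action has already been requested on a server you run, the IIS logs can be searched for it. The following is an added example, not code from the original post or from Sitecore; the log lines are constructed, and the column layout is an assumption that the code reads from the log's own `#Fields:` header.

```python
from urllib.parse import parse_qs, unquote

# Constructed IIS W3C log sample (not real traffic); IPs are documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2024-01-10 09:14:02 GET /api/sitecore/Sitecore.Mvc.DeviceSimulator.Controllers.SimulatorController,Sitecore.Mvc.DeviceSimulator.dll/Preview previewPath=/App_Data/license.xml 203.0.113.7 200
2024-01-10 09:14:09 GET /API/Sitecore/Sitecore.Mvc.DeviceSimulator.Controllers.SimulatorController%2CSitecore.Mvc.DeviceSimulator.dll/preview PreviewPath=%2FApp_Data%2Flicense.xml 203.0.113.7 404
2024-01-10 09:15:30 GET /api/sitecore/Account/Login returnUrl=/ 198.51.100.4 200
2024-01-10 09:16:00 GET /sitecore/shell/default.aspx - 198.51.100.4 302
"""


def find_simulator_preview_hits(log_text):
    """Return one dict per logged request to the DeviceSimulator Preview action."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names apply until the next header
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        # Decode and lower-case: ASP.NET routes match case-insensitively
        # and the ',' in the controller name may be logged as %2C.
        stem = unquote(row.get("cs-uri-stem", "")).lower()
        if not stem.startswith("/api/sitecore/"):
            continue
        if "devicesimulator" not in stem or not stem.rstrip("/").endswith("/preview"):
            continue
        query = row.get("cs-uri-query", "")
        params = {k.lower(): v for k, v in parse_qs("" if query == "-" else query).items()}
        hits.append({
            "when": f'{row.get("date", "")} {row.get("time", "")}'.strip(),
            "client": row.get("c-ip", ""),
            "status": row.get("sc-status", ""),
            "preview_path": params.get("previewpath", [""])[0],
        })
    return hits


if __name__ == "__main__":
    for hit in find_simulator_preview_hits(SAMPLE_LOG):
        print(hit)  # review hits with status 200 first
```

Any hit on a server where the DeviceSimulator config is still enabled is a reason to apply the hotfix and review which paths were requested.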

That’s it for this part of the series. Stay tuned for more!

References -

Sitecore Security Bulletin
AssetNote article on the multiple flaws in Sitecore