Rapid7 Vulnerability & Exploit Database

Sitecore Experience Platform (XP) PreAuth Deserialization RCE

Back to Search

Sitecore Experience Platform (XP) PreAuth Deserialization RCE

Disclosed
11/02/2021
Created
11/16/2021

Description

This module exploits a deserialization vulnerability in the Report.ashx page of Sitecore XP 7.5 to 7.5.2, 8.0 to 8.0.7, 8.1 to 8.1.3, and 8.2 to 8.2.7. Versions 7.2.6 and earlier and 9.0 and later are not affected. The vulnerability occurs due to Report.ashx's handler, located in Sitecore.Xdb.Client.dll under the Sitecore.sitecore.shell.ClientBin.Reporting.Report defintion, having a ProcessRequest() handler that calls ProcessReport() with the context of the attacker's request without properly checking if the attacker is authenticated or not. This request then causes ReportDataSerializer.DeserializeQuery() to be called, which will end up calling the DeserializeParameters() function of Sitecore.Analytics.Reporting.ReportDataSerializer, if a "parameters" XML tag is found in the attacker's request. Then for each subelement named "parameter", the code will check that it has a name and if it does, it will call NetDataContractSerializer().ReadObject on it. NetDataContractSerializer is vulnerable to deserialization attacks and can be trivially exploited by using the TypeConfuseDelegate gadget chain. By exploiting this vulnerability, an attacker can gain arbitrary code execution as the user that IIS is running as, aka NT AUTHORITY\NETWORK SERVICE. Users can then use technique 4 of the "getsystem" command to use RPCSS impersonation and get SYSTEM level code execution.

Author(s)

  • AssetNote
  • gwillcox-r7

Platform

Windows

Architectures

cmd, x86, x64

Development

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/windows/http/sitecore_xp_cve_2021_42237
msf exploit(sitecore_xp_cve_2021_42237) > show targets
    ...targets...
msf exploit(sitecore_xp_cve_2021_42237) > set TARGET < target-id >
msf exploit(sitecore_xp_cve_2021_42237) > show options
    ...show and set options...
msf exploit(sitecore_xp_cve_2021_42237) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security

;