
Title: Axway SecureTransport 5 Unauthenticated XML Injection / XXE
This is a friendly neighborhood zeroday drop
Author: Dominik Penner / zer0pwn of Underdog Security
Google Dork: intitle:"Axway SecureTransport" "Login" (just use the dork dude)

"Axway SecureTransport is a multi-protocol MFT gateway for securing, managing, and tracking file flows among people and applications inside your enterprise, and beyond your firewall to your user communities, the cloud and mobile devices. It is designed to handle everything - from high-volume automated high speed secure file transfers between systems, sites, lines of business and external partners, to user-driven communications and mobile, folder- and portal-based file sharing."

Axway SecureTransport versions 5.3 through 5.0 (and potentially others) are vulnerable to an unauthenticated blind XML injection (& XXE) vulnerability in the resetPassword functionality via the REST API.

If executed properly, this vulnerability can lead to local file disclosure, DoS or URI invocation attacks (e.g. SSRF->RCE).

It's worth noting that in version 5.4 the v1 API was deprecated, meaning that you can still trigger this vulnerability on updated installations if they have the v1.0, v1.1, v1.2 or v1.3 in the /api/ directory.

POST /api/v1.0/myself/resetPassword HTTP/1.1

"message" : "\n - with linked exception:\n"

As you can see, the parser recognizes that "thisactuallyexists" was in fact declared. In the same error, we see that "thisdoesn't" was referenced, but not declared. This demonstrates that we can declare arbitrary entities.

3. External Entity Injection (XXE) (hardened)

NOTE: Because the server doesn't reflect the input anywhere, our only option is error-based XXE or out-of-band XXE. However, upon initial discovery, it appears as though most Axway SecureTransport installations have some type of firewall blocking all outgoing requests. This makes exploiting traditional XXE difficult. Judging by this, my only ideas on exploitation would be via blind SSRF or by repurposing an existing DTD on the filesystem to trigger an error with the file contents/result of our payload. However, because I don't have a license, I can't effectively audit this software from a whitebox perspective, which makes mapping out internal attack surface difficult. If a determined attacker were to get to know the Axway SecureTransport software, the chances of successfully chaining this bug are high.
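The entity-declaration probe above only works because the endpoint's XML parser accepts an inline DTD in the request body. The following is an added defender's example, not code from this advisory or from Axway (whose product is not written in Python): a parser that refuses any DOCTYPE before entity declarations can be processed, plus a cheap pre-parse check for request logging. The element names in the constructed sample bodies are assumptions, not the real resetPassword schema.

```python
import re
import xml.parsers.expat

class DoctypeRejected(ValueError):
    """Request body carried a DTD (DOCTYPE / ENTITY declarations)."""

def parse_without_dtd(body: bytes) -> dict:
    """Parse an XML body, refusing any DOCTYPE before entity declarations are
    processed. Returns {element_name: text} for the elements seen."""
    parser = xml.parsers.expat.ParserCreate()
    result, stack = {}, []

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # Fires on '<!DOCTYPE', before any <!ENTITY> can be declared, referenced
        # or expanded, so neither error-based nor out-of-band probes get that far.
        raise DoctypeRejected(f"DOCTYPE {name!r} not permitted in request body")

    def start_element(name, attrs):
        stack.append(name)
        result.setdefault(name, "")

    def character_data(data):
        if stack:
            result[stack[-1]] += data

    parser.StartDoctypeDeclHandler = start_doctype
    parser.StartElementHandler = start_element
    parser.EndElementHandler = lambda name: stack.pop()
    parser.CharacterDataHandler = character_data
    parser.Parse(body, True)  # a handler exception propagates out of Parse()
    return result

# Cheap pre-parse check for request logging / WAF rules: a password-reset body
# has no legitimate reason to carry a DOCTYPE or ENTITY declaration.
DTD_MARKER = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)

def body_contains_dtd(body: bytes) -> bool:
    return DTD_MARKER.search(body) is not None

def rejected_by_parser(body: bytes) -> bool:
    # True when the hardened parser refuses the body outright.
    try:
        parse_without_dtd(body)
    except DoctypeRejected:
        return True
    return False

# Constructed sample bodies; the element names are assumed, not Axway's schema.
BENIGN_BODY = b"<resetPassword><email>user@example.com</email></resetPassword>"
PROBE_BODY = (b'<!DOCTYPE r [<!ENTITY declared "x">]>'
              b"<resetPassword><email>&declared;&undeclared;</email></resetPassword>")
```

On the benign body the parser returns the element text; on the probe body it raises before the declared or the undeclared entity is ever looked at, so the parser never produces the differential error the advisory relies on.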
