Vendor: Sitecore
Author: Jarad Kopf
CVSS: 8.8 (HIGH)
Type: Deserialization RCE
CWE: 502 (Deserialization of Untrusted Data)
Product Name: Sitecore
Affected Version From: Sitecore 8.0 Revision 150802
Affected Version To: Sitecore 8.0 Revision 150802
Patch Exists: YES
Related CVE: CVE-2019-11080
CPE: a:sitecore:sitecore:8.0_revision_150802
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows
2018

Sitecore v 8.x Deserialization RCE

Authentication is needed for this exploit. An attacker needs to log in to the admin section of Sitecore 8.0 revision 150802. When the attacker chooses Serialize users or Serialize domains in the admin UI, the resulting calls to /sitecore/shell/~/xaml/Sitecore.Shell.Applications.Dialogs.Progress.aspx include a CSRFTOKEN parameter. Replacing that parameter with a URL-encoded, base64-encoded payload generated with ysoserial.net results in remote code execution.

Mitigation:

Sitecore released a patch for this vulnerability in April 2019.

Exploit-DB raw data:

# Exploit Title: Sitecore v 8.x Deserialization RCE
# Date: Reported to vendor October 2018, fix released April 2019.
# Exploit Author: Jarad Kopf
# Vendor Homepage: https://www.sitecore.com/
# Software Link: Sitecore downloads: https://dev.sitecore.net/Downloads.aspx
# Version: Sitecore 8.0 Revision 150802
# Tested on: Windows
# CVE : CVE-2019-11080 

Exploit: 

Authentication is needed for this exploit. An attacker needs to log in to Sitecore 8.0 revision 150802's Admin section. 
When choosing to Serialize users or domains in the admin UI, calls to /sitecore/shell/~/xaml/Sitecore.Shell.Applications.Dialogs.Progress.aspx will include a CSRFTOKEN parameter. 
By replacing this parameter with a URL-encoded, base64-encoded crafted payload from ysoserial.net, an RCE is successful.
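The advisory describes the attack but not what to look for on the wire. The following detection helper is an added example for this page, not part of the advisory or of Sitecore's code. It scans request log lines for calls to the Progress dialog whose CSRFTOKEN value, after URL- and base64-decoding, is a .NET BinaryFormatter stream (the MS-NRBF header) or embeds type names typical of ysoserial.net gadget chains. Two assumptions are labelled in the code: that the crafted payload is a BinaryFormatter stream (ysoserial.net can also emit other formatters; the advisory only says "crafted payload from ysoserial.net"), and the log line format, which is constructed for the example along with the sample tokens.

```python
"""Flag CSRFTOKEN values that carry a serialized .NET object.

Added example; not from the advisory or from Sitecore.  Assumption: the
payload is a BinaryFormatter (MS-NRBF) stream, the default formatter for
many ysoserial.net gadgets.  Log lines and tokens below are constructed.
"""
import base64
import binascii
import re
from typing import Iterable, List, Optional, Tuple
from urllib.parse import quote, unquote

# Endpoint named in the advisory.
PROGRESS_DIALOG = ("/sitecore/shell/~/xaml/"
                   "Sitecore.Shell.Applications.Dialogs.Progress.aspx")

# MS-NRBF SerializationHeaderRecord as BinaryFormatter writes it:
# RecordType 0x00, RootId=1, HeaderId=-1, MajorVersion=1, MinorVersion=0,
# each int32 little-endian (17 bytes in total).
NRBF_HEADER = bytes.fromhex("0001000000ffffffff0100000000000000")

# Heuristic secondary signal: type names that common ysoserial.net gadget
# chains embed as strings in the stream.  Not exhaustive.
GADGET_MARKERS = (b"System.Diagnostics.Process",
                  b"TypeConfuseDelegate",
                  b"System.Windows.Data.ObjectDataProvider")


def decode_token(raw: str) -> Optional[bytes]:
    """URL-decode, then strictly base64-decode; None if it is not base64."""
    text = unquote(raw)
    padded = text + "=" * (-len(text) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify_token(raw: str) -> str:
    """'binaryformatter', 'gadget-marker' or 'benign' for one raw value."""
    data = decode_token(raw)
    if data is None:
        return "benign"
    if data.startswith(NRBF_HEADER):
        return "binaryformatter"
    if any(marker in data for marker in GADGET_MARKERS):
        return "gadget-marker"
    return "benign"


def form_fields(body: str) -> Iterable[Tuple[str, str]]:
    """Split a urlencoded body into (name, raw value) without decoding the
    value, so decode_token sees exactly what was sent."""
    for pair in body.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            yield unquote(name), value


# Constructed log format: 'METHOD PATH URLENCODED-BODY' (an assumption).
LINE_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) (?P<body>\S*)$")


def scan_log(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line number, verdict) for Progress-dialog requests whose
    CSRFTOKEN does not look like a token."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = LINE_RE.match(line.strip())
        if not match or not match.group("path").startswith(PROGRESS_DIALOG):
            continue
        for name, value in form_fields(match.group("body")):
            if name == "CSRFTOKEN":
                verdict = classify_token(value)
                if verdict != "benign":
                    hits.append((number, verdict))
    return hits


# Constructed samples: an arbitrary benign token, a stub stream that only
# carries the NRBF header plus a fake tail (not a working gadget), and a
# token that merely contains a gadget type name.
BENIGN_TOKEN = base64.b64encode(bytes(range(24))).decode()
FAKE_PAYLOAD = NRBF_HEADER + b"\x0c\x02\x00\x00\x00" + b"stub tail"
MALICIOUS_TOKEN = quote(base64.b64encode(FAKE_PAYLOAD).decode(), safe="")
MARKER_ONLY_TOKEN = base64.b64encode(b"zz" + GADGET_MARKERS[0]).decode()

SAMPLE_LOG = [
    f"POST {PROGRESS_DIALOG} other=1&CSRFTOKEN={BENIGN_TOKEN}",
    f"GET /sitecore/shell/default.aspx CSRFTOKEN={MALICIOUS_TOKEN}",
    f"POST {PROGRESS_DIALOG} other=1&CSRFTOKEN={MALICIOUS_TOKEN}",
    f"POST {PROGRESS_DIALOG} CSRFTOKEN=not%20base64%21",
]

if __name__ == "__main__":
    for number, verdict in scan_log(SAMPLE_LOG):
        print(f"line {number}: {verdict}")
```

The header check is the reliable signal: a BinaryFormatter stream always starts with those 17 bytes, whereas a CSRF token never decodes to them. The marker check is a fallback for formatters that ysoserial.net wraps differently, and should be treated as a lead rather than proof. The second sample line is deliberately ignored because it targets a different path; widen the path filter if other Sitecore endpoints are found to deserialize the same parameter.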