CVE-2012-5357
Published 2017-10-30
Priority P182 · critical · 9.8 (CVSS 3.0)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 67.78% (99.2th percentile)
Ektron Content Management System (CMS) before 8.02 SP5 uses the XslCompiledTransform class with enablescript set to true, which allows remote attackers to execute arbitrary code with NETWORK SERVICE privileges via crafted XSL data.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ektron | ektron_content_management_system | <= 8.02 | — |
Detection & IOCs (extracted from sources)
- The exploit default URI base path is '/cms400min/'; monitor for POST requests to '/cms400min/WorkArea/ContentDesigner/ekajaxtransform.aspx' as a high-fidelity indicator of exploitation attempts.
- Successful exploitation results in code execution as NETWORK SERVICE; monitor for NETWORK SERVICE spawning unexpected child processes (e.g., cmd.exe, powershell.exe) from w3wp.exe or aspnet_wp.exe on Ektron CMS hosts.
- The Metasploit module drops a file to %WINDIR%\Temp\ during exploitation; monitor for new executable or text files written to that directory by the IIS worker process.
- The default TARGETURI is '/cms400min/' but may vary per deployment; defenders should ensure monitoring covers all possible base paths for ekajaxtransform.aspx, not just the default.
- The module was tested on Windows 2003 SP2 with Ektron CMS400 8.02; behavior on other OS/CMS version combinations may differ.
- The HTTP_DELAY option (default 60 seconds) controls how long the exploit's HTTP server waits for the VBS payload callback; detection based on timing anomalies should account for this window.
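The first and fourth indicators above can be turned into a simple log check. The following is an added example (not from the page or from Rapid7) that parses IIS W3C extended log entries and flags POST requests to ekajaxtransform.aspx under any base path, not only the default '/cms400min/'; the log lines are constructed sample data.

```python
import re
from typing import Dict, Iterator, List

# Constructed sample of an IIS W3C extended log (not from a real host).
# Two deployments: the default '/cms400min/' base path and a renamed one.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2012-12-05 10:01:02 10.0.0.5 GET /cms400min/login.aspx - 192.0.2.10 Mozilla/5.0 200
2012-12-05 10:01:09 10.0.0.5 POST /cms400min/WorkArea/ContentDesigner/ekajaxtransform.aspx - 192.0.2.77 python-requests/2.0 200
2012-12-05 10:02:15 10.0.0.5 POST /intranet/workarea/contentdesigner/EkAjaxTransform.aspx - 192.0.2.78 curl/7.20 500
2012-12-05 10:03:30 10.0.0.5 GET /cms400min/WorkArea/ContentDesigner/ekajaxtransform.aspx - 192.0.2.10 Mozilla/5.0 200
"""

# Match the handler name under any base path, case-insensitively (IIS paths are
# case-insensitive and the TARGETURI may differ per deployment).
EKAJAX_RE = re.compile(r"/workarea/contentdesigner/ekajaxtransform\.aspx$", re.IGNORECASE)


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per log entry, keyed by the names in the #Fields directive."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated entry: skip rather than misalign columns
        yield dict(zip(fields, values))


def find_ekajax_posts(text: str) -> List[Dict[str, str]]:
    """Return entries that are POST requests to ekajaxtransform.aspx under any base path."""
    hits = []
    for entry in parse_w3c(text):
        if entry.get("cs-method", "").upper() != "POST":
            continue
        if EKAJAX_RE.search(entry.get("cs-uri-stem", "")):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in find_ekajax_posts(SAMPLE_IIS_LOG):
        print(f"{hit['date']} {hit['time']} {hit['c-ip']} POST {hit['cs-uri-stem']} -> {hit['sc-status']}")
```

A GET to the same handler is not flagged, since the indicator is specifically POST requests; a hit is a trigger for review, not proof of compromise.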
CVSS provenance
- NVD v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
No detection rules found.
Exploit-DB
Ektron 8.02 - XSLT Transform Remote Code Execution (Metasploit) · exploitdb · 2012-12-05
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
require 'msf/core/exploit/file_dropper'
class Metasploit3 'Ektron 8.02 XSLT Transform Remote Code Execution',
'Description' => %q{
This module exploits a vulnerability in Ektron CMS 8.02 (before SP5). The
vulnerability exists due to the insecure usage of XslCompiledTransform, using a
XSLT controlled by the user. The module has been tested successfully on Ektron CMS
8.02 over Windows 2003 SP2, which allows to execute arbitrary code with NETWORK
SERVICE privileges.
},
'A
```
Metasploit
Ektron 8.02 XSLT Transform Remote Code Execution (metasploit)
This module exploits a vulnerability in Ektron CMS 8.02 (before SP5). The vulnerability exists due to the insecure usage of XslCompiledTransform with an XSLT controlled by the user. The module has been tested successfully on Ektron CMS 8.02 on Windows 2003 SP2, where it executes arbitrary code with NETWORK SERVICE privileges.
No writeups or analysis indexed.
- http://documentation.ektron.com/current/ReleaseNotes/Release8/8.02SP5.htm
- https://technet.microsoft.com/library/security/msvr12-016
- https://webstersprodigy.net/2012/10/25/cve-2012-5357cve-1012-5358-cool-ektron-xslt-rce-bugs/
- https://www.rapid7.com/db/modules/exploit/windows/http/ektron_xslt_exec